Title: [139470] trunk/Source/WebCore
- Revision: 139470
- Author: [email protected]
- Date: 2013-01-11 11:35:31 -0800 (Fri, 11 Jan 2013)
Log Message
Heap-use-after-free in WebCore::RenderText::computePreferredLogicalWidths
https://bugs.webkit.org/show_bug.cgi?id=95901
Reviewed by Simon Fraser.
Prevent re-entrancy of view layout. Loading of an SVG document during font load
causes it to re-enter layout, blowing the style away from underneath.
Test: Go to http://www.speckproducts.com and make sure crash does not happen.
* dom/Document.cpp:
(WebCore::Document::updateLayout):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (139469 => 139470)
--- trunk/Source/WebCore/ChangeLog 2013-01-11 19:27:39 UTC (rev 139469)
+++ trunk/Source/WebCore/ChangeLog 2013-01-11 19:35:31 UTC (rev 139470)
@@ -1,3 +1,18 @@
+2013-01-11 Abhishek Arya <[email protected]>
+
+ Heap-use-after-free in WebCore::RenderText::computePreferredLogicalWidths
+ https://bugs.webkit.org/show_bug.cgi?id=95901
+
+ Reviewed by Simon Fraser.
+
+ Prevent re-entrancy of view layout. Loading of SVG document during font load
+ causes it to re-enter layout and blowing the style away from underneath.
+
+ Test: Go to http://www.speckproducts.com and make sure crash does not happen.
+
+ * dom/Document.cpp:
+ (WebCore::Document::updateLayout):
+
2013-01-11 Kentaro Hara <[email protected]>
[V8] Do not create a local handle for a cached v8 string that is returned to V8 immediately
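Review bot: the `Test:` line in this ChangeLog entry points at a live third-party site (`Go to http://www.speckproducts.com and make sure crash does not happen.`) rather than at a regression test; a reduced test in LayoutTests that reproduces an SVG document load during font load re-entering layout would keep the fix covered after that site changes. The entry should also say what the new guard does in release builds, since the Document.cpp hunk below returns early there instead of asserting.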
Modified: trunk/Source/WebCore/dom/Document.cpp (139469 => 139470)
--- trunk/Source/WebCore/dom/Document.cpp 2013-01-11 19:27:39 UTC (rev 139469)
+++ trunk/Source/WebCore/dom/Document.cpp 2013-01-11 19:35:31 UTC (rev 139470)
@@ -1899,16 +1899,24 @@
void Document::updateLayout()
{
ASSERT(isMainThread());
+
+ FrameView* frameView = view();
+ if (frameView && frameView->isInLayout()) {
+ // View layout should not be re-entrant.
+ ASSERT_NOT_REACHED();
+ return;
+ }
+
if (Element* oe = ownerElement())
oe->document()->updateLayout();
updateStyleIfNeeded();
StackStats::LayoutCheckPoint layoutCheckPoint;
+
// Only do a layout if changes have occurred that make it necessary.
- FrameView* v = view();
- if (v && renderer() && (v->layoutPending() || renderer()->needsLayout()))
- v->layout();
+ if (frameView && renderer() && (frameView->layoutPending() || renderer()->needsLayout()))
+ frameView->layout();
}
// FIXME: This is a bad idea and needs to be removed eventually.
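Review bot: `FrameView* frameView = view();` is now read before `oe->document()->updateLayout()` and `updateStyleIfNeeded()`, whereas the removed `FrameView* v = view();` was read after both. If either step can detach or replace this document's view, the cached pointer passed to `frameView->layout()` is stale; either re-read `view()` after `updateStyleIfNeeded()` for the layout call or add a comment stating why the view cannot change across those calls. Separately, `ASSERT_NOT_REACHED()` only fires in debug builds; in release the early `return` leaves layout pending and style not updated, so the comment `// View layout should not be re-entrant.` should note that callers reached through re-entry must tolerate a stale layout.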
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes