Title: [139788] trunk
- Revision
- 139788
- Author
- espr...@chromium.org
- Date
- 2013-01-15 14:14:29 -0800 (Tue, 15 Jan 2013)
Log Message
Heap-use-after-free in WebCore::RenderObject::willBeRemovedFromTree
https://bugs.webkit.org/show_bug.cgi?id=106384
Reviewed by Abhishek Arya.
Source/WebCore:
Always walk up from beforeChild until the parent() is the owner of the
child list, otherwise we can end up in situations where
newChild->parent() == owner but newChild->nextSibling()->parent() != owner
which is a recipe for security bugs. Previously we only walked up through
anonymous blocks, but missed anonymous inline blocks like those generated
by <ruby>.
Test: fast/css-generated-content/bug-106384.html
* rendering/RenderObjectChildList.cpp:
(WebCore::RenderObjectChildList::insertChildNode):
LayoutTests:
Add a test for <ruby> and generated content causing asserts and
crashes.
* fast/css-generated-content/bug-106384-expected.txt: Added.
* fast/css-generated-content/bug-106384.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (139787 => 139788)
--- trunk/LayoutTests/ChangeLog 2013-01-15 22:04:29 UTC (rev 139787)
+++ trunk/LayoutTests/ChangeLog 2013-01-15 22:14:29 UTC (rev 139788)
@@ -1,3 +1,16 @@
+2013-01-15 Elliott Sprehn <espr...@chromium.org>
+
+ Heap-use-after-free in WebCore::RenderObject::willBeRemovedFromTree
+ https://bugs.webkit.org/show_bug.cgi?id=106384
+
+ Reviewed by Abhishek Arya.
+
+ Add a test for <ruby> and generated content causing asserts and
+ crashes.
+
+ * fast/css-generated-content/bug-106384-expected.txt: Added.
+ * fast/css-generated-content/bug-106384.html: Added.
+
2013-01-15 Zan Dobersek <zdober...@igalia.com>
Unreviewed GTK gardening.
Added: trunk/LayoutTests/fast/css-generated-content/bug-106384-expected.txt (0 => 139788)
--- trunk/LayoutTests/fast/css-generated-content/bug-106384-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/css-generated-content/bug-106384-expected.txt 2013-01-15 22:14:29 UTC (rev 139788)
@@ -0,0 +1,3 @@
+Bug 106384: Heap-use-after-free in WebCore::RenderObject::willBeRemovedFromTree.
+
+Passed if this test did not crash or assert.
Added: trunk/LayoutTests/fast/css-generated-content/bug-106384.html (0 => 139788)
--- trunk/LayoutTests/fast/css-generated-content/bug-106384.html (rev 0)
+++ trunk/LayoutTests/fast/css-generated-content/bug-106384.html 2013-01-15 22:14:29 UTC (rev 139788)
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+
+<style>
+ruby:after {
+ display: block;
+ content: "";
+}
+</style>
+
+<p>
+ Bug 106384: Heap-use-after-free in WebCore::RenderObject::willBeRemovedFromTree.
+</p>
+
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+_onload_ = function() {
+ var ruby = document.createElement('ruby');
+ document.body.appendChild(ruby);
+ // Cause a layout.
+ document.body.offsetLeft;
+ ruby.appendChild(document.createTextNode('Passed if this test did not crash or assert.'));
+};
+</script>
Modified: trunk/Source/WebCore/ChangeLog (139787 => 139788)
--- trunk/Source/WebCore/ChangeLog 2013-01-15 22:04:29 UTC (rev 139787)
+++ trunk/Source/WebCore/ChangeLog 2013-01-15 22:14:29 UTC (rev 139788)
@@ -1,3 +1,22 @@
+2013-01-15 Elliott Sprehn <espr...@chromium.org>
+
+ Heap-use-after-free in WebCore::RenderObject::willBeRemovedFromTree
+ https://bugs.webkit.org/show_bug.cgi?id=106384
+
+ Reviewed by Abhishek Arya.
+
+ Always walk up from beforeChild until the parent() is the owner of the
+ child list, otherwise we can end up in situations where
+ newChild->parent() == owner but newChild->nextSibling()->parent() != owner
+ which is a recipe for security bugs. Previously we only walked up through
+ anonymous blocks, but missed anonymous inline blocks like those generated
+ by <ruby>.
+
+ Test: fast/css-generated-content/bug-106384.html
+
+ * rendering/RenderObjectChildList.cpp:
+ (WebCore::RenderObjectChildList::insertChildNode):
+
2013-01-15 Ojan Vafai <o...@chromium.org>
Remove bogus assert added in http://trac.webkit.org/changeset/139772.
Modified: trunk/Source/WebCore/rendering/RenderObjectChildList.cpp (139787 => 139788)
--- trunk/Source/WebCore/rendering/RenderObjectChildList.cpp 2013-01-15 22:04:29 UTC (rev 139787)
+++ trunk/Source/WebCore/rendering/RenderObjectChildList.cpp 2013-01-15 22:14:29 UTC (rev 139788)
@@ -153,10 +153,17 @@
}
ASSERT(!child->parent());
- while (beforeChild->parent() != owner && beforeChild->parent()->isAnonymousBlock())
+ while (beforeChild->parent() && beforeChild->parent() != owner)
beforeChild = beforeChild->parent();
- ASSERT(beforeChild->parent() == owner);
+ // This should never happen, but if it does prevent render tree corruption
+ // where child->parent() ends up being owner but child->nextSibling()->parent()
+ // is not owner.
+ if (beforeChild->parent() != owner) {
+ ASSERT_NOT_REACHED();
+ return;
+ }
+
ASSERT(!owner->isBlockFlow() || (!child->isTableSection() && !child->isTableRow() && !child->isTableCell()));
if (beforeChild == firstChild())
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes
