Title: [140206] trunk
Revision
140206
Author
infe...@chromium.org
Date
2013-01-18 14:12:53 -0800 (Fri, 18 Jan 2013)

Log Message

Heap-use-after-free in WebCore::RenderObject::isDescendantOf
https://bugs.webkit.org/show_bug.cgi?id=107226

Reviewed by David Hyatt.

Source/WebCore:

Test: fast/block/float/overhanging-float-not-removed-crash.html

* rendering/RenderBox.cpp:
(WebCore::RenderBox::removeFloatingOrPositionedChildFromBlockLists):
Skip anonymous blocks in the chain to get the enclosing block and
be able to correctly mark the overhanging floats in the next siblings.

LayoutTests:

* fast/block/float/overhanging-float-not-removed-crash-expected.txt: Added.
* fast/block/float/overhanging-float-not-removed-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (140205 => 140206)


--- trunk/LayoutTests/ChangeLog	2013-01-18 21:56:24 UTC (rev 140205)
+++ trunk/LayoutTests/ChangeLog	2013-01-18 22:12:53 UTC (rev 140206)
@@ -1,3 +1,13 @@
+2013-01-18  Abhishek Arya  <infe...@chromium.org>
+
+        Heap-use-after-free in WebCore::RenderObject::isDescendantOf
+        https://bugs.webkit.org/show_bug.cgi?id=107226
+
+        Reviewed by David Hyatt.
+
+        * fast/block/float/overhanging-float-not-removed-crash-expected.txt: Added.
+        * fast/block/float/overhanging-float-not-removed-crash.html: Added.
+
 2013-01-18  Chris Hopman  <cjhop...@google.com>
 
         Fix scrollRectToVisible in the presence of transforms

Added: trunk/LayoutTests/fast/block/float/overhanging-float-not-removed-crash-expected.txt (0 => 140206)


--- trunk/LayoutTests/fast/block/float/overhanging-float-not-removed-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/block/float/overhanging-float-not-removed-crash-expected.txt	2013-01-18 22:12:53 UTC (rev 140206)
@@ -0,0 +1,2 @@
+Bug 107226. Heap-use-after-free in WebCore::RenderObject::isDescendantOf.
+PASS. WebKit didn't crash

Added: trunk/LayoutTests/fast/block/float/overhanging-float-not-removed-crash.html (0 => 140206)


--- trunk/LayoutTests/fast/block/float/overhanging-float-not-removed-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/block/float/overhanging-float-not-removed-crash.html	2013-01-18 22:12:53 UTC (rev 140206)
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+<noembed id=test4></noembed>
+<h6 id=test3>
+<h3 id=test7></h3>
+<span id=tCF36>
+<math>
+<and>
+<equivalent>
+<csc id=test5 style="float: left; "> X6DDguzp|m_v c;</csc>
+<otherwise id=test1>
+</equivalent>
+</and>
+<cartesianproduct id=test2>#L    }|2pqynn</cartesianproduct>
+<factorial></factorial>
+<product id=test6>.
+</math>
+</span>
+</h6>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+document.documentElement.offsetTop;
+test1.appendChild(test2);
+test2.appendChild(test3);
+document.documentElement.offsetTop;
+test4.appendChild(test5);
+test6.appendChild(test7);
+document.documentElement.offsetTop;
+document.documentElement.innerHTML = "Bug 107226. Heap-use-after-free in WebCore::RenderObject::isDescendantOf.<br />PASS. WebKit didn't crash";
+</script>
+</html>
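Review bot: the svn:executable property recorded for overhanging-float-not-removed-crash.html in the property change below is unnecessary for an HTML layout test, which the test runner loads as a document rather than executes; suggest committing the file without the executable bit. The test body itself is fine as a regression check: each reparenting step (test1.appendChild(test2), test2.appendChild(test3), then test4.appendChild(test5) and test6.appendChild(test7)) is separated by a forced layout via document.documentElement.offsetTop, so each move runs against an already laid-out tree containing the left-floated csc element, and replacing the document content with the PASS text at the end keeps the expected output deterministic.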
Property changes on: trunk/LayoutTests/fast/block/float/overhanging-float-not-removed-crash.html
___________________________________________________________________

Added: svn:executable

Modified: trunk/Source/WebCore/ChangeLog (140205 => 140206)


--- trunk/Source/WebCore/ChangeLog	2013-01-18 21:56:24 UTC (rev 140205)
+++ trunk/Source/WebCore/ChangeLog	2013-01-18 22:12:53 UTC (rev 140206)
@@ -1,3 +1,17 @@
+2013-01-18  Abhishek Arya  <infe...@chromium.org>
+
+        Heap-use-after-free in WebCore::RenderObject::isDescendantOf
+        https://bugs.webkit.org/show_bug.cgi?id=107226
+
+        Reviewed by David Hyatt.
+
+        Test: fast/block/float/overhanging-float-not-removed-crash.html
+
+        * rendering/RenderBox.cpp:
+        (WebCore::RenderBox::removeFloatingOrPositionedChildFromBlockLists):
+        Skip anonymous blocks in the chain to get the enclosing block and
+        be able to correctly mark the overhanging floats in the next siblings.
+
 2013-01-18  Chris Hopman  <cjhop...@google.com>
 
         Fix scrollRectToVisible in the presence of transforms

Modified: trunk/Source/WebCore/rendering/RenderBox.cpp (140205 => 140206)


--- trunk/Source/WebCore/rendering/RenderBox.cpp	2013-01-18 21:56:24 UTC (rev 140205)
+++ trunk/Source/WebCore/rendering/RenderBox.cpp	2013-01-18 22:12:53 UTC (rev 140206)
@@ -179,6 +179,12 @@
         }
 
         if (parentBlock) {
+            // Need to skip anonymous blocks in our ancestor chain since our overhanging floats
+            // can be in the next siblings of enclosing block.
+            while (parentBlock && parentBlock->isAnonymousBlock())
+                parentBlock = parentBlock->containingBlock();
+            ASSERT(parentBlock);
+
             RenderObject* parent = parentBlock->parent();
             if (parent && parent->isFlexibleBoxIncludingDeprecated())
                 parentBlock = toRenderBlock(parent);
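Review bot: ASSERT(parentBlock) after the new while loop compiles to nothing in release builds, so if containingBlock() ever returns null while climbing out of an anonymous block the loop exits with parentBlock == 0 and the very next line, `RenderObject* parent = parentBlock->parent();`, dereferences a null pointer; since the surrounding `if (parentBlock)` shows this code already expects a null here, replace the assertion with an early return (`if (!parentBlock) return;`) or re-check before the dereference. Two points also deserve a comment in the code or the ChangeLog entry: the loop stops at the first renderer for which isAnonymousBlock() is false, so other kinds of anonymous containers are not climbed past, and the flexbox fix-up that follows (`if (parent && parent->isFlexibleBoxIncludingDeprecated())`) now inspects the parent of the first non-anonymous block rather than the immediate parent, which looks intended but is not stated anywhere.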
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes