Commit 50d1bc7d authored by zoltan@webkit.org

[regression] Security: Heap-use-after-free in WebCore::RenderBlock::logicalRightOffsetForLine

https://bugs.webkit.org/show_bug.cgi?id=111594

Patch by Bem Jones-Bey <bjonesbe@adobe.com> on 2013-04-05
Reviewed by David Hyatt.

Source/WebCore: 

Swapping the bases was causing any floats in the right base to be
lost, so change the code so that it no longer swaps the bases.

Test: fast/ruby/float-object-doesnt-crash.html

* rendering/RenderRubyRun.cpp:
(WebCore::RenderRubyRun::removeChild): Don't swap the bases anymore.

LayoutTests: 

Add test to verify that the use-after-free is fixed. Note that it will
only crash when run under a memory checking tool like ASAN.

* fast/ruby/float-object-doesnt-crash-expected.txt: Added.
* fast/ruby/float-object-doesnt-crash.html: Added.



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@147765 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent d843f4bb
2013-04-05 Bem Jones-Bey <bjonesbe@adobe.com>
[regression] Security: Heap-use-after-free in WebCore::RenderBlock::logicalRightOffsetForLine
https://bugs.webkit.org/show_bug.cgi?id=111594
Reviewed by David Hyatt.
Add test to verify that the use-after-free is fixed. Note that it will
only crash when run under a memory checking tool like ASAN.
* fast/ruby/float-object-doesnt-crash-expected.txt: Added.
* fast/ruby/float-object-doesnt-crash.html: Added.
2013-04-05 Bear Travis <betravis@adobe.com>
 
[css exclusions] Dynamically removing shape-inside should cause relayout of child blocks' inline content
Test passes if it does not crash when run with memory checking for use-after-free.
<!DOCTYPE html>
<html>
<body>
Test passes if it does not crash when run with memory checking for use-after-free.
<summary><ruby>|<rt></rt>
<h1><object align="right" ></object>
><img border="947352079px"><ul style="padding:105392887px 0% inherit 0px; "></h1>
</ruby>
<keygen autofocus="Tm" ><object></object>
<script>
if (window.testRunner) {
testRunner.dumpAsText();
}
</script>
</body>
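Review bot: the new test file closes `</body>` but never closes `</html>` (the `<html>` opened near the top of the file is left unterminated); add a final `</html>` line so the fixture is well-formed and the unclosed tag cannot be mistaken for part of the reduced-case markup. The test itself can only detect the regression under a memory checker, as the ChangeLog notes, so a reader running it in a plain build should expect a pass regardless of the fix; the expected text matches the single visible line of page text, which is what `testRunner.dumpAsText()` will emit.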
2013-04-05 Bem Jones-Bey <bjonesbe@adobe.com>
[regression] Security: Heap-use-after-free in WebCore::RenderBlock::logicalRightOffsetForLine
https://bugs.webkit.org/show_bug.cgi?id=111594
Reviewed by David Hyatt.
Swapping the bases was causing any floats in the right base to be
lost, so change the code so that it no longer swaps the bases.
Test: fast/ruby/float-object-doesnt-crash.html
* rendering/RenderRubyRun.cpp:
(WebCore::RenderRubyRun::removeChild): Don't swap the bases anymore.
2013-04-05 Anders Carlsson <andersca@apple.com>
 
Remove dead code
......@@ -166,13 +166,17 @@ void RenderRubyRun::removeChild(RenderObject* child)
// Ruby run without a base can happen only at the first run.
RenderRubyRun* rightRun = toRenderRubyRun(rightNeighbour);
if (rightRun->hasRubyBase()) {
RenderRubyBase* rightBase = rightRun->rubyBaseSafe();
// Collect all children in a single base, then swap the bases.
rightBase->moveChildren(base);
moveChildTo(rightRun, base);
rightRun->moveChildTo(this, rightBase);
RenderRubyBase* rightBase = rightRun->rubyBase();
if (!rightBase)
moveChildTo(rightRun, base);
else {
// We need to preserve child order, so we have to append the
// rightBase's children to base, and then put them back.
rightBase->moveChildren(base);
base->moveChildren(rightBase);
}
// The now empty ruby base will be removed below.
ASSERT(!rubyBase()->firstChild());
ASSERT(!rubyBase() || !rubyBase()->firstChild());
}
}
}
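Review bot: the comment "The now empty ruby base will be removed below." no longer holds for both branches of the new `if (!rightBase)`; in the null-base branch `moveChildTo(rightRun, base)` moves this run's base into `rightRun`, so `rubyBase()` is null afterwards, which is exactly why the assertion was loosened to `ASSERT(!rubyBase() || !rubyBase()->firstChild());`. Update the comment to say that the base is either moved to the right run or emptied, so the two cases the assertion covers are documented. In the else branch, "append the rightBase's children to base, and then put them back" is also misleading: after `rightBase->moveChildren(base); base->moveChildren(rightBase);` all children, this run's original ones first, end up in `rightBase`, and nothing is "put back" into `base`; say that plainly (for example, "append rightBase's children to base to preserve order, then move everything into rightBase"). Replacing `rubyBaseSafe()` with the nullable `rubyBase()` and dropping the base swap is the substantive change here and matches the commit message: the swap moved a base between runs and, per the description, lost floats held by the right base, which is what left `logicalRightOffsetForLine` with a dangling float.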