Context Navigation

← Previous Changeset
Next Changeset →

Changeset 26941 in webkit

Timestamp:

Oct 23, 2007 6:51:04 PM (17 years ago)

Author:

mitz

Message:

Reviewed by Eric Seidel.

fix http://bugs.webkit.org/show_bug.cgi?id=15405 ASSERTION FAILED: d->m_view && !d->m_view->needsLayout() in Frame::Paint

Calling updateWidget() during attach() led to arbitrary (plugin and resource load delegate)
code execution under attach(). The fix is to use the mechanism that's already in place for
deferring updateWidget() until after layout.

html/HTMLEmbedElement.cpp: (WebCore::HTMLEmbedElement::attach): Replaced call to updateWidget() with call to updateWidgetSoon()
html/HTMLObjectElement.cpp: (WebCore::HTMLObjectElement::attach): Ditto.
manual-tests/paint-during-plugin-attach.html: Added.
rendering/RenderPartObject.cpp: (WebCore::RenderPartObject::updateWidgetSoon): Added this function that schedules the updateWidget() call for after the next layout.
rendering/RenderPartObject.h:

Location:

trunk/WebCore

Files:

: 1 added
: 5 edited

ChangeLog (modified) (1 diff)
html/HTMLEmbedElement.cpp (modified) (1 diff)
html/HTMLObjectElement.cpp (modified) (1 diff)
manual-tests/paint-during-plugin-attach.html (added)
rendering/RenderPartObject.cpp (modified) (1 diff)
rendering/RenderPartObject.h (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/WebCore/ChangeLog

-                      r26937
+                      r26941
+-10-23  Dan Bernstein  <mitz@apple.com>
+        Reviewed by Eric Seidel.
+        - fix http://bugs.webkit.org/show_bug.cgi?id=15405
+          ASSERTION FAILED: d->m_view && !d->m_view->needsLayout() in Frame::Paint
+        Calling updateWidget() during attach() led to arbitrary (plugin and resource load delegate)
+        code execution under attach(). The fix is to use the mechanism that's already in place for
+        deferring updateWidget() until after layout.
+        * html/HTMLEmbedElement.cpp:
+        (WebCore::HTMLEmbedElement::attach): Replaced call to updateWidget() with call to updateWidgetSoon()
+        * html/HTMLObjectElement.cpp:
+        (WebCore::HTMLObjectElement::attach): Ditto.
+        * manual-tests/paint-during-plugin-attach.html: Added.
+        * rendering/RenderPartObject.cpp:
+        (WebCore::RenderPartObject::updateWidgetSoon): Added this function that schedules the
+        updateWidget() call for after the next layout.
+        * rendering/RenderPartObject.h:
 -10-23  Adam Roben  <aroben@apple.com>

trunk/WebCore/html/HTMLEmbedElement.cpp

r25754	r26941
157	157
158	158	if (renderer())
159		static_cast<RenderPartObject*>(renderer())->updateWidget~~(true~~);
	159	static_cast<RenderPartObject*>(renderer())->updateWidgetSoon();
160	160	}
161	161

trunk/WebCore/html/HTMLObjectElement.cpp

r25754	r26941
187	187	// this method or recalcStyle (which also calls updateWidget) to be called.
188	188	m_needWidgetUpdate = false;
189		static_cast<RenderPartObject*>(renderer())->updateWidget~~(true~~);
	189	static_cast<RenderPartObject*>(renderer())->updateWidgetSoon();
190	190	} else {
191	191	m_needWidgetUpdate = true;

trunk/WebCore/rendering/RenderPartObject.cpp

r25754	r26941
281	281	}
282	282
	283	void RenderPartObject::updateWidgetSoon()
	284	{
	285	if (m_view)
	286	m_view->addWidgetToUpdate(this);
	287	}
	288
283	289	void RenderPartObject::viewCleared()
284	290	{

trunk/WebCore/rendering/RenderPartObject.h

r25754	r26941
39	39	virtual void layout();
40	40	void updateWidget(bool onlyCreateNonPlugins);
	41	void updateWidgetSoon();
41	42
42	43	virtual void viewCleared();

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 26941 in webkit

Legend:

trunk/WebCore/ChangeLog

trunk/WebCore/html/HTMLEmbedElement.cpp

trunk/WebCore/html/HTMLObjectElement.cpp

trunk/WebCore/rendering/RenderPartObject.cpp

trunk/WebCore/rendering/RenderPartObject.h

Download in other formats: