Changeset 204722 in webkit


Timestamp:
Aug 22, 2016, 9:19:20 AM (9 years ago)
Author:
Carlos Garcia Campos
Message:

Merge r202177 - Potential null dereferencing on a detached positioned renderer.
https://bugs.webkit.org/show_bug.cgi?id=158879

Reviewed by Simon Fraser.

This patch fixes the case where the while loop that searches for the absolutely positioned ancestor
ends at null (this happens when the positioned renderer has been detached from the render tree).

Speculative fix.

  • rendering/RenderBlock.cpp:

(WebCore::RenderBlock::markFixedPositionObjectForLayoutIfNeeded):

  • rendering/RenderBlock.h:
Location:
releases/WebKitGTK/webkit-2.12/Source/WebCore
Files:
3 edited

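--- a/releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog
+++ b/releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog
@@ -1,2 +1,18 @@
+2016-06-17  Zalan Bujtas  <zalan@apple.com>
+
+        Potential null dereferencing on a detached positioned renderer.
+        https://bugs.webkit.org/show_bug.cgi?id=158879
+
+        Reviewed by Simon Fraser.
+
+        This patch fixes the case when the while loop to search for the absolute positioned ancestor
+        returns null (it happens when positioned renderer has been detached from the render tree).
+
+        Speculative fix.
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::markFixedPositionObjectForLayoutIfNeeded):
+        * rendering/RenderBlock.h:
+
 2016-06-27  Philippe Normand  <philn@igalia.com>
 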
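--- a/releases/WebKitGTK/webkit-2.12/Source/WebCore/rendering/RenderBlock.cpp
+++ b/releases/WebKitGTK/webkit-2.12/Source/WebCore/rendering/RenderBlock.cpp
@@ -1265,32 +1265,31 @@
 }
 
-void RenderBlock::markFixedPositionObjectForLayoutIfNeeded(RenderObject& child)
-{
-    if (child.style().position() != FixedPosition)
-        return;
-
-    bool hasStaticBlockPosition = child.style().hasStaticBlockPosition(isHorizontalWritingMode());
-    bool hasStaticInlinePosition = child.style().hasStaticInlinePosition(isHorizontalWritingMode());
+void RenderBlock::markFixedPositionObjectForLayoutIfNeeded(RenderBox& positionedChild)
+{
+    if (positionedChild.style().position() != FixedPosition)
+        return;
+
+    bool hasStaticBlockPosition = positionedChild.style().hasStaticBlockPosition(isHorizontalWritingMode());
+    bool hasStaticInlinePosition = positionedChild.style().hasStaticInlinePosition(isHorizontalWritingMode());
     if (!hasStaticBlockPosition && !hasStaticInlinePosition)
         return;
 
-    auto o = child.parent();
-    while (o && !is<RenderView>(*o) && o->style().position() != AbsolutePosition)
-        o = o->parent();
-    if (o->style().position() != AbsolutePosition)
-        return;
-
-    auto& box = downcast<RenderBox>(child);
+    auto* parent = positionedChild.parent();
+    while (parent && !is<RenderView>(*parent) && parent->style().position() != AbsolutePosition)
+        parent = parent->parent();
+    if (!parent || parent->style().position() != AbsolutePosition)
+        return;
+
     if (hasStaticInlinePosition) {
         LogicalExtentComputedValues computedValues;
-        box.computeLogicalWidthInRegion(computedValues);
+        positionedChild.computeLogicalWidthInRegion(computedValues);
         LayoutUnit newLeft = computedValues.m_position;
-        if (newLeft != box.logicalLeft())
-            box.setChildNeedsLayout(MarkOnlyThis);
+        if (newLeft != positionedChild.logicalLeft())
+            positionedChild.setChildNeedsLayout(MarkOnlyThis);
     } else if (hasStaticBlockPosition) {
-        LayoutUnit oldTop = box.logicalTop();
-        box.updateLogicalHeight();
-        if (box.logicalTop() != oldTop)
-            box.setChildNeedsLayout(MarkOnlyThis);
+        LayoutUnit oldTop = positionedChild.logicalTop();
+        positionedChild.updateLogicalHeight();
+        if (positionedChild.logicalTop() != oldTop)
+            positionedChild.setChildNeedsLayout(MarkOnlyThis);
     }
 }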
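Review bot: The new `!parent` guard at new line 1280 encodes a non-obvious state (per the commit message, the ancestor walk ends at null only when the positioned renderer has already been detached from the render tree), but nothing in the code says so, and a later reader cannot tell whether a null parent is an expected state or a bug being papered over. Suggest a comment above that `if`: `// The ancestor walk ends at null when positionedChild has already been detached from the render tree; there is nothing to mark in that case.` Since the ChangeLog calls this a speculative fix with no reproduction named, it would also help to say in that comment that the detached case has not been reproduced, so the guard is not later removed as dead code.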
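--- a/releases/WebKitGTK/webkit-2.12/Source/WebCore/rendering/RenderBlock.h
+++ b/releases/WebKitGTK/webkit-2.12/Source/WebCore/rendering/RenderBlock.h
@@ -317,5 +317,5 @@
     virtual void layoutPositionedObject(RenderBox&, bool relayoutChildren, bool fixedPositionObjectsOnly);
    
-    void markFixedPositionObjectForLayoutIfNeeded(RenderObject& child);
+    void markFixedPositionObjectForLayoutIfNeeded(RenderBox& child);
 
     LayoutUnit marginIntrinsicLogicalWidthForChild(RenderBox&) const;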