Changeset 116827 in webkit


Timestamp:
May 11, 2012 5:28:32 PM (12 years ago)
Author:
commit-queue@webkit.org
Message:

use after free in WebCore::RenderObject::document
https://bugs.webkit.org/show_bug.cgi?id=84891

Patch by David Barton <Dave Barton> on 2012-05-11
Reviewed by Julien Chaffraix.

Source/WebCore:

Change RenderMathMLFenced::addChild() to use the beforeChild parameter. When beforeChild
is 0, insert child renderers before the closing fence, which might not be the same as
this->lastChild(), e.g. possibly due to anonymous blocks or generated content.

Tests: mathml/presentation/mfenced-add-child1-expected.html

mathml/presentation/mfenced-add-child1.html
mathml/presentation/mfenced-add-child2-expected.html
mathml/presentation/mfenced-add-child2.html

  • rendering/mathml/RenderMathMLFenced.cpp:

(WebCore::RenderMathMLFenced::RenderMathMLFenced):
(WebCore::RenderMathMLFenced::makeFences):
(WebCore::RenderMathMLFenced::addChild):

  • rendering/mathml/RenderMathMLFenced.h:

(RenderMathMLFenced):

LayoutTests:

  • mathml/presentation/mfenced-add-child1-expected.html: Added.
  • mathml/presentation/mfenced-add-child1.html: Added.
  • mathml/presentation/mfenced-add-child2-expected.html: Added.
  • mathml/presentation/mfenced-add-child2.html: Added.
Location:
trunk
Files:
4 added
4 edited

  • trunk/LayoutTests/ChangeLog

    r116821 r116827  
     12012-05-11  David Barton  <dbarton@mathscribe.com>
     2
     3        use after free in WebCore::RenderObject::document
     4        https://bugs.webkit.org/show_bug.cgi?id=84891
     5
     6        Reviewed by Julien Chaffraix.
     7
     8        * mathml/presentation/mfenced-add-child1-expected.html: Added.
     9        * mathml/presentation/mfenced-add-child1.html: Added.
     10        * mathml/presentation/mfenced-add-child2-expected.html: Added.
     11        * mathml/presentation/mfenced-add-child2.html: Added.
     12
    1132012-05-10  Timothy Hatcher  <timothy@apple.com>
    214
  • trunk/Source/WebCore/ChangeLog

    r116824 r116827  
     12012-05-11  David Barton  <dbarton@mathscribe.com>
     2
     3        use after free in WebCore::RenderObject::document
     4        https://bugs.webkit.org/show_bug.cgi?id=84891
     5
     6        Reviewed by Julien Chaffraix.
     7
     8        Change RenderMathMLFenced::addChild() to use the beforeChild parameter. When beforeChild
     9        is 0, insert child renderers before the closing fence, which might not be the same as
     10        this->lastChild(), e.g. possibly due to anonymous blocks or generated content.
     11
     12        Tests: mathml/presentation/mfenced-add-child1-expected.html
     13               mathml/presentation/mfenced-add-child1.html
     14               mathml/presentation/mfenced-add-child2-expected.html
     15               mathml/presentation/mfenced-add-child2.html
     16
     17        * rendering/mathml/RenderMathMLFenced.cpp:
     18        (WebCore::RenderMathMLFenced::RenderMathMLFenced):
     19        (WebCore::RenderMathMLFenced::makeFences):
     20        (WebCore::RenderMathMLFenced::addChild):
     21        * rendering/mathml/RenderMathMLFenced.h:
     22        (RenderMathMLFenced):
     23
    1242012-05-11  Anders Carlsson  <andersca@apple.com>
    225
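--- a/trunk/Source/WebCore/rendering/mathml/RenderMathMLFenced.cpp
+++ b/trunk/Source/WebCore/rendering/mathml/RenderMathMLFenced.cpp
@@ -49,4 +49,5 @@
     , m_open(OpeningBraceChar)
     , m_close(ClosingBraceChar)
+    , m_closeFenceRenderer(0)
 {
 }
@@ -95,10 +96,10 @@
     openFence->setStyle(createOperatorStyle());
     RenderBlock::addChild(openFence, firstChild());
-    RenderObject* closeFence = new (renderArena()) RenderMathMLOperator(node(), m_close);
-    closeFence->setStyle(createOperatorStyle());
-    RenderBlock::addChild(closeFence);
+    m_closeFenceRenderer = new (renderArena()) RenderMathMLOperator(node(), m_close);
+    m_closeFenceRenderer->setStyle(createOperatorStyle());
+    RenderBlock::addChild(m_closeFenceRenderer);
 }
 
-void RenderMathMLFenced::addChild(RenderObject* child, RenderObject*)
+void RenderMathMLFenced::addChild(RenderObject* child, RenderObject* beforeChild)
 {
     // make the fences if the render object is empty
@@ -106,23 +107,31 @@
         updateFromElement();
    
+    // FIXME: Adding or removing a child should possibly cause all later separators to shift places if they're different,
+    // as later child positions change by +1 or -1.
+   
+    RenderObject* separatorRenderer = 0;
     if (m_separators.get()) {
         unsigned int count = 0;
         for (Node* position = child->node(); position; position = position->previousSibling()) {
-            if (position->nodeType() == Node::ELEMENT_NODE)
+            if (position->isElementNode())
                 count++;
         }
-               
-        if (count > 1) {
+        if (!beforeChild) {
+            // We're adding at the end (before the closing fence), so a new separator would go before the new child, not after it.
+            --count;
+        }
+        // |count| is now the number of element children that will be before our new separator, i.e. it's the 1-based index of the separator.
+       
+        if (count > 0) {
             UChar separator;
            
             // Use the last separator if we've run out of specified separators.
-            if ((count - 1) >= m_separators.get()->length())
+            if (count > m_separators.get()->length())
                 separator = (*m_separators.get())[m_separators.get()->length() - 1];
             else
-                separator = (*m_separators.get())[count - 2];
+                separator = (*m_separators.get())[count - 1];
                
-            RenderObject* separatorObj = new (renderArena()) RenderMathMLOperator(node(), separator);
-            separatorObj->setStyle(createOperatorStyle());
-            RenderBlock::addChild(separatorObj, lastChild());
+            separatorRenderer = new (renderArena()) RenderMathMLOperator(node(), separator);
+            separatorRenderer->setStyle(createOperatorStyle());
         }
     }
@@ -131,11 +140,21 @@
     if (child->isBlockFlow() && child->style()->display() != INLINE_BLOCK) {
         // Block objects wrapper.
-
         RenderBlock* block = createAlmostAnonymousBlock(INLINE_BLOCK);
        
-        RenderBlock::addChild(block, lastChild());
-        block->addChild(child);   
-    } else
-        RenderBlock::addChild(child, lastChild());
+        block->addChild(child);
+        child = block;
+    }
+   
+    if (beforeChild) {
+        // Adding |x| before an existing |y| e.g. in element (y) - first insert our new child |x|, then its separator, to get (x, y).
+        RenderBlock::addChild(child, beforeChild);
+        if (separatorRenderer)
+            RenderBlock::addChild(separatorRenderer, beforeChild);
+    } else {
+        // Adding |y| at the end of an existing element e.g. (x) - insert the separator first before the closing fence, then |y|, to get (x, y).
+        if (separatorRenderer)
+            RenderBlock::addChild(separatorRenderer, m_closeFenceRenderer);
+        RenderBlock::addChild(child, m_closeFenceRenderer);
+    }
 }
 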
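Review bot: `--count` (new line 121) decrements an unsigned counter that can still be 0 at that point: the loop starts at `child->node()`, so a child whose node() is null leaves count at 0, the decrement wraps to UINT_MAX, `count > m_separators.get()->length()` is then true, and a separator is inserted for a child whose position was never established. That is a rendering error rather than a memory error, since the wrapped value only selects the last specified separator, but it is behaviour this hunk introduces. Guarding the decrement, `if (!beforeChild && count) --count;`, keeps count at 0 and skips separator creation in that case. Whether a renderer with a null node() can reach addChild() here is not visible on this page (the commit message mentions anonymous blocks only as existing siblings), so please confirm against the callers.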
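--- a/trunk/Source/WebCore/rendering/mathml/RenderMathMLFenced.h
+++ b/trunk/Source/WebCore/rendering/mathml/RenderMathMLFenced.h
@@ -48,4 +48,6 @@
     UChar m_close;
     RefPtr<StringImpl> m_separators;
+   
+    RenderObject* m_closeFenceRenderer;
 };
    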
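Review bot: `RenderObject* m_closeFenceRenderer;` is a non-owning pointer to an arena-allocated child; this changeset shows it being set in makeFences() and passed as the beforeChild argument in addChild(), but nothing shown clears it when that child is destroyed, and a stale value here would be the same class of use-after-free the changeset fixes. Please document the lifetime on the declaration, e.g. `// Non-owning; the closing fence created by makeFences(). Must be reset if that child is removed.`, and consider overriding removeChild() (`virtual void removeChild(RenderObject*);`) to zero the member when the removed child is the fence, assuming RenderBlock::removeChild is virtual in this tree. Whether the fence child can be removed independently of the whole RenderMathMLFenced is not visible from this changeset, so this may be purely defensive.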