Changeset 116827 in webkit
- Timestamp:
- May 11, 2012 5:28:32 PM (12 years ago)
- Location:
- trunk
- Files:
-
- 4 added
- 4 edited
trunk/LayoutTests/ChangeLog
r116821 r116827 1 2012-05-11 David Barton <dbarton@mathscribe.com> 2 3 use after free in WebCore::RenderObject::document 4 https://bugs.webkit.org/show_bug.cgi?id=84891 5 6 Reviewed by Julien Chaffraix. 7 8 * mathml/presentation/mfenced-add-child1-expected.html: Added. 9 * mathml/presentation/mfenced-add-child1.html: Added. 10 * mathml/presentation/mfenced-add-child2-expected.html: Added. 11 * mathml/presentation/mfenced-add-child2.html: Added. 12 1 13 2012-05-10 Timothy Hatcher <timothy@apple.com> 2 14 -
trunk/Source/WebCore/ChangeLog
r116824 r116827 1 2012-05-11 David Barton <dbarton@mathscribe.com> 2 3 use after free in WebCore::RenderObject::document 4 https://bugs.webkit.org/show_bug.cgi?id=84891 5 6 Reviewed by Julien Chaffraix. 7 8 Change RenderMathMLFenced::addChild() to use the beforeChild parameter. When beforeChild 9 is 0, insert child renderers before the closing fence, which might not be the same as 10 this->lastChild(), e.g. possibly due to anonymous blocks or generated content. 11 12 Tests: mathml/presentation/mfenced-add-child1-expected.html 13 mathml/presentation/mfenced-add-child1.html 14 mathml/presentation/mfenced-add-child2-expected.html 15 mathml/presentation/mfenced-add-child2.html 16 17 * rendering/mathml/RenderMathMLFenced.cpp: 18 (WebCore::RenderMathMLFenced::RenderMathMLFenced): 19 (WebCore::RenderMathMLFenced::makeFences): 20 (WebCore::RenderMathMLFenced::addChild): 21 * rendering/mathml/RenderMathMLFenced.h: 22 (RenderMathMLFenced): 23 1 24 2012-05-11 Anders Carlsson <andersca@apple.com> 2 25 -
trunk/Source/WebCore/rendering/mathml/RenderMathMLFenced.cpp
r111083 r116827 49 49 , m_open(OpeningBraceChar) 50 50 , m_close(ClosingBraceChar) 51 , m_closeFenceRenderer(0) 51 52 { 52 53 } … … 95 96 openFence->setStyle(createOperatorStyle()); 96 97 RenderBlock::addChild(openFence, firstChild()); 97 RenderObject* closeFence= new (renderArena()) RenderMathMLOperator(node(), m_close);98 closeFence->setStyle(createOperatorStyle());99 RenderBlock::addChild( closeFence);98 m_closeFenceRenderer = new (renderArena()) RenderMathMLOperator(node(), m_close); 99 m_closeFenceRenderer->setStyle(createOperatorStyle()); 100 RenderBlock::addChild(m_closeFenceRenderer); 100 101 } 101 102 102 void RenderMathMLFenced::addChild(RenderObject* child, RenderObject* )103 void RenderMathMLFenced::addChild(RenderObject* child, RenderObject* beforeChild) 103 104 { 104 105 // make the fences if the render object is empty … … 106 107 updateFromElement(); 107 108 109 // FIXME: Adding or removing a child should possibly cause all later separators to shift places if they're different, 110 // as later child positions change by +1 or -1. 111 112 RenderObject* separatorRenderer = 0; 108 113 if (m_separators.get()) { 109 114 unsigned int count = 0; 110 115 for (Node* position = child->node(); position; position = position->previousSibling()) { 111 if (position-> nodeType() == Node::ELEMENT_NODE)116 if (position->isElementNode()) 112 117 count++; 113 118 } 114 115 if (count > 1) { 119 if (!beforeChild) { 120 // We're adding at the end (before the closing fence), so a new separator would go before the new child, not after it. 121 --count; 122 } 123 // |count| is now the number of element children that will be before our new separator, i.e. it's the 1-based index of the separator. 124 125 if (count > 0) { 116 126 UChar separator; 117 127 118 128 // Use the last separator if we've run out of specified separators. 
119 if ( (count - 1) >=m_separators.get()->length())129 if (count > m_separators.get()->length()) 120 130 separator = (*m_separators.get())[m_separators.get()->length() - 1]; 121 131 else 122 separator = (*m_separators.get())[count - 2];132 separator = (*m_separators.get())[count - 1]; 123 133 124 RenderObject* separatorObj = new (renderArena()) RenderMathMLOperator(node(), separator); 125 separatorObj->setStyle(createOperatorStyle()); 126 RenderBlock::addChild(separatorObj, lastChild()); 134 separatorRenderer = new (renderArena()) RenderMathMLOperator(node(), separator); 135 separatorRenderer->setStyle(createOperatorStyle()); 127 136 } 128 137 } … … 131 140 if (child->isBlockFlow() && child->style()->display() != INLINE_BLOCK) { 132 141 // Block objects wrapper. 133 134 142 RenderBlock* block = createAlmostAnonymousBlock(INLINE_BLOCK); 135 143 136 RenderBlock::addChild(block, lastChild()); 137 block->addChild(child); 138 } else 139 RenderBlock::addChild(child, lastChild()); 144 block->addChild(child); 145 child = block; 146 } 147 148 if (beforeChild) { 149 // Adding |x| before an existing |y| e.g. in element (y) - first insert our new child |x|, then its separator, to get (x, y). 150 RenderBlock::addChild(child, beforeChild); 151 if (separatorRenderer) 152 RenderBlock::addChild(separatorRenderer, beforeChild); 153 } else { 154 // Adding |y| at the end of an existing element e.g. (x) - insert the separator first before the closing fence, then |y|, to get (x, y). 155 if (separatorRenderer) 156 RenderBlock::addChild(separatorRenderer, m_closeFenceRenderer); 157 RenderBlock::addChild(child, m_closeFenceRenderer); 158 } 140 159 } 141 160 -
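Review bot: In addChild(), `count` is an `unsigned int`, and the new `--count` in the `!beforeChild` branch wraps to UINT_MAX when the loop found no element, so a separator is created where none belongs. That case seems reachable if `child->node()` is null, which looks possible for the anonymous or generated-content renderers the ChangeLog mentions. Guarding it as `if (!beforeChild && count) --count;` keeps the zero case out of the `count > 0` path. Separately, `(*m_separators.get())[m_separators.get()->length() - 1]` indexes out of range if `m_separators` is non-null but empty; whether updateFromElement() rules that out is not visible here, so an `ASSERT(m_separators->length())` or an explicit length check before the lookup would make the assumption checkable. Parts of addChild() are elided from this section.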
trunk/Source/WebCore/rendering/mathml/RenderMathMLFenced.h
r107473 r116827 48 48 UChar m_close; 49 49 RefPtr<StringImpl> m_separators; 50 51 RenderObject* m_closeFenceRenderer; 50 52 }; 51 53
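Review bot: `m_closeFenceRenderer` is a raw, non-owning pointer to an arena-allocated renderer, and nothing visible in this changeset resets it when that renderer is removed or destroyed. Since addChild() now passes it to `RenderBlock::addChild()` as the insertion point, a stale value would reintroduce the kind of use-after-free this change is fixing. Whether the close fence can actually go away while the RenderMathMLFenced is alive is not visible here, so at minimum the member deserves a comment such as `// Non-owning; created in makeFences(). Must be reset to 0 if the close fence is ever removed or destroyed.`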