Context Navigation

← Previous Changeset
Next Changeset →

Changeset 140206 in webkit

Timestamp:

Jan 18, 2013 2:12:53 PM (11 years ago)

Author:

inferno@chromium.org

Message:

Heap-use-after-free in WebCore::RenderObject::isDescendantOf
https://bugs.webkit.org/show_bug.cgi?id=107226

Reviewed by David Hyatt.

Source/WebCore:

Test: fast/block/float/overhanging-float-not-removed-crash.html

rendering/RenderBox.cpp:

(WebCore::RenderBox::removeFloatingOrPositionedChildFromBlockLists):
Skip anonymous blocks in the chain to get the enclosing block and
be able to correctly mark the overhanging floats in the next siblings.

LayoutTests:

fast/block/float/overhanging-float-not-removed-crash-expected.txt: Added.
fast/block/float/overhanging-float-not-removed-crash.html: Added.

Location:

trunk

Files:

: 2 added
: 3 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/fast/block/float/overhanging-float-not-removed-crash-expected.txt (added)
LayoutTests/fast/block/float/overhanging-float-not-removed-crash.html (added)
Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/rendering/RenderBox.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r140202
+                      r140206
+-01-18  Abhishek Arya  <inferno@chromium.org>
+        Heap-use-after-free in WebCore::RenderObject::isDescendantOf
+        https://bugs.webkit.org/show_bug.cgi?id=107226
+        Reviewed by David Hyatt.
+        * fast/block/float/overhanging-float-not-removed-crash-expected.txt: Added.
+        * fast/block/float/overhanging-float-not-removed-crash.html: Added.
 -01-18  Chris Hopman  <cjhopman@google.com>

trunk/Source/WebCore/ChangeLog

-                      r140202
+                      r140206
+-01-18  Abhishek Arya  <inferno@chromium.org>
+        Heap-use-after-free in WebCore::RenderObject::isDescendantOf
+        https://bugs.webkit.org/show_bug.cgi?id=107226
+        Reviewed by David Hyatt.
+        Test: fast/block/float/overhanging-float-not-removed-crash.html
+        * rendering/RenderBox.cpp:
+        (WebCore::RenderBox::removeFloatingOrPositionedChildFromBlockLists):
+        Skip anonymous blocks in the chain to get the enclosing block and
+        be able to correctly mark the overhanging floats in the next siblings.
 -01-18  Chris Hopman  <cjhopman@google.com>

trunk/Source/WebCore/rendering/RenderBox.cpp

-                      r140068
+                      r140206
         if (parentBlock) {
+            // Need to skip anonymous blocks in our ancestor chain since our overhanging floats
+            // can be in the next siblings of enclosing block.
+            while (parentBlock && parentBlock->isAnonymousBlock())
+                parentBlock = parentBlock->containingBlock();
+            ASSERT(parentBlock);
             RenderObject* parent = parentBlock->parent();
             if (parent && parent->isFlexibleBoxIncludingDeprecated())

Note: See TracChangeset for help on using the changeset viewer.