Bad cast with toRenderBox in WebCore::RenderView::repaintViewRectangle
authorreni@webkit.org <reni@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 18 Mar 2014 18:57:45 +0000 (18:57 +0000)
committerreni@webkit.org <reni@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 18 Mar 2014 18:57:45 +0000 (18:57 +0000)
commit87991bc27e6ee39a49827ed9fbaa476ce8325c10
tree7a641a43af0f0c77fe14840e942c743f1603353d
parent1789e8b969830ab77b74acfae216b7e170295f7e
Bad cast with toRenderBox in WebCore::RenderView::repaintViewRectangle
https://bugs.webkit.org/show_bug.cgi?id=129104

Reviewed by Simon Fraser.

Source/WebCore:

We should not cast the renderer of a RenderView's owner to RenderBox
unless we are sure it is one.

Test: plugins/crash-invalid-data-reference.html

* rendering/RenderView.cpp:
(WebCore::RenderView::repaintViewRectangle):

LayoutTests:

* plugins/crash-invalid-data-reference-expected.txt: Added.
* plugins/crash-invalid-data-reference.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@165826 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/plugins/crash-invalid-data-reference-expected.txt [new file with mode: 0644]
LayoutTests/plugins/crash-invalid-data-reference.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderView.cpp