Bad cast in RenderBox::computeReplacedLogicalHeightUsing
author commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 14 Aug 2012 00:11:35 +0000 (00:11 +0000)
committer commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 14 Aug 2012 00:11:35 +0000 (00:11 +0000)
https://bugs.webkit.org/show_bug.cgi?id=93875

Patch by Pravin D <pravind.2k4@gmail.com> on 2012-08-13
Reviewed by Abhishek Arya.

Source/WebCore:

Pointer to the container of a replaced element was being typecast to renderbox
without checking if the container is a renderbox or not.

Test: fast/replaced/render-inline-cast-to-render-box-crash.html

* rendering/RenderBox.cpp:
(WebCore::RenderBox::computeReplacedLogicalHeightUsing):
 Scrollbar height is retrieved only if the container is a renderBox. Otherwise scrollbar is taken as zero.

LayoutTests:

* fast/replaced/render-inline-cast-to-render-box-crash-expected.txt: Added.
* fast/replaced/render-inline-cast-to-render-box-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@125472 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/replaced/render-inline-cast-to-render-box-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/replaced/render-inline-cast-to-render-box-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderBox.cpp

index 84a6162..fe187dd 100644 (file)
@@ -1,3 +1,13 @@
+2012-08-13  Pravin D  <pravind.2k4@gmail.com>
+
+        Bad cast in RenderBox::computeReplacedLogicalHeightUsing
+        https://bugs.webkit.org/show_bug.cgi?id=93875
+
+        Reviewed by Abhishek Arya.
+
+        * fast/replaced/render-inline-cast-to-render-box-crash-expected.txt: Added.
+        * fast/replaced/render-inline-cast-to-render-box-crash.html: Added.
+
 2012-08-13  Dean Jackson  <dino@apple.com>
 
         REGRESSION (r125450): 4 canvas/philip/tests tests failing on Apple Lion Release WK1 (Tests)
diff --git a/LayoutTests/fast/replaced/render-inline-cast-to-render-box-crash-expected.txt b/LayoutTests/fast/replaced/render-inline-cast-to-render-box-crash-expected.txt
new file mode 100644 (file)
index 0000000..3d50174
--- /dev/null
@@ -0,0 +1 @@
+ PASS. WebKit didn't crash.
diff --git a/LayoutTests/fast/replaced/render-inline-cast-to-render-box-crash.html b/LayoutTests/fast/replaced/render-inline-cast-to-render-box-crash.html
new file mode 100644 (file)
index 0000000..03a4e67
--- /dev/null
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<style>
+span {
+    position: relative;
+    height:100px;
+}
+img {
+    position: absolute;
+    height: 50%;
+}
+</style>
+<body>
+<span>
+ <img />
+</span>
+PASS. WebKit didn't crash.
+</body>
+</html>
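Review bot: The test never says what it exercises. A reader has to infer from the style block and the body that the case is an absolutely positioned img with a percentage height nested in a relatively positioned span. Add a short HTML comment or a line of visible text that names bug 93875 and describes that setup, so a future failure can be triaged without digging up the ChangeLog. Minor style point in the span rule: "height:100px;" lacks the space after the colon that "height: 50%;" has in the img rule.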
index b8e34ec..674a830 100644 (file)
@@ -1,3 +1,19 @@
+2012-08-13  Pravin D  <pravind.2k4@gmail.com>
+
+        Bad cast in RenderBox::computeReplacedLogicalHeightUsing
+        https://bugs.webkit.org/show_bug.cgi?id=93875
+
+        Reviewed by Abhishek Arya.
+
+        Pointer to the container of a replaced element was being type casted to renderbox
+        without checking if the container is a renderbox or not.
+
+        Test: fast/replaced/render-inline-cast-to-render-box-crash.html
+
+        * rendering/RenderBox.cpp:
+        (WebCore::RenderBox::computeReplacedLogicalHeightUsing):
+         Scrollbar height is retrieved only if the container is a renderBox. Otherwise scrollbar is taken as zero.
+
 2012-08-13  James Robinson  <jamesr@chromium.org>
 
         [chromium] Make WebAnimation a pure virtual interface to hide implementation and avoid unresolved symbols
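Review bot: The entry spells the class name inconsistently: "renderbox" in the description and "renderBox" in the note under computeReplacedLogicalHeightUsing, while the code uses RenderBox. Use RenderBox throughout so the entry can be found by searching for the class name. "type casted" should read "cast", and the note line under the function name is indented one space more than the lines above it.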
index faf9102..e02a47d 100644 (file)
@@ -2270,7 +2270,7 @@ LayoutUnit RenderBox::computeReplacedLogicalHeightUsing(SizeType sizeType, Lengt
                 }
             }
             availableHeight = computeContentBoxLogicalHeight(valueForLength(logicalHeight, availableHeight));
-            if (cb->style()->logicalHeight().isFixed())
+            if (cb->isBox() && cb->style()->logicalHeight().isFixed())
                 availableHeight = max<LayoutUnit>(0, availableHeight - toRenderBox(cb)->scrollbarLogicalHeight());
             return availableHeight;
         }
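Review bot: The added cb->isBox() test in the if condition has no comment explaining when cb is not a RenderBox, so the guard can look redundant to a later reader and be dropped in a cleanup. Add a one-line comment above the condition stating that the container may be a non-box renderer (the added layout test uses a relatively positioned span) and that the scrollbar height is then treated as zero, as the ChangeLog says. Only this one toRenderBox(cb) call is visible in the hunk, so it is also worth confirming that no other cast of cb in this function depends on the same unchecked assumption.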