Fix crash when encountering illegal HTML within a continuation inside <ruby>.
authorrolandsteiner@chromium.org <rolandsteiner@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 16 Dec 2009 02:02:12 +0000 (02:02 +0000)
committerrolandsteiner@chromium.org <rolandsteiner@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 16 Dec 2009 02:02:12 +0000 (02:02 +0000)
(https://bugs.webkit.org/show_bug.cgi?id=32316)

Reviewed by Adam Barth.

Avoid having the anonymous blocks used by the ruby renderers be
re-used as continuation blocks.
Avoid having ruby runs collected as "leftover blocks".

Test: fast/ruby/ruby-illegal.html

WebCore:

* rendering/RenderRuby.h:
(WebCore::RenderRubyAsInline::removeLeftoverAnonymousBlock): mustn't be called
(WebCore::RenderRubyAsInline::isRuby): made private
(WebCore::RenderRubyAsInline::renderName): made private
(WebCore::RenderRubyAsInline::createsAnonymousWrapper): return true
(WebCore::RenderRubyAsBlock::removeLeftoverAnonymousBlock): mustn't be called
(WebCore::RenderRubyAsBlock::isRuby): made private
(WebCore::RenderRubyAsBlock::renderName): made private
(WebCore::RenderRubyAsBlock::createsAnonymousWrapper): return true
* rendering/RenderRubyRun.h:
(WebCore::RenderRubyRun::removeLeftoverAnonymousBlock): avoid
(WebCore::RenderRubyRun::isRubyRun): made private
(WebCore::RenderRubyRun::renderName): made private
(WebCore::RenderRubyRun::createsAnonymousWrapper): return true

LayoutTests:

* fast/ruby/ruby-illegal-expected.txt: Added.
* fast/ruby/ruby-illegal.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@52184 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/ruby/ruby-illegal-expected.txt [new file with mode: 0644]
LayoutTests/fast/ruby/ruby-illegal.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/rendering/RenderRuby.h
WebCore/rendering/RenderRubyRun.h

index f7e0bf4..da82259 100644 (file)
@@ -1,3 +1,17 @@
+2009-12-13  Roland Steiner  <rolandsteiner@chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Fix crash when encountering illegal HTML within a continuation inside <ruby>.
+        (https://bugs.webkit.org/show_bug.cgi?id=32316)
+
+        Avoid having the anonymous blocks utilized in the ruby renderers being
+        re-used as continuation blocks.
+        Avoid having ruby runs collected as "leftover blocks".
+
+        * fast/ruby/ruby-illegal-expected.txt: Added.
+        * fast/ruby/ruby-illegal.html: Added.
+
 2009-12-15  Dan Bernstein  <mitz@apple.com>
 
         Reviewed by Darin Adler.
diff --git a/LayoutTests/fast/ruby/ruby-illegal-expected.txt b/LayoutTests/fast/ruby/ruby-illegal-expected.txt
new file mode 100644 (file)
index 0000000..37f1c7b
--- /dev/null
@@ -0,0 +1,5 @@
+SUCCESS!
+
+\x0e
+\x0e
+
diff --git a/LayoutTests/fast/ruby/ruby-illegal.html b/LayoutTests/fast/ruby/ruby-illegal.html
new file mode 100644 (file)
index 0000000..0622514
--- /dev/null
@@ -0,0 +1,22 @@
+<html>
+<head>
+<script>
+function test()
+{
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+    document.getElementById("result").firstChild.data = 'SUCCESS!';
+}
+</script>
+</head>
+<body onload="test()">
+<div id="result">FAILED!</div>
+<!-- The following malformed (!) lines mustn't crash the renderer -->
+<div><blockQuote><ruby><i><noBR><form><input type=file></i></div>
+<div><ruby <table >\x0e</div>
+<div><ruby <table >\x0e<i</div>
+<div><samp><ruby <s<hr</samp></div>
+<div><samp><ruby <s<r<blockQuote</samp></div>
+<div><samp><ruby <s<hr<blockQuote</samp></div>
+</body>
+</html>
index 4788cc6..e6a2a4b 100644 (file)
@@ -1,3 +1,31 @@
+2009-12-13  Roland Steiner  <rolandsteiner@chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Fix crash when encountering illegal HTML within a continuation inside <ruby>.
+        (https://bugs.webkit.org/show_bug.cgi?id=32316)
+
+        Avoid having the anonymous blocks utilized in the ruby renderers being
+        re-used as continuation blocks.
+        Avoid having ruby runs collected as "leftover blocks".
+
+        Test: fast/ruby/ruby-illegal.html
+
+        * rendering/RenderRuby.h:
+        (WebCore::RenderRubyAsInline::removeLeftoverAnonymousBlock): mustn't be called
+        (WebCore::RenderRubyAsInline::isRuby): made private
+        (WebCore::RenderRubyAsInline::renderName): made private
+        (WebCore::RenderRubyAsInline::createsAnonymousWrapper): return true
+        (WebCore::RenderRubyAsBlock::removeLeftoverAnonymousBlock): mustn't be called
+        (WebCore::RenderRubyAsBlock::isRuby): made private
+        (WebCore::RenderRubyAsBlock::renderName): made private
+        (WebCore::RenderRubyAsBlock::createsAnonymousWrapper): return true
+        * rendering/RenderRubyRun.h:
+        (WebCore::RenderRubyRun::removeLeftoverAnonymousBlock): avoid
+        (WebCore::RenderRubyRun::isRubyRun): made private
+        (WebCore::RenderRubyRun::renderName): made private
+        (WebCore::RenderRubyRun::createsAnonymousWrapper): return true
+
 2009-12-15  Nate Chapin  <japhet@chromium.org>
 
         Reviewed by Darin Adler.
index a74150c..49a84d8 100644 (file)
@@ -54,13 +54,15 @@ public:
     RenderRubyAsInline(Node*);
     virtual ~RenderRubyAsInline();
 
-    virtual const char* renderName() const { return "RenderRuby (inline)"; }
-
-    virtual bool isRuby() const { return true; }
-
     virtual bool isChildAllowed(RenderObject*, RenderStyle*) const;
     virtual void addChild(RenderObject* child, RenderObject* beforeChild = 0);
     virtual void removeChild(RenderObject* child);
+
+private:
+    virtual bool isRuby() const { return true; }
+    virtual const char* renderName() const { return "RenderRuby (inline)"; }
+    virtual bool createsAnonymousWrapper() const { return true; }
+    virtual void removeLeftoverAnonymousBlock(RenderBlock*) { ASSERT_NOT_REACHED(); }
 };
 
 // <ruby> when used as 'display:block' or 'display:inline-block'
@@ -69,13 +71,15 @@ public:
     RenderRubyAsBlock(Node*);
     virtual ~RenderRubyAsBlock();
 
-    virtual const char* renderName() const { return "RenderRuby (block)"; }
-
-    virtual bool isRuby() const { return true; }
-
     virtual bool isChildAllowed(RenderObject*, RenderStyle*) const;
     virtual void addChild(RenderObject* child, RenderObject* beforeChild = 0);
     virtual void removeChild(RenderObject* child);
+
+private:
+    virtual bool isRuby() const { return true; }
+    virtual const char* renderName() const { return "RenderRuby (block)"; }
+    virtual bool createsAnonymousWrapper() const { return true; }
+    virtual void removeLeftoverAnonymousBlock(RenderBlock*) { ASSERT_NOT_REACHED(); }
 };
 
 } // namespace WebCore
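Review bot: The private overrides `createsAnonymousWrapper()` and `removeLeftoverAnonymousBlock()` added at the end of RenderRubyAsInline (and repeated verbatim in the RenderRubyAsBlock hunk that follows) carry no comment, so a reader of the header cannot tell why a ruby renderer refuses to give up its anonymous block or why `ASSERT_NOT_REACHED()` is the right response. I would precede the two lines with `// The anonymous blocks a ruby renderer creates are part of its own structure; they must not be re-used as continuation blocks or removed as "leftover" blocks (bug 32316).` Note also that WebKit's `ASSERT_NOT_REACHED()` compiles to nothing in release builds, so a stray call here silently degrades to the same empty no-op that RenderRubyRun.h installs; if that fallback is intended, the comment should say so rather than leave the two files looking inconsistent. Both class definitions start outside their hunks.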
index 361dfe5..222ddb6 100644 (file)
@@ -48,10 +48,6 @@ public:
 
     virtual void destroy();
 
-    virtual const char* renderName() const { return "RenderRubyRun (anonymous)"; }
-
-    virtual bool isRubyRun() const { return true; }
-
     bool hasRubyText() const;
     bool hasRubyBase() const;
     bool isEmpty() const;
@@ -70,8 +66,13 @@ public:
 
 protected:
     RenderRubyBase* createRubyBase() const;
-    
+
 private:
+    virtual bool isRubyRun() const { return true; }
+    virtual const char* renderName() const { return "RenderRubyRun (anonymous)"; }
+    virtual bool createsAnonymousWrapper() const { return true; }
+    virtual void removeLeftoverAnonymousBlock(RenderBlock*) { }
+
     bool m_beingDestroyed;
 };