Bad cast with toRenderBox in WebCore::RenderView::repaintViewRectangle
author: reni@webkit.org <reni@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 18 Mar 2014 18:57:45 +0000 (18:57 +0000)
committer: reni@webkit.org <reni@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 18 Mar 2014 18:57:45 +0000 (18:57 +0000)
https://bugs.webkit.org/show_bug.cgi?id=129104

Reviewed by Simon Fraser.

Source/WebCore:

We should not cast the renderer of a RenderView's owner to RenderBox
unless we are sure it is one.

Test: plugins/crash-invalid-data-reference.html

* rendering/RenderView.cpp:
(WebCore::RenderView::repaintViewRectangle):

LayoutTests:

* plugins/crash-invalid-data-reference-expected.txt: Added.
* plugins/crash-invalid-data-reference.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@165826 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/plugins/crash-invalid-data-reference-expected.txt [new file with mode: 0644]
LayoutTests/plugins/crash-invalid-data-reference.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderView.cpp

index 6c18b7c..b923efc 100644 (file)
@@ -1,3 +1,13 @@
+2014-03-18  Renata Hodovan  <rhodovan.u-szeged@partner.samsung.com>
+
+        Bad cast with toRenderBox in WebCore::RenderView::repaintViewRectangle
+        https://bugs.webkit.org/show_bug.cgi?id=129104
+
+        Reviewed by Simon Fraser.
+
+        * plugins/crash-invalid-data-reference-expected.txt: Added.
+        * plugins/crash-invalid-data-reference.html: Added.
+
 2014-03-18  Antti Koivisto  <antti@apple.com>
 
         Mutating rules returned by getMatchedCSSRules can result in crash
diff --git a/LayoutTests/plugins/crash-invalid-data-reference-expected.txt b/LayoutTests/plugins/crash-invalid-data-reference-expected.txt
new file mode 100644 (file)
index 0000000..1436910
--- /dev/null
@@ -0,0 +1 @@
+This test passes if it doesn't crash in debug. (Bug #129104)
diff --git a/LayoutTests/plugins/crash-invalid-data-reference.html b/LayoutTests/plugins/crash-invalid-data-reference.html
new file mode 100644 (file)
index 0000000..7f0314f
--- /dev/null
@@ -0,0 +1,14 @@
+<html>
+<head>
+<script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+</script>
+</head>
+<body>
+       <object data="file://var/www/foo"></object>
+       <div>
+       This test passes if it doesn't crash in debug. (Bug #129104)
+       </div>
+</body>
+</html>
\ No newline at end of file
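Review bot: the new test file is missing its trailing newline (see the `\ No newline at end of file` marker); please add one so later diffs of this file stay clean. The body markup is also indented differently (seven spaces) from the script block (four), so align it. Since the expected output says the test only catches the problem "in debug", a one-line HTML comment above the `<object data="file://var/www/foo">` element stating that the object is meant to fail to load would tell a future reader which code path the test exercises without having to look up the bug; note too that with only two slashes `var` sits in the URL's authority position, so if an unreachable local path is intended, `file:///var/www/foo` states that intent more clearly.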
index 1c7ad45..04165dd 100644 (file)
@@ -1,3 +1,18 @@
+2014-03-18  Renata Hodovan  <rhodovan.u-szeged@partner.samsung.com>
+
+        Bad cast with toRenderBox in WebCore::RenderView::repaintViewRectangle
+        https://bugs.webkit.org/show_bug.cgi?id=129104
+
+        Reviewed by Simon Fraser.
+
+        We should not cast the renderer of a RenderView's owner to RenderBox
+        unless we are sure it is one.
+
+        Test: plugins/crash-invalid-data-reference.html
+
+        * rendering/RenderView.cpp:
+        (WebCore::RenderView::repaintViewRectangle):
+
 2014-03-18  Andreas Kling  <akling@apple.com>
 
         Micro-optimize element descendant iterator.
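Review bot: the description says the owner's renderer should not be cast to RenderBox "unless we are sure it is one" but never says in which situation the owner's renderer is not a box; naming the case the new test triggers (an `<object>` whose data reference is invalid, per the test name) would make this entry far more useful when someone bisects to it later.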
index 83b590f..5ce94cc 100644 (file)
@@ -545,9 +545,9 @@ void RenderView::repaintViewRectangle(const LayoutRect& repaintRect) const
         return;
 
     if (auto ownerElement = document().ownerElement()) {
-        if (!ownerElement->renderer())
+        RenderBox* ownerBox = ownerElement->renderBox();
+        if (!ownerBox)
             return;
-        auto& ownerBox = toRenderBox(*ownerElement->renderer());
         LayoutRect viewRect = this->viewRect();
 #if PLATFORM(IOS)
         // Don't clip using the visible rect since clipping is handled at a higher level on iPhone.
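Review bot: as the ChangeLog implies, `renderBox()` yields null not only when the owner has no renderer but also when its renderer is not a RenderBox, so the early `return` now silently skips the repaint in the second case where `toRenderBox(*ownerElement->renderer())` previously asserted. That is the right trade-off against a bad cast, but a one-line comment saying that a non-box owner renderer intentionally gets no repaint here would stop a later reader from taking the null check as "no renderer" only. Minor: `auto* ownerBox = ownerElement->renderBox();` would match the `auto` style already used on the `ownerElement` line above.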
@@ -556,8 +556,8 @@ void RenderView::repaintViewRectangle(const LayoutRect& repaintRect) const
         LayoutRect adjustedRect = intersection(repaintRect, viewRect);
 #endif
         adjustedRect.moveBy(-viewRect.location());
-        adjustedRect.moveBy(ownerBox.contentBoxRect().location());
-        ownerBox.repaintRectangle(adjustedRect);
+        adjustedRect.moveBy(ownerBox->contentBoxRect().location());
+        ownerBox->repaintRectangle(adjustedRect);
         return;
     }
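Review bot: these two lines change only because `ownerBox` became a pointer; if the earlier hunk kept a pointer for the null check and then rebound a reference (`RenderBox* box = ownerElement->renderBox(); if (!box) return; auto& ownerBox = *box;`), the original `ownerBox.contentBoxRect()` and `ownerBox.repaintRectangle(adjustedRect)` call sites could stay untouched and the diff would be minimal. Purely stylistic; either form is correct.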