Source/WebCore: Heap-use-after-free in WebCore::RenderLayerModelObject::hasSelfPaintingL
author inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 28 Nov 2012 22:46:59 +0000 (22:46 +0000)
committer inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 28 Nov 2012 22:46:59 +0000 (22:46 +0000)
LayoutTests: Heap-use-after-free in WebCore::RenderLayerModelObject::hasSelfPaintingLayer
https://bugs.webkit.org/show_bug.cgi?id=101970

Reviewed by David Hyatt.

* fast/block/float/float-not-removed-from-pre-block-expected.txt: Added.
* fast/block/float/float-not-removed-from-pre-block.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@136060 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/block/float/float-not-removed-from-pre-block-expected.txt [new file with mode: 0644]
LayoutTests/fast/block/float/float-not-removed-from-pre-block.html [new file with mode: 0755]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderBlock.cpp
Source/WebCore/rendering/RenderBlock.h
Source/WebCore/rendering/RenderInline.cpp

index 95fba53..d8f8f1a 100644 (file)
@@ -1,3 +1,13 @@
+2012-11-28  Abhishek Arya  <inferno@chromium.org>
+
+        Heap-use-after-free in WebCore::RenderLayerModelObject::hasSelfPaintingLayer
+        https://bugs.webkit.org/show_bug.cgi?id=101970
+
+        Reviewed by David Hyatt.
+
+        * fast/block/float/float-not-removed-from-pre-block-expected.txt: Added.
+        * fast/block/float/float-not-removed-from-pre-block.html: Added.
+
 2012-11-28  Tony Chang  <tony@chromium.org>
 
         Move internals.settings.setPageScaleFactor to internals.setPageScaleFactor
diff --git a/LayoutTests/fast/block/float/float-not-removed-from-pre-block-expected.txt b/LayoutTests/fast/block/float/float-not-removed-from-pre-block-expected.txt
new file mode 100644 (file)
index 0000000..acbf0fb
--- /dev/null
@@ -0,0 +1,3 @@
+Bug 101970: Heap-use-after-free in WebCore::RenderLayerModelObject::hasSelfPaintingLayer
+Test passes if it does not crash.
+
diff --git a/LayoutTests/fast/block/float/float-not-removed-from-pre-block.html b/LayoutTests/fast/block/float/float-not-removed-from-pre-block.html
new file mode 100755 (executable)
index 0000000..0f4237f
--- /dev/null
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+Bug 101970: Heap-use-after-free in WebCore::RenderLayerModelObject::hasSelfPaintingLayer<br />
+Test passes if it does not crash.<br />
+<div id="container">
+  <q>
+    <q id="test1"></q>
+  </q>
+  <q id="test2">
+    <q style="float: left"></q>
+    <q id="test3">
+      <q style="position: fixed;">
+    </q>
+  </q>
+</div>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+document.body.offsetTop;
+test3.style.display = "table-footer-group";
+test3.focus();
+test1.style.display = "table-row-group";
+test2.style.display = "inline-block";
+</script>
+</html>
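Review bot: the new test is added with mode 100755 ("new file mode 100755 (executable)") while its sibling expected file is 0644; an HTML layout test has no reason to be executable, so the mode should be 0644 to match the rest of fast/block/float. Separately, `<q id="test2">` is never explicitly closed and is only terminated by the parser when it reaches `</div>`; since the crash depends on the exact nesting of the float and the fixed-position `<q>` under test2/test3, adding the missing `</q>` after the test3 subtree would make the tree the test builds explicit rather than relying on implicit end-tag handling. The "Test passes if it does not crash" line is appropriate: the lifetime bug is only observable under a memory checker, and the test cannot assert anything about the cleared float list itself.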
index dae1b52..ad0a8b0 100644 (file)
@@ -1,3 +1,31 @@
+2012-11-28  Abhishek Arya  <inferno@chromium.org>
+
+        Heap-use-after-free in WebCore::RenderLayerModelObject::hasSelfPaintingL
+ayer
+        https://bugs.webkit.org/show_bug.cgi?id=101970
+
+        Reviewed by David Hyatt.
+
+        RenderInline::splitFlow and RenderBlock::splitFlow re-use |pre|
+        block in some cases. In those cases, |pre| might hold floating objects
+        and those floating descendants might get moved to |post| block. If
+        the |pre| block does not get a layout later, then the floating
+        descendant will never get removed since it is now part of |post|
+        ancestor chain. We don't want failing-to-layout bugs turned into
+        security bugs and hence clear floating objects list since we expect
+        it to be rebuilt in subsequent layout.
+
+        Test: fast/block/float/float-not-removed-from-pre-block.html
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::splitFlow): Call removeFloatingObjects on |pre| block.
+        (WebCore::RenderBlock::removeFloatingObjects): Clear all floating objects from our list.
+        (WebCore):
+        * rendering/RenderBlock.h: 
+        (RenderBlock):
+        * rendering/RenderInline.cpp:
+        (WebCore::RenderInline::splitFlow): Call removeFloatingObjects on |pre| block.
+
 2012-11-28  Mark Pilgrim  <pilgrim@chromium.org>
 
         [Chromium] Remove pluginsScriptableObject from PlatformSupport
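Review bot: the function name in the entry's first line is split across two lines ("hasSelfPaintingL" / "ayer"), and that wrapped first line is also what became the truncated commit subject shown at the top of this page; rejoin it to `Heap-use-after-free in WebCore::RenderLayerModelObject::hasSelfPaintingLayer` so the entry and the commit title are searchable by the full symbol. The bare "(WebCore):" and "(RenderBlock):" lines are prepare-ChangeLog residue with no description and can be dropped, and "* rendering/RenderBlock.h: " carries trailing whitespace. The rationale paragraph is good and is the only place that records why clearing the list is safe (it is expected to be rebuilt in a subsequent layout); see the note on the RenderBlock.cpp hunk about echoing that at the call site.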
index 418bcf5..8c62497 100644 (file)
@@ -675,6 +675,7 @@ void RenderBlock::splitFlow(RenderObject* beforeChild, RenderBlock* newBlockBox,
         // We can reuse this block and make it the preBlock of the next continuation.
         pre = block;
         pre->removePositionedObjects(0);
+        pre->removeFloatingObjects();
         block = toRenderBlock(block->parent());
     } else {
         // No anonymous block available for use.  Make one.
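Review bot: the new call sits next to `pre->removePositionedObjects(0);` but has different scope and no explanation, so a one-line comment at the call site would help, e.g. "pre may still own FloatingObject entries for descendants that are about to move under post; drop them, they are rebuilt on the next layout of pre", which is the ChangeLog's rationale. Ordering is correct: `removeFloatingObjects()` runs while `pre` still refers to the reused block and before `block` is reassigned to its parent. The call is only needed in this reuse branch, since the else branch creates a fresh anonymous block with no float bookkeeping. One asymmetry worth a thought: `removePositionedObjects` takes a containing-block argument and is selective, whereas `removeFloatingObjects` unconditionally wipes the whole list, including floats that remain genuine descendants of `pre`; that is fine only under the stated expectation that `pre` is laid out again, so the comment should say so explicitly.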
@@ -3761,6 +3762,15 @@ void RenderBlock::removePositionedObjects(RenderBlock* o, ContainingBlockState c
         removePositionedObject(deadObjects.at(i));
 }
 
+void RenderBlock::removeFloatingObjects()
+{
+    if (!m_floatingObjects)
+        return;
+
+    deleteAllValues(m_floatingObjects->set());
+    m_floatingObjects->clear();
+}
+
 RenderBlock::FloatingObject* RenderBlock::insertFloatingObject(RenderBox* o)
 {
     ASSERT(o->isFloating());
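Review bot: `deleteAllValues(m_floatingObjects->set())` followed by `m_floatingObjects->clear()` leaves an allocated but empty FloatingObjects container rather than resetting `m_floatingObjects`; if the rest of RenderBlock treats a non-null `m_floatingObjects` with an empty set as equivalent to null this is fine, but it is worth confirming, or resetting the pointer here, so `hasFloatingObjects`-style checks do not see a stale non-null container. The early return on null makes the function safe to call on blocks that never tracked floats, which matters because `splitFlow` calls it unconditionally. A short comment on the definition stating that this only frees the block's own FloatingObject records and does not detach or destroy the floating renderers themselves would prevent the name from being read as the float counterpart of `removePositionedObject(RenderBox*)` above, which operates on a single box and is static.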
index 89c816c..9f00847 100644 (file)
@@ -117,6 +117,8 @@ public:
     static void removePositionedObject(RenderBox*);
     void removePositionedObjects(RenderBlock*, ContainingBlockState = SameContainingBlock);
 
+    void removeFloatingObjects();
+
     TrackedRendererListHashSet* positionedObjects() const;
     bool hasPositionedObjects() const
     {
index 01f9699..db1b185 100644 (file)
@@ -455,6 +455,7 @@ void RenderInline::splitFlow(RenderObject* beforeChild, RenderBlock* newBlockBox
         // We can reuse this block and make it the preBlock of the next continuation.
         pre = block;
         pre->removePositionedObjects(0);
+        pre->removeFloatingObjects();
         block = block->containingBlock();
     } else {
         // No anonymous block available for use.  Make one.
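Review bot: this is the same two-call sequence (`pre->removePositionedObjects(0); pre->removeFloatingObjects();`) now duplicated in `RenderInline::splitFlow` and `RenderBlock::splitFlow`, in two branches that are otherwise near-identical; consider folding both into a single RenderBlock helper (a hypothetical name such as `prepareForReuseAsPreBlock()`) so that any future bookkeeping that must be cleared before an anonymous block is reused as `pre` is added in one place rather than risking one of the two sites being missed, which is exactly the class of omission this patch fixes for floats.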