Exploitable crash happens when an SVG contains an indirect resource inheritance cycle
[WebKit-https.git] / Source / WebCore / rendering / svg / RenderSVGRoot.cpp
index 9fef1d37a6ce3768f0973d6f345cf0baba395e01..7852f889daca14c669d47240a0fccd37dfd1554e 100644 (file)
@@ -180,9 +180,10 @@ void RenderSVGRoot::layout()
 
     if (!m_resourcesNeedingToInvalidateClients.isEmpty()) {
         // Invalidate resource clients, which may mark some nodes for layout.
-        HashSet<RenderSVGResourceContainer*>::iterator end = m_resourcesNeedingToInvalidateClients.end();
-        for (HashSet<RenderSVGResourceContainer*>::iterator it = m_resourcesNeedingToInvalidateClients.begin(); it != end; ++it)
-            (*it)->removeAllClientsFromCache();
+        for (auto& resource :  m_resourcesNeedingToInvalidateClients) {
+            resource->removeAllClientsFromCache();
+            SVGResourcesCache::clientStyleChanged(*resource, StyleDifferenceLayout, resource->style());
+        }
 
         m_isLayoutSizeChanged = false;
         SVGRenderSupport::layoutChildren(*this, false);
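Review bot: The range-for on the added lines walks `m_resourcesNeedingToInvalidateClients` while calling `removeAllClientsFromCache()` and the newly added `SVGResourcesCache::clientStyleChanged()`, and nothing visible in the hunk rules out either call adding or removing a resource in that same set, which would invalidate the iteration over a set of raw pointers. If that re-entrancy is possible, iterating over a snapshot would be safer, e.g. `auto resources = std::move(m_resourcesNeedingToInvalidateClients);` followed by `for (auto& resource : resources) {`, provided the rest of layout() does not read the member afterwards. Otherwise a comment such as `// clientStyleChanged() must not modify m_resourcesNeedingToInvalidateClients.` would record the invariant the loop relies on. Minor style: there is a doubled space after the colon in `for (auto& resource :  m_resourcesNeedingToInvalidateClients)`. layout() starts and ends outside the hunk, so whether the set is cleared or reused later cannot be checked from here.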