Heap-use-after-free in WebCore::InlineFlowBox::deleteLine due to fullscreen issues.
author jer.noble@apple.com <jer.noble@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 29 Mar 2012 23:03:58 +0000 (23:03 +0000)
committer jer.noble@apple.com <jer.noble@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 29 Mar 2012 23:03:58 +0000 (23:03 +0000)
commit 3cb6a08543cf6d9fc178b34ba19a9fb78728bf68
tree c91b6e0b6b10573e740e6c15760db06c84f0921f
parent 3e4db59fab3d5e5c76a9a1acf47d4932bca4f2e8
Heap-use-after-free in WebCore::InlineFlowBox::deleteLine due to fullscreen issues.
https://bugs.webkit.org/show_bug.cgi?id=82055

Reviewed by David Hyatt.

No new tests; fixes fuzz test crasher which is not reproducible in DRT or WKTR.

When a RenderFullScreen object is inserted between a child and parent renderer, make sure the
parent renderer deletes its line boxes by calling setNeedsLayoutAndPrefWidthsRecalc().  This
forces its InlineBox renderers to be removed from the line boxes and their parents in the correct
order, fixing a double-delete crash.

The same is true when unwrapping the RenderFullScreen object, and when creating and inserting
the full screen placeholder.

* rendering/RenderFullScreen.cpp:
(RenderFullScreen::wrapRenderer):
(RenderFullScreen::unwrapRenderer):
(RenderFullScreen::createPlaceholder):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@112596 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderFullScreen.cpp