Heap-use-after-free in WebCore::InlineFlowBox::deleteLine due to fullscreen issues.
authorjer.noble@apple.com <jer.noble@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 29 Mar 2012 23:03:58 +0000 (23:03 +0000)
committerjer.noble@apple.com <jer.noble@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 29 Mar 2012 23:03:58 +0000 (23:03 +0000)
https://bugs.webkit.org/show_bug.cgi?id=82055

Reviewed by David Hyatt.

No new tests; fixes fuzz test crasher which is not reproducible in DRT or WKTR.

When a RenderFullScreen object is inserted between a child and parent renderer, make sure the
parent renderer deletes its line boxes by calling setNeedsLayoutAndPrefWidthsRecalc().  This
forces its InlineBox renderers to be removed from the line boxes and their parents in the correct
order, fixing a double-delete crash.

The same is true when unwrapping the RenderFullScreen object, and when creating and inserting
the full screen placeholder.

* rendering/RenderFullScreen.cpp:
(RenderFullScreen::wrapRenderer):
(RenderFullScreen::unwrapRenderer):
(RenderFullScreen::createPlaceholder):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@112596 268f45cc-cd09-0410-ab3c-d52691b4dbfc


No differences found