Heap-use-after-free in WebCore::RenderText::computePreferredLogicalWidths
author: inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 11 Jan 2013 19:35:31 +0000 (19:35 +0000)
committer: inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 11 Jan 2013 19:35:31 +0000 (19:35 +0000)
https://bugs.webkit.org/show_bug.cgi?id=95901

Reviewed by Simon Fraser.

Prevent re-entrancy of view layout. Loading of an SVG document during font load
causes it to re-enter layout and blow the style away from underneath.

Test: Go to http://www.speckproducts.com and make sure crash does not happen.

* dom/Document.cpp:
(WebCore::Document::updateLayout):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@139470 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp

index a780bdcbc8eb25a0f546b08a29e4f55a8781a5a2..a30ae39fcce5ad26acef6c0d5bdec3b96e08f603 100644 (file)
@@ -1,3 +1,18 @@
+2013-01-11  Abhishek Arya  <inferno@chromium.org>
+
+        Heap-use-after-free in WebCore::RenderText::computePreferredLogicalWidths
+        https://bugs.webkit.org/show_bug.cgi?id=95901
+
+        Reviewed by Simon Fraser.
+
+        Prevent re-entrancy of view layout. Loading of SVG document during font load
+        causes it to re-enter layout and blowing the style away from underneath.
+        
+        Test: Go to http://www.speckproducts.com and make sure crash does not happen.
+
+        * dom/Document.cpp:
+        (WebCore::Document::updateLayout):
+
 2013-01-11  Kentaro Hara  <haraken@chromium.org>
 
         [V8] Do not create a local handle for a cached v8 string that is returned to V8 immediately
 2013-01-11  Kentaro Hara  <haraken@chromium.org>
 
         [V8] Do not create a local handle for a cached v8 string that is returned to V8 immediately
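Review bot: the "Test:" line in this ChangeLog entry points at a live third-party site (http://www.speckproducts.com) rather than a checked-in regression test, so nothing under LayoutTests/ will catch this use-after-free if it regresses, and the repro disappears the moment that site changes its fonts or markup. A reduced test that loads an SVG document (e.g. via an SVG font or an SVG image referenced from a stylesheet) while a font load is pending, and then forces layout, belongs alongside this fix; if the reduction genuinely is not possible yet, the entry should say so and reference the bug so the missing test is tracked.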
index b7cfa317888053a78eec051ea0d9bf7024235294..f859dea729300b9b1dedb868b32ba13bec748ce5 100644 (file)
@@ -1899,16 +1899,24 @@ void Document::updateStyleForAllDocuments()
 void Document::updateLayout()
 {
     ASSERT(isMainThread());
 void Document::updateLayout()
 {
     ASSERT(isMainThread());
+
+    FrameView* frameView = view();
+    if (frameView && frameView->isInLayout()) {
+        // View layout should not be re-entrant.
+        ASSERT_NOT_REACHED();
+        return;
+    }
+
     if (Element* oe = ownerElement())
         oe->document()->updateLayout();
 
     updateStyleIfNeeded();
 
     StackStats::LayoutCheckPoint layoutCheckPoint;
     if (Element* oe = ownerElement())
         oe->document()->updateLayout();
 
     updateStyleIfNeeded();
 
     StackStats::LayoutCheckPoint layoutCheckPoint;
+
     // Only do a layout if changes have occurred that make it necessary.      
     // Only do a layout if changes have occurred that make it necessary.      
-    FrameView* v = view();
-    if (v && renderer() && (v->layoutPending() || renderer()->needsLayout()))
-        v->layout();
+    if (frameView && renderer() && (frameView->layoutPending() || renderer()->needsLayout()))
+        frameView->layout();
 }
 
 // FIXME: This is a bad idea and needs to be removed eventually.
 }
 
 // FIXME: This is a bad idea and needs to be removed eventually.
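Review bot: `FrameView* frameView = view();` is now fetched at the top of `updateLayout()` and reused at the bottom, but in between the function calls `oe->document()->updateLayout()` on the owner document and `updateStyleIfNeeded()`, both of which can run arbitrary work (this very bug is a layout re-entered from a resource load), and the old code deliberately read `view()` only after those calls. If either of them detaches or replaces this frame's view, `frameView->layoutPending()` / `frameView->layout()` dereference a stale pointer. Either re-fetch `view()` after `updateStyleIfNeeded()` for the final check, or add a comment explaining why the view cannot change across those calls. Separately, the new guard is debug-only in effect: `ASSERT_NOT_REACHED()` compiles out in release builds, so release callers of `updateLayout()` silently get no style update and no layout when re-entered; the comment "View layout should not be re-entrant." should state that silently skipping is the intended release behaviour, since callers that then read renderer geometry will see stale values rather than a crash.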