Google Git
Sign in
chromium / external / WebKit_trimmed / a4e82c80b0125d18ca875f9b8e85cd8f1ab5bb4f
commita4e82c80b0125d18ca875f9b8e85cd8f1ab5bb4f[log] [tgz]
authorzoltan@webkit.org <zoltan@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Tue May 14 20:09:17 2013
committerzoltan@webkit.org <zoltan@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Tue May 14 20:09:17 2013
treeaa71ea1259d336e1dfeb76b8f8a24c59154be9af
parentf710b92ed38f8046e10d5ce5627499e9e7a2db6d [diff]
Heap-use-after-free in WebCore::RenderBox::exclusionShapeOutsideInfo
https://bugs.webkit.org/show_bug.cgi?id=115566

Patch by Bem Jones-Bey <bjonesbe@adobe.com> on 2013-05-14
Reviewed by David Hyatt.

Source/WebCore:

When a portion of the render tree is being detached, anonymous blocks
will be combined as their children are deleted. In this process, the
anonymous block later in the tree is merged into the one preceeding it.
It can happen that the later block contains floats that the previous
block did not contain, and thus are not in the floating objects list for
the new block. This can result in the new block containing floats that
are not in it's floating objects list, but are in the floating objects
lists of siblings and parents. This can cause problems when the float
itself is deleted, since the deletion code assumes that if a float is not
in it's containing block's floating objects list, it isn't in any
floating objects list, causing dangling pointers in the floating objects
lists of the siblings and parents. In order to preserve this condition
(removing it has serious performance implications), we need to copy the
floating objects from the old block to the new block.  The float's
metrics will likely all be wrong, but since the new block is already
marked for layout, this will get fixed before anything gets displayed.

Test: fast/block/float/float-append-child-crash.html

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::moveAllChildrenIncludingFloatsTo): Copy
    floating objects list in addition to children.
(WebCore::RenderBlock::FloatingObject::clone): Added.
(WebCore::RenderBlock::removeChild): Use new method to copy children.
* rendering/RenderBlock.h:
(RenderBlock): Add method.

LayoutTests:

Cleaned up test from the fuzzer. Will only crash if run under a memory
checking tool like ASAN.

* fast/block/float/float-append-child-crash-expected.txt: Added.
* fast/block/float/float-append-child-crash.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@150084 268f45cc-cd09-0410-ab3c-d52691b4dbfc
6 files changed
tree: aa71ea1259d336e1dfeb76b8f8a24c59154be9af
  1. Examples/
  2. LayoutTests/
  3. ManualTests/
  4. PerformanceTests/
  5. Source/
  6. Tools/
  7. WebKit.xcworkspace/
  8. WebKitLibraries/
  9. Websites/
  10. .dir-locals.el
  11. .gitattributes
  12. .gitignore
  13. .qmake.conf
  14. autogen.sh
  15. ChangeLog
  16. ChangeLog-2012-05-22
  17. CMakeLists.txt
  18. configure.ac
  19. GNUmakefile.am
  20. Makefile
  21. Makefile.shared
  22. WebKit.pro