| author | Allan Sandfeld Jensen <allan.jensen@theqtcompany.com> | 2016-07-26 13:49:33 +0200 |
|---|---|---|
| committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2016-08-10 12:23:19 +0000 |
| commit | 646adb5fccd488b19b97e18a07142b9c62f7b1a1 (patch) | |
| tree | e4a68ab262a0ae6678b7a452664a5431e46330b6 | |
| parent | 4524aa8c2598db247885cf52359713c65b728a53 (diff) | |
| download | qtwebengine-chromium-646adb5fccd488b19b97e18a07142b9c62f7b1a1.tar.gz | |
[Backport] Make previousLinePosition() not use dangling RootInlineBox
This patch makes |previousLinePosition()| not use a dangling |RootInlineBox|
pointer, to avoid a use-after-free.
Before this patch, |isEditablePosition()| was called with the |DoUpdateStyle|
parameter to update the layout tree if needed. Usually, the layout tree isn't updated
by this |isEditablePosition()| call, since |previousLinePosition()| updates the
layout tree at entry. However, if there are pending style sheets, e.g. an @import
directive, and HTML imports, e.g. link rel=import, the layout tree is updated since the
document isn't rendering-ready, i.e. |haveImportLoaded()| &&
|haveRenderBlockingStyleSheetsLoaded()|.
BUG=618237
TEST=LayoutTests/editing/selection/modify_move/move_backward_line_import_crash.html
Committed: https://crrev.com/fb81c66590538c2487a34b8623066a22d0b27dff
Review-Url: https://codereview.chromium.org/2082893005
Cr-Original-Commit-Position: refs/heads/master@{#401231}
Cr-Commit-Position: refs/heads/master@{#401581}
(cherry picked from commit e9c943f368d15bbfe414aedf5e001792257f3eeb)
Review URL: https://codereview.chromium.org/2149913003
(CVE-2016-5127)
Change-Id: Id64821526b26d8268ecd2585279cbec6f2c5a1c5
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
| -rw-r--r-- | chromium/third_party/WebKit/Source/core/editing/VisibleUnits.cpp | 2 |
1 file changed, 1 insertion, 1 deletion
diff --git a/chromium/third_party/WebKit/Source/core/editing/VisibleUnits.cpp b/chromium/third_party/WebKit/Source/core/editing/VisibleUnits.cpp index 4dc8164f256..cc442011d10 100644 --- a/chromium/third_party/WebKit/Source/core/editing/VisibleUnits.cpp +++ b/chromium/third_party/WebKit/Source/core/editing/VisibleUnits.cpp @@ -997,7 +997,7 @@ VisiblePosition previousLinePosition(const VisiblePosition &visiblePosition, Lay if (root) { // FIXME: Can be wrong for multi-column layout and with transforms. LayoutPoint pointInLine = absoluteLineDirectionPointToLocalPointInBlock(root, lineDirectionPoint); - LayoutObject& layoutObject = root->closestLeafChildForPoint(pointInLine, isEditablePosition(p))->layoutObject(); + LayoutObject& layoutObject = root->closestLeafChildForPoint(pointInLine, isEditablePosition(p, ContentIsEditable, DoNotUpdateStyle))->layoutObject(); Node* node = layoutObject.node(); if (node && editingIgnoresContent(node)) return VisiblePosition(positionInParentBeforeNode(*node)); |
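Review bot: the changed line in the previousLinePosition() hunk is only safe because `root` was obtained under the assumption that no further style or layout update happens before `closestLeafChildForPoint()` is called, and nothing at the call site records that invariant. The new call `isEditablePosition(p, ContentIsEditable, DoNotUpdateStyle)` silently depends on the layout tree already being clean from the update at function entry described in the commit message; please add a short comment next to it stating that style must not be updated here because `root` would otherwise be freed, and consider asserting that the document has no pending layout tree update at this point, so a future change that reintroduces the updating variant is caught in debug builds rather than reappearing as a use-after-free. The `// FIXME: Can be wrong for multi-column layout and with transforms.` context line above it is unrelated to this fix and can stay as-is.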
