diff options
| author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-10-17 11:53:05 +0200 |
|---|---|---|
| committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-10-21 08:14:29 +0000 |
| commit | 729e9b30bbf2f70b2a37ba313d6e2655ee0cf4e0 (patch) | |
| tree | d2bd938eb4d80da7dd0518440a8cc85a713dbbbd | |
| parent | 9e3becc64121024e092d03d869886ac2c3619d79 (diff) | |
| download | qtwebengine-chromium-729e9b30bbf2f70b2a37ba313d6e2655ee0cf4e0.tar.gz | |
[Backport] Security issue 981459
Don't assume HTMLFrameOwnerElement::GetLayoutObject is LayoutEmbeddedContent
The comment above HTMLFrameOwnerElement::GetLayoutEmbeddedContent()
says:
// Most subclasses use LayoutEmbeddedContent (either LayoutEmbeddedObject or
// LayoutIFrame) except for HTMLObjectElement and HTMLEmbedElement which may
// return any LayoutObject when using fallback content.
LayoutEmbeddedContent* GetLayoutEmbeddedContent() const;
No new test because I couldn't reproduce the bug locally, but I believe this
will fix the clusterfuzz bug.
Bug: 981459
Change-Id: I3ecf8022111dc25a2e862c0311ffa56467d18c2e
Reviewed-by: Philip Rogers <pdr@chromium.org>
Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#675712}
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
| -rw-r--r-- | chromium/third_party/blink/renderer/core/html/html_frame_owner_element.cc | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/chromium/third_party/blink/renderer/core/html/html_frame_owner_element.cc b/chromium/third_party/blink/renderer/core/html/html_frame_owner_element.cc index 9eb9c7c7c9d..d0b13e03981 100644 --- a/chromium/third_party/blink/renderer/core/html/html_frame_owner_element.cc +++ b/chromium/third_party/blink/renderer/core/html/html_frame_owner_element.cc @@ -309,8 +309,7 @@ void HTMLFrameOwnerElement::SetEmbeddedContentView( GetDocument().GetRootScrollerController().DidUpdateIFrameFrameView(*this); - LayoutEmbeddedContent* layout_embedded_content = - ToLayoutEmbeddedContent(GetLayoutObject()); + LayoutEmbeddedContent* layout_embedded_content = GetLayoutEmbeddedContent(); if (!layout_embedded_content) return; @@ -337,8 +336,7 @@ EmbeddedContentView* HTMLFrameOwnerElement::ReleaseEmbeddedContentView() { return nullptr; if (embedded_content_view_->IsAttached()) embedded_content_view_->DetachFromLayout(); - LayoutEmbeddedContent* layout_embedded_content = - ToLayoutEmbeddedContent(GetLayoutObject()); + LayoutEmbeddedContent* layout_embedded_content = GetLayoutEmbeddedContent(); if (layout_embedded_content) { if (AXObjectCache* cache = GetDocument().ExistingAXObjectCache()) cache->ChildrenChanged(layout_embedded_content); |