authorRune Lillesveen <futhark@chromium.org>2020-01-15 16:16:49 +0100
committerMichael Brüning <michael.bruning@qt.io>2020-01-16 09:06:35 +0000
commit545b591cee68f3a880e53fed1f87a7b63d6225d7 (patch)
tree16b8db702b359ab97f53adec9aa36c9a5019c196
parent5ca9a877b4b20bc88b1dc4badd1733c813def845 (diff)
[Backport] Security bug 1027905
Backport of patch: Do not generate layout boxes for non-rendered foreignObject. This change effectively re-introduces the code from [1] but only lets it affect layout tree building, not style computation, which was the reason why the code was removed in the first place. This also fixes the resolved style for width/height returned from getComputedStyle() to return 'auto' for a computed value of 'auto'. This matches the Firefox behavior. [1] https://chromium-review.googlesource.com/c/chromium/src/+/1070137 (cherry picked from commit 1d1d6aac6bb169e788c9c081f655e85fe67f2e9f) Bug: 1027905 Change-Id: I70e01302ce8b995ee89db2d6c20eb676e1f479e8 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/core/svg/svg_foreign_object_element.cc15
1 files changed, 15 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/core/svg/svg_foreign_object_element.cc b/chromium/third_party/blink/renderer/core/svg/svg_foreign_object_element.cc
index a912b47f3d6..683474c9d87 100644
--- a/chromium/third_party/blink/renderer/core/svg/svg_foreign_object_element.cc
+++ b/chromium/third_party/blink/renderer/core/svg/svg_foreign_object_element.cc
@@ -124,6 +124,21 @@ void SVGForeignObjectElement::SvgAttributeChanged(
LayoutObject* SVGForeignObjectElement::CreateLayoutObject(const ComputedStyle&,
LegacyLayout) {
+ // Suppress foreignObject LayoutObjects in SVG hidden containers.
+ // LayoutSVGHiddenContainers does not allow the subtree to be rendered, but
+ // allow LayoutObject descendants to be created. That will causes crashes in
+ // the layout code if object creation is not inhibited for foreignObject
+ // subtrees (https://crbug.com/1027905).
+ // Note that we currently do not support foreignObject instantiation via
+ // <use>, and attachShadow is not allowed on SVG elements, hence it is safe to
+ // use parentElement() here.
+ for (Element* ancestor = parentElement();
+ ancestor && ancestor->IsSVGElement();
+ ancestor = ancestor->parentElement()) {
+ if (ancestor->GetLayoutObject() &&
+ ancestor->GetLayoutObject()->IsSVGHiddenContainer())
+ return nullptr;
+ }
return new LayoutSVGForeignObject(this);
}
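Review bot: The backport lands the crash fix without any regression coverage — the diffstat lists only svg_foreign_object_element.cc, so whatever web test accompanied the upstream change for crbug.com/1027905 is not carried along; if this tree runs Blink web tests, cherry-picking that test alongside the fix would keep the hidden-container case from silently regressing. The ancestor walk also relies on each SVG ancestor's LayoutObject already existing when the child's CreateLayoutObject runs (top-down attach), which the comment does not state; a short sentence such as `// Ancestors are attached before descendants, so their LayoutObjects are available here.` would make that ordering assumption explicit. Finally, the comment block has wording slips worth tidying: `// LayoutSVGHiddenContainer does not allow the subtree to be rendered, but` / `// does allow LayoutObject descendants to be created. That causes crashes in` instead of "LayoutSVGHiddenContainers does not allow … That will causes crashes in".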