diff options
| author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2020-08-31 12:16:05 +0200 |
|---|---|---|
| committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2020-08-31 10:38:58 +0000 |
| commit | dabae54d81d96768c355fd3e1671e48340bf906f (patch) | |
| tree | 047034fec8f4652e6eaa0f8468fdbdfe134073ca | |
| parent | 2b707f254864f9fdfbe68527f01fa9aad016c431 (diff) | |
| download | qtwebengine-chromium-dabae54d81d96768c355fd3e1671e48340bf906f.tar.gz | |
[Backport] Security issue 1102137
Remove anonymous block wrapper when inline continuation is removed.
Keeping empty anonymous blocks around is bad. The only known actual
problem is in multicol (but it may cause other issues too). Based on the
layout object tree, multicol creates anonymous LayoutMultiColumnSet and
LayoutMultiColumnSpannerPlaceholder objects, to keep track of what is
regular column content and what are spanners. Leaving a
LayoutMultiColumnSet around just for the sake of an empty anonymous
block (which may get cleaned up without notifying the multicol code)
will confuse multicol layout.
(cherry picked from commit 48919b7a63545c092d11d2424cb4058ffa0ef7c3)
Bug: 1102137
Change-Id: Ibfb46d0dc173ecfdb2e7903efee5a49de3da3ff3
Commit-Queue: Morten Stenshorne <mstensho@chromium.org>
Reviewed-by: Ian Kilpatrick <ikilpatrick@chromium.org>
Reviewed-by: Rune Lillesveen <futhark@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#786197}
Commit-Queue: Ian Kilpatrick <ikilpatrick@chromium.org>
Cr-Commit-Position: refs/branch-heads/4183@{#658}
Cr-Branched-From: 740e9e8a40505392ba5c8e022a8024b3d018ca65-refs/heads/master@{#782793}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| -rw-r--r-- | chromium/third_party/blink/renderer/core/layout/layout_object.cc | 23 |
1 files changed, 20 insertions, 3 deletions
diff --git a/chromium/third_party/blink/renderer/core/layout/layout_object.cc b/chromium/third_party/blink/renderer/core/layout/layout_object.cc index a8574b15657..307ea18aa2a 100644 --- a/chromium/third_party/blink/renderer/core/layout/layout_object.cc +++ b/chromium/third_party/blink/renderer/core/layout/layout_object.cc @@ -3276,9 +3276,26 @@ void LayoutObject::DestroyAndCleanupAnonymousWrappers() { if (destroy_root_parent->IsLayoutFlowThread()) break; - if (destroy_root->PreviousSibling() || destroy_root->NextSibling()) - break; // Need to keep the anonymous parent, since it won't become empty - // by the removal of this LayoutObject. + // We need to keep the anonymous parent, if it won't become empty by the + // removal of this LayoutObject. + if (destroy_root->PreviousSibling()) + break; + if (const LayoutObject* sibling = destroy_root->NextSibling()) { + if (destroy_root->GetNode()) { + // When there are inline continuations, there may be multiple layout + // objects generated from the same node, and those are special. They + // will be removed as part of destroying |this|, in + // LayoutInline::WillBeDestroyed(). So if that's all we have left, we + // need to realize now that the anonymous containing block will become + // empty. So we have to destroy it. + while (sibling && sibling->GetNode() == destroy_root->GetNode()) + sibling = sibling->NextSibling(); + } + if (sibling) + break; + DCHECK(destroy_root->IsLayoutInline()); + DCHECK(ToLayoutInline(destroy_root)->Continuation()); + } } destroy_root->Destroy(); |