[Backport] Fix for CVE-2019-5757

Fix SVG crash for v0 distribution into foreignObject. We require a parent element to be an SVG element for non-svg-root elements in order to create a LayoutObject for them. However, we checked the light tree parent element, not the flat tree one which is the parent for the layout tree construction. Note that this is just an issue in Shadow DOM v0 since v1 does not allow shadow roots on SVG elements. Bug: 915469 Change-Id: Id81843abad08814fae747b5bc81c09666583f130 Reviewed-on: https://chromium-review.googlesource.com/c/1382494 Reviewed-by: Fredrik Söderquist <fs@opera.com> Commit-Queue: Rune Lillesveen <futhark@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#617487}(cherry picked from commit 032c3339bfb454c65ce38e7eafe49a54bac83073) Reviewed-on: https://chromium-review.googlesource.com/c/1387454 Reviewed-by: Rune Lillesveen <futhark@chromium.org> Cr-Commit-Position: refs/branch-heads/3626@{#491} Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
author: Allan Sandfeld Jensen <allan.jensen@qt.io> 2019-02-01 15:46:05 +0100
committer: Allan Sandfeld Jensen <allan.jensen@qt.io> 2019-02-04 10:11:51 +0000
commit: 6605d8f7b4309a1a29c0e5eb275c5f131898fd7d (patch)
tree: 3c5715b7643ffd79436e14a9ca6ee39c786f0d51
parent: 09ae6be5bb839612512e36f455bae0a694e8863b (diff)
download: qtwebengine-chromium-6605d8f7b4309a1a29c0e5eb275c5f131898fd7d.tar.gz
1 files changed, 3 insertions, 4 deletions
diff --git a/chromium/third_party/blink/renderer/core/svg/svg_element.cc b/chromium/third_party/blink/renderer/core/svg/svg_element.cc
index e9a1fd9dd0e..6af7df47e35 100644
--- a/chromium/third_party/blink/renderer/core/svg/svg_element.cc
+++ b/chromium/third_party/blink/renderer/core/svg/svg_element.cc
@@ -37,6 +37,7 @@
 #include "third_party/blink/renderer/core/dom/document.h"
 #include "third_party/blink/renderer/core/dom/element_traversal.h"
 #include "third_party/blink/renderer/core/dom/events/event.h"
+#include "third_party/blink/renderer/core/dom/flat_tree_traversal.h"
 #include "third_party/blink/renderer/core/dom/node_computed_style.h"
 #include "third_party/blink/renderer/core/dom/shadow_root.h"
 #include "third_party/blink/renderer/core/frame/csp/content_security_policy.h"
@@ -1047,10 +1048,8 @@ bool SVGElement::LayoutObjectIsNeeded(const ComputedStyle& style) const {
 }
 
 bool SVGElement::HasSVGParent() const {
-  // Should we use the flat tree parent instead? If so, we should probably fix a
-  // few other checks.
-  return ParentOrShadowHostElement() &&
-         ParentOrShadowHostElement()->IsSVGElement();
+  Element* parent = FlatTreeTraversal::ParentElement(*this);
+  return parent && parent->IsSVGElement();
 }
 
 MutableCSSPropertyValueSet* SVGElement::AnimatedSMILStyleProperties() const {
author	Allan Sandfeld Jensen <allan.jensen@qt.io>	2019-02-01 15:46:05 +0100
committer	Allan Sandfeld Jensen <allan.jensen@qt.io>	2019-02-04 10:11:51 +0000
commit	6605d8f7b4309a1a29c0e5eb275c5f131898fd7d (patch)
tree	3c5715b7643ffd79436e14a9ca6ee39c786f0d51
parent	09ae6be5bb839612512e36f455bae0a694e8863b (diff)
download	qtwebengine-chromium-6605d8f7b4309a1a29c0e5eb275c5f131898fd7d.tar.gz