-rw-r--r-- | chromium/third_party/blink/renderer/core/svg/svg_foreign_object_element.cc | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/core/svg/svg_foreign_object_element.cc b/chromium/third_party/blink/renderer/core/svg/svg_foreign_object_element.cc
index a912b47f3d6..683474c9d87 100644
--- a/chromium/third_party/blink/renderer/core/svg/svg_foreign_object_element.cc
+++ b/chromium/third_party/blink/renderer/core/svg/svg_foreign_object_element.cc
@@ -124,6 +124,21 @@ void SVGForeignObjectElement::SvgAttributeChanged(
 LayoutObject* SVGForeignObjectElement::CreateLayoutObject(const ComputedStyle&, LegacyLayout) {
+ // Suppress foreignObject LayoutObjects in SVG hidden containers.
+ // LayoutSVGHiddenContainers does not allow the subtree to be rendered, but
+ // allow LayoutObject descendants to be created. That will causes crashes in
+ // the layout code if object creation is not inhibited for foreignObject
+ // subtrees (https://crbug.com/1027905).
+ // Note that we currently do not support foreignObject instantiation via
+ // <use>, and attachShadow is not allowed on SVG elements, hence it is safe to
+ // use parentElement() here.
+ for (Element* ancestor = parentElement();
+ ancestor && ancestor->IsSVGElement();
+ ancestor = ancestor->parentElement()) {
+ if (ancestor->GetLayoutObject() &&
+ ancestor->GetLayoutObject()->IsSVGHiddenContainer())
+ return nullptr;
+ }
 return new LayoutSVGForeignObject(this);
 } |
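Review bot: The new guard in CreateLayoutObject is only sound while the assumption in its comment holds (no foreignObject instantiation via <use>, no attachShadow on SVG elements), and nothing in the code enforces that: the `parentElement()` walk ends at the first null or non-SVG parent, so it presumably would not see a hidden container on the far side of a shadow boundary. If either restriction is lifted later, the layout crash tracked in crbug.com/1027905 could come back unnoticed, so consider a flat-tree walk such as `ancestor = FlatTreeTraversal::ParentElement(*ancestor)`, or at least a regression test that pins the assumption. As a smaller style point, hoist the repeated lookup into `const LayoutObject* layout_object = ancestor->GetLayoutObject();` and put braces around the multi-line `if`. The comment also needs a wording pass ("but allow" should be "but allows", "will causes" should be "will cause").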