From 6605d8f7b4309a1a29c0e5eb275c5f131898fd7d Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen
Date: Fri, 1 Feb 2019 15:46:05 +0100
Subject: [Backport] Fix for CVE-2019-5757
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fix SVG crash for v0 distribution into foreignObject. We require a parent element to be an SVG element for non-svg-root elements in order to create a LayoutObject for them. However, we checked the light tree parent element, not the flat tree one which is the parent for the layout tree construction. Note that this is just an issue in Shadow DOM v0 since v1 does not allow shadow roots on SVG elements. Bug: 915469 Change-Id: Id81843abad08814fae747b5bc81c09666583f130 Reviewed-on: https://chromium-review.googlesource.com/c/1382494 Reviewed-by: Fredrik Söderquist Commit-Queue: Rune Lillesveen Cr-Original-Commit-Position: refs/heads/master@{#617487}(cherry picked from commit 032c3339bfb454c65ce38e7eafe49a54bac83073) Reviewed-on: https://chromium-review.googlesource.com/c/1387454 Reviewed-by: Rune Lillesveen Cr-Commit-Position: refs/branch-heads/3626@{#491} Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437} Reviewed-by: Michal Klocek
---
 chromium/third_party/blink/renderer/core/svg/svg_element.cc | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/chromium/third_party/blink/renderer/core/svg/svg_element.cc b/chromium/third_party/blink/renderer/core/svg/svg_element.cc
index e9a1fd9dd0e..6af7df47e35 100644
--- a/chromium/third_party/blink/renderer/core/svg/svg_element.cc
+++ b/chromium/third_party/blink/renderer/core/svg/svg_element.cc
@@ -37,6 +37,7 @@
 #include "third_party/blink/renderer/core/dom/document.h"
 #include "third_party/blink/renderer/core/dom/element_traversal.h"
 #include "third_party/blink/renderer/core/dom/events/event.h"
+#include "third_party/blink/renderer/core/dom/flat_tree_traversal.h"
 #include "third_party/blink/renderer/core/dom/node_computed_style.h"
 #include "third_party/blink/renderer/core/dom/shadow_root.h"
 #include "third_party/blink/renderer/core/frame/csp/content_security_policy.h"
@@ -1047,10 +1048,8 @@ bool SVGElement::LayoutObjectIsNeeded(const ComputedStyle& style) const {
 }
 
 bool SVGElement::HasSVGParent() const {
-  // Should we use the flat tree parent instead? If so, we should probably fix a
-  // few other checks.
-  return ParentOrShadowHostElement() &&
-         ParentOrShadowHostElement()->IsSVGElement();
+  Element* parent = FlatTreeTraversal::ParentElement(*this);
+  return parent && parent->IsSVGElement();
 }
 
 MutableCSSPropertyValueSet* SVGElement::AnimatedSMILStyleProperties() const {
-- 
cgit v1.2.1
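Review bot: The new body of HasSVGParent carries no explanation of why the flat tree parent is the correct one, so a reader sees a plain parent check with no hint that the previous light tree lookup (ParentOrShadowHostElement()) gave the wrong answer for Shadow DOM v0 distribution into foreignObject and led to the crash this commit fixes; a one-line comment such as `// Use the flat tree parent: under Shadow DOM v0 distribution it is the layout-tree parent, which the light tree parent is not (bug 915469).` keeps that context next to the code. The removed comment also recorded that "a few other checks" probably need the same treatment, and that hint is lost with the change; a `// TODO` naming the remaining ParentOrShadowHostElement()-based checks, or a pointer to the bug, would help whoever audits them later. Only the closing brace of LayoutObjectIsNeeded is inside the hunk, so whether it or other callers still rely on the light tree parent cannot be told from here.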