| author | Michal Klocek <michal.klocek@qt.io> | 2017-07-18 13:33:07 +0200 |
|---|---|---|
| committer | Michal Klocek <michal.klocek@qt.io> | 2017-07-19 11:04:16 +0000 |
| commit | 2c15cc053c4bbb8a3ad3bf9b52c0502cd0a632f8 (patch) | |
| tree | 7e34ef7fe0671ffeec194573c63b4f994cf9b66c | |
| parent | 953ac71439e9612440bc78d29ad799aa23bd5b49 (diff) | |
[Backport] CVE-2017-5052
Search the entire subtree when looking for the end of an inline continuation chain.
Inlines may be nested, so we may not find the last inline in the chain as a
direct child of the anonymous blocks. We need to search the entire subtree.
Don't do this with anonymous blocks that wrap block children (the block-level
DOM children of the inline-level objects), though. We're not going to find
anything interesting there.
This fix is speculative; the original bug report didn't come with a test case.
BUG=662767
Review-Url: https://codereview.chromium.org/2738503004
Cr-Commit-Position: refs/heads/master@{#455420}
(cherry picked from commit e72c8c06b956706b54648589f807086d17340831)
Review-Url: https://codereview.chromium.org/2769703003 .
Cr-Commit-Position: refs/branch-heads/2987@{#862}
Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}
Change-Id: Ia89df9909da88b8891ae89fc18ffdc9d042c8eaa
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/WebKit/Source/core/layout/LayoutInline.cpp | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/chromium/third_party/WebKit/Source/core/layout/LayoutInline.cpp b/chromium/third_party/WebKit/Source/core/layout/LayoutInline.cpp index 618a4ed3f0e..665b1e1b69c 100644 --- a/chromium/third_party/WebKit/Source/core/layout/LayoutInline.cpp +++ b/chromium/third_party/WebKit/Source/core/layout/LayoutInline.cpp @@ -1029,11 +1029,18 @@ LayoutRect LayoutInline::absoluteClippedOverflowRect() const endContinuation = nextContinuation; for (LayoutBlock* currBlock = containingBlock(); currBlock && currBlock->isAnonymousBlock(); currBlock = toLayoutBlock(currBlock->nextSibling())) { + bool walkChildrenOnly = !currBlock->childrenInline(); for (LayoutObject* curr = currBlock->firstChild(); curr; curr = curr->nextSibling()) { LayoutRect rect(curr->clippedOverflowRectForPaintInvalidation(view())); context(FloatRect(rect)); - if (curr == endContinuation) + if (walkChildrenOnly) + continue; + for (LayoutObject* walker = curr; walker; + walker = walker->nextInPreOrder(curr)) { + if (walker != endContinuation) + continue; return LayoutRect(enclosingIntRect(floatResult)); + } } } return LayoutRect(); |
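Review bot: the `if (walkChildrenOnly) continue;` placed ahead of the pre-order walk removes the direct `curr == endContinuation` comparison that the deleted line performed for every child, so for an anonymous block whose children are not inline this loop can no longer match `endContinuation` at all and falls through to `return LayoutRect();`. The commit message argues nothing interesting lives under those blocks, but if `endContinuation` can ever be a direct child of such a block the old code returned the accumulated rect where the new code returns an empty one; keeping the cheap direct check before the skip, i.e. `if (curr == endContinuation) return LayoutRect(enclosingIntRect(floatResult));` followed by `if (walkChildrenOnly) continue;`, would make the change strictly additive to the previous behaviour. Two smaller points: `walkChildrenOnly` reads as the opposite of what it gates (it is true exactly when the subtree walk is skipped), so a name such as `skipSubtreeSearch` would be clearer; and since the message states the fix is speculative with no test case, a layout test with nested inline continuations would be worth adding so the case the pre-order walk is meant to catch is actually exercised.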