[Backport] Fix for CVE-2017-5059

Check isText() when editing traverses layout tree for ::first-letter This patch checks isText() before toLayoutText() when editing traverses layout trees for ::first-letter pseudo elements. Normally, the first child of ::first-letter pseudo element is LayoutText. This patch checks if the assumption stands. BUG=684684 Change-Id: If883e1a575093328c28ce73239e00b23bbbde1e3 Review-Url: https://codereview.chromium.org/2650953004 Cr-Commit-Position: refs/heads/master@{#445986} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
author: Allan Sandfeld Jensen <allan.jensen@qt.io> 2017-05-12 13:55:28 +0200
committer: Alexandru Croitor <alexandru.croitor@qt.io> 2017-07-12 09:42:30 +0000
commit: 953ac71439e9612440bc78d29ad799aa23bd5b49 (patch)
tree: cae2dc34ae0a1a141f7251dd0104b646c39ff128
parent: 53f8c20ce3b721217776ed284a1512af95336d60 (diff)
2 files changed, 7 insertions, 5 deletions
diff --git a/chromium/third_party/WebKit/Source/core/editing/VisibleUnits.cpp b/chromium/third_party/WebKit/Source/core/editing/VisibleUnits.cpp
index b87054b191e..d5a1c3bbfb8 100644
--- a/chromium/third_party/WebKit/Source/core/editing/VisibleUnits.cpp
+++ b/chromium/third_party/WebKit/Source/core/editing/VisibleUnits.cpp
@@ -2186,8 +2186,10 @@ static LayoutObject* associatedLayoutObjectOf(const Node& node, int offsetInNode
             return nullptr;
         // TODO(yosin): We're not sure when |firstLetterLayoutObject| has
         // multiple child layout object.
-        ASSERT(firstLetterLayoutObject->slowFirstChild() == firstLetterLayoutObject->slowLastChild());
-        return firstLetterLayoutObject->slowFirstChild();
+        LayoutObject* child = firstLetterLayoutObject->slowFirstChild();
+        RELEASE_ASSERT(child && child->isText());
+        ASSERT(child ==  firstLetterLayoutObject->slowLastChild());
+        return child;
     }
     // TODO(yosin): We should rename |LayoutTextFramge::length()| instead of
     // |end()|, once |LayoutTextFramge| has it. See http://crbug.com/545789
diff --git a/chromium/third_party/WebKit/Source/core/editing/iterators/TextIterator.cpp b/chromium/third_party/WebKit/Source/core/editing/iterators/TextIterator.cpp
index 1b85ca7430b..83102a420dd 100644
--- a/chromium/third_party/WebKit/Source/core/editing/iterators/TextIterator.cpp
+++ b/chromium/third_party/WebKit/Source/core/editing/iterators/TextIterator.cpp
@@ -633,12 +633,12 @@ void TextIteratorAlgorithm<Strategy>::handleTextNodeFirstLetter(LayoutTextFragme
         return;
 
     LayoutObject* firstLetter = pseudoLayoutObject->slowFirstChild();
-    ASSERT(firstLetter);
 
-    m_remainingTextBox = m_textBox;
-    m_textBox = toLayoutText(firstLetter)->firstTextBox();
     m_sortedTextBoxes.clear();
+    m_remainingTextBox = m_textBox;
+    ASSERT(firstLetter && firstLetter->isText());
     m_firstLetterText = toLayoutText(firstLetter);
+    m_textBox = m_firstLetterText->firstTextBox();
 }
 
 template<typename Strategy>
author	Allan Sandfeld Jensen <allan.jensen@qt.io>	2017-05-12 13:55:28 +0200
committer	Alexandru Croitor <alexandru.croitor@qt.io>	2017-07-12 09:42:30 +0000
commit	953ac71439e9612440bc78d29ad799aa23bd5b49 (patch)
tree	cae2dc34ae0a1a141f7251dd0104b646c39ff128
parent	53f8c20ce3b721217776ed284a1512af95336d60 (diff)