authorMichal Klocek <michal.klocek@qt.io>2018-06-05 16:54:12 +0200
committerMichal Klocek <michal.klocek@qt.io>2018-06-06 10:08:21 +0000
commit769be6e7ec66de81c807a1afd4335ed82b8e678d (patch)
treed88d11ebbe3b6aeba1b913f1ab49bab57f878ec0
parent9a660be58f3e46e45351b2edd790b897bf1772a0 (diff)
[Backport] CVE-2018-6137
[PaintWorklet] Do not paint when paint target is associated with a link When the target element of a paint worklet has an associated link, then the 'paint' function will be invoked when the link's href is changed from a visited URL to an unvisited URL (or vice versa). This CL changes the behavior by detecting whether the target element of a paint worklet has an associated link or not. If it does, then don't paint. Bug: 835589 Reviewed-on: https://chromium-review.googlesource.com/1035524 Change-Id: I13d0f23c64eb8c27f1e7d8aba5a05f1b88f63214 Reviewed-by: Kai Koehne <kai.koehne@qt.io>
-rw-r--r--chromium/third_party/WebKit/Source/core/css/CSSPaintValue.cpp7
-rw-r--r--chromium/third_party/WebKit/Source/core/style/ComputedStyle.cpp5
2 files changed, 11 insertions, 1 deletions
diff --git a/chromium/third_party/WebKit/Source/core/css/CSSPaintValue.cpp b/chromium/third_party/WebKit/Source/core/css/CSSPaintValue.cpp
index 85933ca5672..b61e0634b5a 100644
--- a/chromium/third_party/WebKit/Source/core/css/CSSPaintValue.cpp
+++ b/chromium/third_party/WebKit/Source/core/css/CSSPaintValue.cpp
@@ -46,8 +46,13 @@ String CSSPaintValue::GetName() const {
scoped_refptr<Image> CSSPaintValue::GetImage(
const ImageResourceObserver& client,
const Document& document,
- const ComputedStyle&,
+ const ComputedStyle& style,
const LayoutSize& container_size) {
+ // https://crbug.com/835589: early exit when paint target is associated with
+ // a link.
+ if (style.InsideLink() != EInsideLink::kNotInsideLink)
+ return nullptr;
+
if (!generator_) {
generator_ = CSSPaintImageGenerator::Create(
GetName(), document, paint_image_generator_observer_);
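Review bot: The comment on the new early exit in GetImage cites only the bug number; it should state the reason so the guard is not "simplified" away later — without it the paint callback would be invoked when the link's href flips between a visited and an unvisited URL, which exposes :visited state to script. Suggested wording: `// https://crbug.com/835589: a paint worklet must not observe :visited state, so skip painting when the target element is inside a link.` Returning nullptr here also means no generator_ is ever created for such elements, so every caller of GetImage has to tolerate a null image; worth confirming that this was already the contract rather than a new case. The same condition is repeated in ComputedStyle::DiffNeedsPaintInvalidationObjectForPaintImage in the second hunk (whose function continues past the end of the page); a single named helper on ComputedStyle would keep the two checks in step if the link-detection rule ever changes.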
diff --git a/chromium/third_party/WebKit/Source/core/style/ComputedStyle.cpp b/chromium/third_party/WebKit/Source/core/style/ComputedStyle.cpp
index 5f03be0c56d..0bd8599d436 100644
--- a/chromium/third_party/WebKit/Source/core/style/ComputedStyle.cpp
+++ b/chromium/third_party/WebKit/Source/core/style/ComputedStyle.cpp
@@ -655,6 +655,11 @@ bool ComputedStyle::DiffNeedsPaintInvalidationObject(
bool ComputedStyle::DiffNeedsPaintInvalidationObjectForPaintImage(
const StyleImage& image,
const ComputedStyle& other) const {
+ // https://crbug.com/835589: early exit when paint target is associated with
+ // a link.
+ if (InsideLink() != EInsideLink::kNotInsideLink)
+ return false;
+
CSSPaintValue* value = ToCSSPaintValue(image.CssValue());
// NOTE: If the invalidation properties vectors are null, we are invalid as