diff options
| author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-10-17 11:53:05 +0200 |
|---|---|---|
| committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-11-01 13:25:21 +0000 |
| commit | 89644ad92fee38706430c1adb1e29b9756193b4f (patch) | |
| tree | d756f76ec482c7d73c124929ad6d51e4a7eb8b77 | |
| parent | db783cf5684f13451a5656e6958c9d331aba7149 (diff) | |
[Backport] Security issue 981459v5.12.6
Don't assume HTMLFrameOwnerElement::GetLayoutObject is LayoutEmbeddedContent
The comment above HTMLFrameOwnerElement::GetLayoutEmbeddedContent()
says:
// Most subclasses use LayoutEmbeddedContent (either LayoutEmbeddedObject or
// LayoutIFrame) except for HTMLObjectElement and HTMLEmbedElement which may
// return any LayoutObject when using fallback content.
LayoutEmbeddedContent* GetLayoutEmbeddedContent() const;
No new test because I couldn't reproduce the bug locally, but I believe this
will fix the clusterfuzz bug.
Bug: 981459
Change-Id: I3ecf8022111dc25a2e862c0311ffa56467d18c2e
Reviewed-by: Philip Rogers <pdr@chromium.org>
Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#675712}
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
| -rw-r--r-- | chromium/third_party/blink/renderer/core/html/html_frame_owner_element.cc | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/chromium/third_party/blink/renderer/core/html/html_frame_owner_element.cc b/chromium/third_party/blink/renderer/core/html/html_frame_owner_element.cc index 645cbeef2cb..a2ab5eb1a36 100644 --- a/chromium/third_party/blink/renderer/core/html/html_frame_owner_element.cc +++ b/chromium/third_party/blink/renderer/core/html/html_frame_owner_element.cc @@ -296,8 +296,7 @@ void HTMLFrameOwnerElement::SetEmbeddedContentView( GetDocument().GetRootScrollerController().DidUpdateIFrameFrameView(*this); - LayoutEmbeddedContent* layout_embedded_content = - ToLayoutEmbeddedContent(GetLayoutObject()); + LayoutEmbeddedContent* layout_embedded_content = GetLayoutEmbeddedContent(); if (!layout_embedded_content) return; @@ -324,8 +323,7 @@ EmbeddedContentView* HTMLFrameOwnerElement::ReleaseEmbeddedContentView() { return nullptr; if (embedded_content_view_->IsAttached()) embedded_content_view_->DetachFromLayout(); - LayoutEmbeddedContent* layout_embedded_content = - ToLayoutEmbeddedContent(GetLayoutObject()); + LayoutEmbeddedContent* layout_embedded_content = GetLayoutEmbeddedContent(); if (layout_embedded_content) { if (AXObjectCache* cache = GetDocument().ExistingAXObjectCache()) cache->ChildrenChanged(layout_embedded_content); |