[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

inferno at chromium.org inferno at chromium.org
Wed Dec 22 13:48:30 UTC 2010 

The following commit has been merged in the debian/experimental branch:
commit 61d8dcc4370c1377c63f6ca2e6faf7f1c9597b8f
Author: inferno at chromium.org <inferno at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Mon Sep 27 18:18:54 2010 +0000

    2010-09-27  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by Dave Hyatt.
    
            Fix memory safety issue during positioning list marker as a result of assuming
            that list item's parent can always be casted to a RenderBox. The display of the parent
            can be manipluated using css as Inline which causes a bad cast.
    
            https://bugs.webkit.org/show_bug.cgi?id=46384
    
            Test: fast/lists/parent-box-not-box-crash.html
    
            * rendering/RenderListItem.cpp:
            (WebCore::RenderListItem::positionListMarker):
            * rendering/RenderListMarker.cpp:
            (WebCore::RenderListMarker::layout):
    2010-09-27  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by Dave Hyatt.
    
            Tests that positioning the list marker whose parent (child div) is not
            a box (inline because of the run-in style) does not result in crash.
            https://bugs.webkit.org/show_bug.cgi?id=46384
    
            * fast/lists/parent-box-not-box-crash-expected.txt: Added.
            * fast/lists/parent-box-not-box-crash.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@68408 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index c92e5db..fa3d35c 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2010-09-27  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by Dave Hyatt.
+
+        Tests that positioning the list marker whose parent (child div) is not
+        a box (inline because of the run-in style) does not result in crash.
+        https://bugs.webkit.org/show_bug.cgi?id=46384
+
+        * fast/lists/parent-box-not-box-crash-expected.txt: Added.
+        * fast/lists/parent-box-not-box-crash.html: Added.
+
 2010-09-27  Andrey Kosyakov  <caseq at chromium.org>
 
         Unreviewed.
diff --git a/LayoutTests/fast/dom/beforeload/image-object-before-load-expected.txt b/LayoutTests/fast/lists/parent-box-not-box-crash-expected.txt
similarity index 100%
copy from LayoutTests/fast/dom/beforeload/image-object-before-load-expected.txt
copy to LayoutTests/fast/lists/parent-box-not-box-crash-expected.txt
diff --git a/LayoutTests/fast/lists/parent-box-not-box-crash.html b/LayoutTests/fast/lists/parent-box-not-box-crash.html
new file mode 100644
index 0000000..1d9272b
--- /dev/null
+++ b/LayoutTests/fast/lists/parent-box-not-box-crash.html
@@ -0,0 +1,24 @@
+<html>
+    <head>
+        <style>
+            .test1 { 
+                display: list-item; 
+            }
+            .test2 { 
+                display: run-in; 
+            }
+        </style>
+        <script>
+            if (window.layoutTestController)
+                layoutTestController.dumpAsText();
+        </script>
+    </head>
+    <body>
+        <div class="test1">
+            <div class="test2">
+                PASS
+            </div>
+        <div>
+    </body>
+</html>
+
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index e897a58..71fb0c0 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,20 @@
+2010-09-27  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by Dave Hyatt.
+
+        Fix memory safety issue during positioning list marker as a result of assuming 
+        that list item's parent can always be casted to a RenderBox. The display of the parent
+        can be manipluated using css as Inline which causes a bad cast.
+
+        https://bugs.webkit.org/show_bug.cgi?id=46384
+
+        Test: fast/lists/parent-box-not-box-crash.html
+
+        * rendering/RenderListItem.cpp:
+        (WebCore::RenderListItem::positionListMarker):
+        * rendering/RenderListMarker.cpp:
+        (WebCore::RenderListMarker::layout):
+
 2010-09-19  Martin Robinson  <mrobinson at igalia.com>
 
         Reviewed by Gustavo Noronha Silva.
diff --git a/WebCore/rendering/RenderListItem.cpp b/WebCore/rendering/RenderListItem.cpp
index 9119f84..708e4da 100644
--- a/WebCore/rendering/RenderListItem.cpp
+++ b/WebCore/rendering/RenderListItem.cpp
@@ -245,7 +245,7 @@ void RenderListItem::layout()
 
 void RenderListItem::positionListMarker()
 {
-    if (m_marker && !m_marker->isInside() && m_marker->inlineBoxWrapper()) {
+    if (m_marker && m_marker->parent()->isBox() && !m_marker->isInside() && m_marker->inlineBoxWrapper()) {
         int markerOldX = m_marker->x();
         int yOffset = 0;
         int xOffset = 0;
diff --git a/WebCore/rendering/RenderListMarker.cpp b/WebCore/rendering/RenderListMarker.cpp
index f07dfad..d9ded9d 100644
--- a/WebCore/rendering/RenderListMarker.cpp
+++ b/WebCore/rendering/RenderListMarker.cpp
@@ -1274,8 +1274,7 @@ void RenderListMarker::paint(PaintInfo& paintInfo, int tx, int ty)
 void RenderListMarker::layout()
 {
     ASSERT(needsLayout());
-    ASSERT(!preferredLogicalWidthsDirty());
-
+ 
     if (isImage()) {
         setWidth(m_image->imageSize(this, style()->effectiveZoom()).width());
         setHeight(m_image->imageSize(this, style()->effectiveZoom()).height());

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list