Modified: branches/safari-536.28-branch/LayoutTests/ChangeLog (133235 => 133236)
--- branches/safari-536.28-branch/LayoutTests/ChangeLog 2012-11-01 22:45:24 UTC (rev 133235)
+++ branches/safari-536.28-branch/LayoutTests/ChangeLog 2012-11-01 22:51:16 UTC (rev 133236)
@@ -1,5 +1,19 @@
2012-11-01 Lucas Forschler <lforsch...@apple.com>
+ Merge r124491
+
+ 2012-08-02 Abhishek Arya <infe...@chromium.org>
+
+ No isChildAllowed checked when adding RenderFullScreen as the child..
+ https://bugs.webkit.org/show_bug.cgi?id=92995
+
+ Reviewed by Eric Seidel.
+
+ * fullscreen/fullscreen-child-not-allowed-crash-expected.txt: Added.
+ * fullscreen/fullscreen-child-not-allowed-crash.html: Added.
+
+2012-11-01 Lucas Forschler <lforsch...@apple.com>
+
Merge r124258
2012-07-31 Luke Macpherson <macpher...@chromium.org>
@@ -10668,3 +10682,4 @@
.
.
.
+.
Copied: branches/safari-536.28-branch/LayoutTests/fullscreen/fullscreen-child-not-allowed-crash-expected.txt (from rev 124491, trunk/LayoutTests/fullscreen/fullscreen-child-not-allowed-crash-expected.txt) (0 => 133236)
--- branches/safari-536.28-branch/LayoutTests/fullscreen/fullscreen-child-not-allowed-crash-expected.txt (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/fullscreen/fullscreen-child-not-allowed-crash-expected.txt 2012-11-01 22:51:16 UTC (rev 133236)
@@ -0,0 +1,4 @@
+Test passes if it does not crash.
+
+END OF TEST
+
Copied: branches/safari-536.28-branch/LayoutTests/fullscreen/fullscreen-child-not-allowed-crash.html (from rev 124491, trunk/LayoutTests/fullscreen/fullscreen-child-not-allowed-crash.html) (0 => 133236)
--- branches/safari-536.28-branch/LayoutTests/fullscreen/fullscreen-child-not-allowed-crash.html (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/fullscreen/fullscreen-child-not-allowed-crash.html 2012-11-01 22:51:16 UTC (rev 133236)
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<script src=""
+<body _onload_="init()">
+<p>Test passes if it does not crash.</p>
+<div id="div1">
+<script>
+var init = function() {
+ // Bail out early if the full screen API is not enabled or is missing:
+ if (Element.prototype.webkitRequestFullScreen == undefined) {
+ logResult(false, "Element.prototype.webkitRequestFullScreen == undefined");
+ endTest();
+ } else {
+ runWithKeyDown(function() { div1.webkitRequestFullScreen() });
+ }
+
+ frameset1 = document.createElementNS("http://www.w3.org/1999/xhtml", "frameset");
+ document.body.appendChild(frameset1);
+ setTimeout("crash()", 0);
+};
+
+function crash() {
+ frameset1.appendChild(div1);
+ if (window.eventSender)
+ eventSender.keyDown("X");
+ endTest();
+}
+</script>
+</html>
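Review bot: The `<script src=""` tag on the third line of the new file has an empty src and no closing `>`, so as shown the page would never load the helpers `logResult`, `endTest` and `runWithKeyDown` that `init` relies on; this looks like extraction damage on the page (the `_onload_` attribute on `<body>` has the same look), but it is worth confirming the committed file carries an intact script include. Separately, `setTimeout("crash()", 0)` evaluates a string; passing the function directly, `setTimeout(crash, 0);`, avoids the implicit eval and reads as intended. `frameset1` is assigned without `var` and so becomes an implicit global; declaring it at script scope with `var frameset1;` makes the sharing between `init` and `crash` explicit.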
Modified: branches/safari-536.28-branch/Source/WebCore/ChangeLog (133235 => 133236)
--- branches/safari-536.28-branch/Source/WebCore/ChangeLog 2012-11-01 22:45:24 UTC (rev 133235)
+++ branches/safari-536.28-branch/Source/WebCore/ChangeLog 2012-11-01 22:51:16 UTC (rev 133236)
@@ -1,5 +1,30 @@
2012-11-01 Lucas Forschler <lforsch...@apple.com>
+ Merge r124491
+
+ 2012-08-02 Abhishek Arya <infe...@chromium.org>
+
+ No isChildAllowed checked when adding RenderFullScreen as the child..
+ https://bugs.webkit.org/show_bug.cgi?id=92995
+
+ Reviewed by Eric Seidel.
+
+ Test: fullscreen/fullscreen-child-not-allowed-crash.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::webkitWillEnterFullScreenForElement): pass the object's parent
+ pointer as an additional argument.
+ * dom/NodeRenderingContext.cpp:
+ (WebCore::NodeRendererFactory::createRendererIfNeeded): pass the to be parent |parentRenderer|
+ as the argument.
+ * rendering/RenderFullScreen.cpp:
+ (RenderFullScreen::wrapRenderer): make sure that parent allows RenderFullScreen as the child.
+ * rendering/RenderFullScreen.h:
+ (RenderFullScreen): support the object's parent
+ pointer as an additional argument.
+
+2012-11-01 Lucas Forschler <lforsch...@apple.com>
+
Merge r124258
2012-07-31 Luke Macpherson <macpher...@chromium.org>
@@ -205922,3 +205947,4 @@
.
.
.
+.
Modified: branches/safari-536.28-branch/Source/WebCore/dom/Document.cpp (133235 => 133236)
--- branches/safari-536.28-branch/Source/WebCore/dom/Document.cpp 2012-11-01 22:45:24 UTC (rev 133235)
+++ branches/safari-536.28-branch/Source/WebCore/dom/Document.cpp 2012-11-01 22:51:16 UTC (rev 133236)
@@ -5576,7 +5576,7 @@
}
if (m_fullScreenElement != documentElement())
- RenderFullScreen::wrapRenderer(renderer, this);
+ RenderFullScreen::wrapRenderer(renderer, renderer ? renderer->parent() : 0, this);
m_fullScreenElement->setContainsFullScreenElementOnAncestorsCrossingFrameBoundaries(true);
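Review bot: The return value of `RenderFullScreen::wrapRenderer` is discarded on the added line, and with this change the function can return 0 when the parent's isChildAllowed rejects the RenderFullScreen; the following line then still marks the ancestors as containing a full-screen element even though no wrapper was inserted. If that is intended (the element simply stays unwrapped), a short comment would record it, e.g. `// wrapRenderer returns 0 when the parent refuses a RenderFullScreen child; the element is then left unwrapped.`; if not, the result should be checked before proceeding. The enclosing function starts and ends outside the hunk, so whether anything later depends on the wrapper being present cannot be seen here.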
Modified: branches/safari-536.28-branch/Source/WebCore/dom/NodeRenderingContext.cpp (133235 => 133236)
--- branches/safari-536.28-branch/Source/WebCore/dom/NodeRenderingContext.cpp 2012-11-01 22:45:24 UTC (rev 133235)
+++ branches/safari-536.28-branch/Source/WebCore/dom/NodeRenderingContext.cpp 2012-11-01 22:51:16 UTC (rev 133236)
@@ -398,7 +398,7 @@
#if ENABLE(FULLSCREEN_API)
if (document->webkitIsFullScreen() && document->webkitCurrentFullScreenElement() == node)
- newRenderer = RenderFullScreen::wrapRenderer(newRenderer, document);
+ newRenderer = RenderFullScreen::wrapRenderer(newRenderer, parentRenderer, document);
#endif
if (!newRenderer)
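Review bot: On the changed line the renderer held in `newRenderer` is overwritten by the result of `wrapRenderer`, which after this change returns 0 when `parentRenderer` rejects a RenderFullScreen child; as far as the RenderFullScreen.cpp hunk shows, that early return does not touch its `object` argument, so the renderer just created for this node is then neither attached nor destroyed and the following `if (!newRenderer)` bails out with it unreachable. Keeping the result in its own local lets the failed case release it: `RenderObject* wrapped = RenderFullScreen::wrapRenderer(newRenderer, parentRenderer, document);` / `if (!wrapped) newRenderer->destroy();` / `newRenderer = wrapped;` (assuming destroy() is the right release for a not-yet-attached arena renderer — confirm against the rest of createRendererIfNeeded). The enclosing function begins and ends outside the hunk.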
Modified: branches/safari-536.28-branch/Source/WebCore/rendering/RenderFullScreen.cpp (133235 => 133236)
--- branches/safari-536.28-branch/Source/WebCore/rendering/RenderFullScreen.cpp 2012-11-01 22:45:24 UTC (rev 133235)
+++ branches/safari-536.28-branch/Source/WebCore/rendering/RenderFullScreen.cpp 2012-11-01 22:51:16 UTC (rev 133236)
@@ -105,11 +105,17 @@
return fullscreenStyle.release();
}
-RenderObject* RenderFullScreen::wrapRenderer(RenderObject* object, Document* document)
+RenderObject* RenderFullScreen::wrapRenderer(RenderObject* object, RenderObject* parent, Document* document)
{
RenderFullScreen* fullscreenRenderer = new (document->renderArena()) RenderFullScreen(document);
fullscreenRenderer->setStyle(createFullScreenStyle());
+ if (parent && !parent->isChildAllowed(fullscreenRenderer, fullscreenRenderer->style())) {
+ fullscreenRenderer->destroy();
+ return 0;
+ }
if (object) {
+ // |object->parent()| can be null if the object is not yet attached
+ // to |parent|.
if (RenderObject* parent = object->parent()) {
parent->addChild(fullscreenRenderer, object);
object->remove();
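Review bot: The inner declaration `if (RenderObject* parent = object->parent())` now shadows the `parent` parameter added on the signature line, which trips -Wshadow and makes the new comment ambiguous: it speaks of `|parent|` while the very next line binds a different `parent`. Renaming the inner variable keeps the two apart, e.g. `if (RenderObject* objectParent = object->parent()) {` / `objectParent->addChild(fullscreenRenderer, object);`. Note also that the isChildAllowed check runs against the `parent` argument while the insertion goes into `object->parent()`; the two call sites in this commit pass either the same object or a not-yet-attached renderer, so they agree today, but a one-line comment stating that `parent` is the renderer the wrapper will be inserted into would record that assumption. The function's tail lies outside the hunk.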
Modified: branches/safari-536.28-branch/Source/WebCore/rendering/RenderFullScreen.h (133235 => 133236)
--- branches/safari-536.28-branch/Source/WebCore/rendering/RenderFullScreen.h 2012-11-01 22:45:24 UTC (rev 133235)
+++ branches/safari-536.28-branch/Source/WebCore/rendering/RenderFullScreen.h 2012-11-01 22:51:16 UTC (rev 133236)
@@ -42,7 +42,7 @@
void createPlaceholder(PassRefPtr<RenderStyle>, const LayoutRect& frameRect);
- static RenderObject* wrapRenderer(RenderObject* renderer, Document*);
+ static RenderObject* wrapRenderer(RenderObject*, RenderObject*, Document*);
void unwrapRenderer();
private:
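Review bot: The new declaration drops the parameter names, leaving two adjacent unnamed `RenderObject*` parameters; since the object to wrap and its prospective parent have the same type, a call that swaps them compiles silently, so the names are worth keeping in the header: `static RenderObject* wrapRenderer(RenderObject* renderer, RenderObject* parent, Document*);`. The removed line still named the first parameter, so this is also a small regression in readability.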