Title: [204722] releases/WebKitGTK/webkit-2.12/Source/WebCore
Revision
204722
Author
carlo...@webkit.org
Date
2016-08-22 09:19:20 -0700 (Mon, 22 Aug 2016)

Log Message

Merge r202177 - Potential null dereferencing on a detached positioned renderer.
https://bugs.webkit.org/show_bug.cgi?id=158879

Reviewed by Simon Fraser.

This patch fixes the case where the while loop that searches for the absolutely positioned ancestor
returns null (this happens when the positioned renderer has been detached from the render tree).

Speculative fix.

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::markFixedPositionObjectForLayoutIfNeeded):
* rendering/RenderBlock.h:

Modified Paths

Diff

Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog (204721 => 204722)


--- releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog	2016-08-22 16:18:09 UTC (rev 204721)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog	2016-08-22 16:19:20 UTC (rev 204722)
@@ -1,3 +1,19 @@
+2016-06-17  Zalan Bujtas  <za...@apple.com>
+
+        Potential null dereferencing on a detached positioned renderer.
+        https://bugs.webkit.org/show_bug.cgi?id=158879
+
+        Reviewed by Simon Fraser.
+
+        This patch fixes the case when the while loop to search for the absolute positioned ancestor
+        returns null (it happens when positioned renderer has been detached from the render tree).
+
+        Speculative fix.
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::markFixedPositionObjectForLayoutIfNeeded):
+        * rendering/RenderBlock.h:
+
 2016-06-27  Philippe Normand  <ph...@igalia.com>
 
         [GStreamer] top/bottom black bars added needlessly in fullscreen

Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/rendering/RenderBlock.cpp (204721 => 204722)


--- releases/WebKitGTK/webkit-2.12/Source/WebCore/rendering/RenderBlock.cpp	2016-08-22 16:18:09 UTC (rev 204721)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/rendering/RenderBlock.cpp	2016-08-22 16:19:20 UTC (rev 204722)
@@ -1264,34 +1264,33 @@
     return true;
 }
 
-void RenderBlock::markFixedPositionObjectForLayoutIfNeeded(RenderObject& child)
+void RenderBlock::markFixedPositionObjectForLayoutIfNeeded(RenderBox& positionedChild)
 {
-    if (child.style().position() != FixedPosition)
+    if (positionedChild.style().position() != FixedPosition)
         return;
 
-    bool hasStaticBlockPosition = child.style().hasStaticBlockPosition(isHorizontalWritingMode());
-    bool hasStaticInlinePosition = child.style().hasStaticInlinePosition(isHorizontalWritingMode());
+    bool hasStaticBlockPosition = positionedChild.style().hasStaticBlockPosition(isHorizontalWritingMode());
+    bool hasStaticInlinePosition = positionedChild.style().hasStaticInlinePosition(isHorizontalWritingMode());
     if (!hasStaticBlockPosition && !hasStaticInlinePosition)
         return;
 
-    auto o = child.parent();
-    while (o && !is<RenderView>(*o) && o->style().position() != AbsolutePosition)
-        o = o->parent();
-    if (o->style().position() != AbsolutePosition)
+    auto* parent = positionedChild.parent();
+    while (parent && !is<RenderView>(*parent) && parent->style().position() != AbsolutePosition)
+        parent = parent->parent();
+    if (!parent || parent->style().position() != AbsolutePosition)
         return;
 
-    auto& box = downcast<RenderBox>(child);
     if (hasStaticInlinePosition) {
         LogicalExtentComputedValues computedValues;
-        box.computeLogicalWidthInRegion(computedValues);
+        positionedChild.computeLogicalWidthInRegion(computedValues);
         LayoutUnit newLeft = computedValues.m_position;
-        if (newLeft != box.logicalLeft())
-            box.setChildNeedsLayout(MarkOnlyThis);
+        if (newLeft != positionedChild.logicalLeft())
+            positionedChild.setChildNeedsLayout(MarkOnlyThis);
     } else if (hasStaticBlockPosition) {
-        LayoutUnit oldTop = box.logicalTop();
-        box.updateLogicalHeight();
-        if (box.logicalTop() != oldTop)
-            box.setChildNeedsLayout(MarkOnlyThis);
+        LayoutUnit oldTop = positionedChild.logicalTop();
+        positionedChild.updateLogicalHeight();
+        if (positionedChild.logicalTop() != oldTop)
+            positionedChild.setChildNeedsLayout(MarkOnlyThis);
     }
 }
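Review bot: The reason `parent` can be null at `if (!parent || parent->style().position() != AbsolutePosition)` is stated only in the ChangeLog, so a later cleanup could drop the guard as redundant; a one-line comment above it would pin the invariant, e.g. `// parent is null when positionedChild has already been detached from the render tree; there is nothing to mark in that case.`. The declaration in the RenderBlock.h hunk still names the parameter `child` while this definition names it `positionedChild`; aligning the two keeps the header readable. Since the parameter is now `RenderBox&`, the downcast from RenderObject has moved to callers that are outside this hunk, so whether every call site already holds a RenderBox cannot be confirmed from here.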
 

Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/rendering/RenderBlock.h (204721 => 204722)


--- releases/WebKitGTK/webkit-2.12/Source/WebCore/rendering/RenderBlock.h	2016-08-22 16:18:09 UTC (rev 204721)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/rendering/RenderBlock.h	2016-08-22 16:19:20 UTC (rev 204722)
@@ -316,7 +316,7 @@
     void layoutPositionedObjects(bool relayoutChildren, bool fixedPositionObjectsOnly = false);
     virtual void layoutPositionedObject(RenderBox&, bool relayoutChildren, bool fixedPositionObjectsOnly);
     
-    void markFixedPositionObjectForLayoutIfNeeded(RenderObject& child);
+    void markFixedPositionObjectForLayoutIfNeeded(RenderBox& child);
 
     LayoutUnit marginIntrinsicLogicalWidthForChild(RenderBox&) const;
 