https://bugs.webkit.org/show_bug.cgi?id=60778
author: David Hyatt <hyatt@apple.com>
Tue, 26 Jul 2011 20:39:25 +0000 (20:39 +0000)
committer: Ademar de Souza Reis Jr <ademar.reis@openbossa.org>
Thu, 28 Jul 2011 20:59:09 +0000 (17:59 -0300)
commit: a7ba52c323132461dab4af616271bab75c2ffd57
tree: 3648b93ad2470101c3251485bf8f33731e142955
parent: 5b3a2e737ab323b012d9dbca05effdce044e360b

Use after free because of line box culling optimization regression.

In the case of a child with no line box being removed (typically
a <br> in quirks mode), if there is no previous sibling with a line
box, then we have a potential problem with the culling optimization.

The culled inline may still have other leaf line box children, but
they may follow the removed <br>. In this case we can't rely on
them, since we need a line box that comes before the <br>.

The fix is to simply recur up to the parent if we are a culled inline
and could not find a previous line box.

Reviewed by Dan Bernstein.

Added editing/execCommand/crash-line-break-after-outdent.html

Source/WebCore:

* rendering/RenderLineBoxList.cpp:
(WebCore::RenderLineBoxList::dirtyLinesFromChangedChild):

LayoutTests:

* editing/execCommand/crash-line-break-after-outdent-expected.txt: Added.
* editing/execCommand/crash-line-break-after-outdent.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@91781 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/editing/execCommand/crash-line-break-after-outdent-expected.txt [new file with mode: 0644]
LayoutTests/editing/execCommand/crash-line-break-after-outdent.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderLineBoxList.cpp
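The ordering problem the commit message describes, as an added illustration that is not WebKit's code and does not reproduce RenderLineBoxList::dirtyLinesFromChangedChild: a toy render tree where a culled inline (an inline that owns no line boxes of its own) contains a quirks-mode <br> with no line box, followed by a text child that does have one. The buggy lookup falls back to any leaf line box under the culled inline and so picks one that comes after the removed <br>; the fixed lookup instead walks up to the culled inline's parent and repeats the search there. All names (Renderer, LineBox, lineBoxBeforeBuggy, lineBoxBeforeFixed) and the sample tree are constructed for this example.

```cpp
#include <cstdio>
#include <vector>

// Hypothetical model of a render tree; not WebKit's RenderObject/InlineBox types.
struct LineBox { int lineIndex; };   // document-order line the box sits on

struct Renderer {
    Renderer* parent = nullptr;
    std::vector<Renderer*> children;
    bool culledInline = false;       // inline with no line boxes of its own
    std::vector<LineBox> boxes;      // empty for a culled inline or a quirks-mode <br>
    Renderer* appendChild(Renderer* c) { c->parent = this; children.push_back(c); return c; }
};

// Last line box owned by a sibling that precedes `child` inside `parent`; nullptr if none.
static const LineBox* lastBoxOfPreviousSibling(const Renderer* parent, const Renderer* child) {
    const LineBox* found = nullptr;
    for (const Renderer* sib : parent->children) {
        if (sib == child) break;
        if (!sib->boxes.empty()) found = &sib->boxes.back();
    }
    return found;
}

// First leaf line box anywhere under `r`, in document order (the "culled inline" fallback).
static const LineBox* firstLeafBox(const Renderer* r) {
    if (!r->boxes.empty()) return &r->boxes.front();
    for (const Renderer* c : r->children)
        if (const LineBox* b = firstLeafBox(c)) return b;
    return nullptr;
}

// Buggy variant: trusts any leaf box of the culled inline, even one that follows `child`.
const LineBox* lineBoxBeforeBuggy(const Renderer* parent, const Renderer* child) {
    if (const LineBox* b = lastBoxOfPreviousSibling(parent, child)) return b;
    if (parent->culledInline) return firstLeafBox(parent);   // may lie after `child`
    return nullptr;
}

// Fixed variant: with nothing before `child` inside a culled inline, recur to the parent
// and search again, now treating the culled inline itself as the changed child.
const LineBox* lineBoxBeforeFixed(const Renderer* parent, const Renderer* child) {
    if (const LineBox* b = lastBoxOfPreviousSibling(parent, child)) return b;
    if (parent->culledInline && parent->parent) return lineBoxBeforeFixed(parent->parent, parent);
    return nullptr;
}

// Constructed sample tree:  <div> "first line" <span> <br> "after br" </span> </div>
// where <span> is culled, "first line" sits on line 0 and "after br" on line 1.
struct Tree { Renderer block, before, span, br, after; };

static void build(Tree& t) {
    t.before.boxes = {{0}};
    t.span.culledInline = true;
    t.after.boxes = {{1}};
    t.block.appendChild(&t.before);
    t.block.appendChild(&t.span);
    t.span.appendChild(&t.br);       // the quirks-mode <br>: owns no line box
    t.span.appendChild(&t.after);
}

static int lineOf(const LineBox* b) { return b ? b->lineIndex : -1; }

// Line index each variant picks as "the line box before the removed <br>" (-1 if none).
int buggyLineBeforeRemovedBr() { Tree t; build(t); return lineOf(lineBoxBeforeBuggy(&t.span, &t.br)); }
int fixedLineBeforeRemovedBr() { Tree t; build(t); return lineOf(lineBoxBeforeFixed(&t.span, &t.br)); }

int main() {
    std::printf("buggy picks line %d (after the <br>)\n", buggyLineBeforeRemovedBr());
    std::printf("fixed picks line %d (before the <br>)\n", fixedLineBeforeRemovedBr());
    return 0;
}
```

The point of the model is the invariant the fix restores: the line box used to start dirtying must precede the removed child in document order. In the sample tree the buggy lookup returns the box on line 1, which follows the <br>, while the fixed lookup climbs to the block, finds "first line" before the culled span, and returns line 0.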