2011-06-28 Roland Steiner <rolandsteiner@chromium.org>
author Ademar de Souza Reis Jr <ademar.reis@openbossa.org>
Wed, 29 Jun 2011 17:43:26 +0000 (14:43 -0300)
committer Ademar de Souza Reis Jr <ademar.reis@openbossa.org>
Wed, 29 Jun 2011 17:43:26 +0000 (14:43 -0300)
commit ea7652b8f3a1483872d1c97f16217eb10326859d
tree 48e288a48049d8c74bad59ae44acacda3691433f
parent 78c01efb8d0231221eed7aebf0511ae242e3dcad
2011-06-28  Roland Steiner  <rolandsteiner@chromium.org>

        Reviewed by Eric Seidel.

        Bug 55930 - (CVE-2011-1440) Incorrect handling of 'display:' property within nested <ruby> tags
        https://bugs.webkit.org/show_bug.cgi?id=55930

        Test that a generated block child + counter within a <ruby> doesn't crash.
        (Test as provided by original reporter).

        * fast/ruby/generated-after-counter-doesnt-crash-expected.txt: Added.
        * fast/ruby/generated-after-counter-doesnt-crash.html: Added.
        * fast/ruby/generated-before-and-after-counter-doesnt-crash-expected.txt: Added.
        * fast/ruby/generated-before-and-after-counter-doesnt-crash.html: Added.
        * fast/ruby/generated-before-counter-doesnt-crash-expected.txt: Added.
        * fast/ruby/generated-before-counter-doesnt-crash.html: Added.
2011-06-28  Roland Steiner  <rolandsteiner@chromium.org>

        Reviewed by Eric Seidel.

        Bug 55930 - (CVE-2011-1440) Incorrect handling of 'display:' property within nested <ruby> tags
        https://bugs.webkit.org/show_bug.cgi?id=55930

        Don't set style type BEFORE/AFTER on anonymous wrapper block.
        Rather, check style type on generated wrapped child.

        Tests: fast/ruby/generated-after-counter-doesnt-crash.html
               fast/ruby/generated-before-and-after-counter-doesnt-crash.html
               fast/ruby/generated-before-counter-doesnt-crash.html

        * rendering/RenderRuby.cpp:
        (WebCore::isAnonymousRubyInlineBlock):
        (WebCore::isRubyBeforeBlock):
        (WebCore::isRubyAfterBlock):
        (WebCore::rubyBeforeBlock):
        (WebCore::rubyAfterBlock):
        (WebCore::createAnonymousRubyInlineBlock):
        (WebCore::RenderRubyAsInline::addChild):
        (WebCore::RenderRubyAsBlock::addChild):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@89987 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Conflicts:

Source/WebCore/rendering/RenderRuby.cpp
LayoutTests/ChangeLog
LayoutTests/fast/ruby/generated-after-counter-doesnt-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/ruby/generated-after-counter-doesnt-crash.html [new file with mode: 0644]
LayoutTests/fast/ruby/generated-before-and-after-counter-doesnt-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/ruby/generated-before-and-after-counter-doesnt-crash.html [new file with mode: 0644]
LayoutTests/fast/ruby/generated-before-counter-doesnt-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/ruby/generated-before-counter-doesnt-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderRuby.cpp