author Zakhar Voit <voit@google.com> 2021-09-16 11:29:42 +0000
committer Michael Brüning <michael.bruning@qt.io> 2021-11-10 18:26:05 +0000
commit d1aade545636a1e533da6d307957768f1145c092 (patch)
tree 8b31d91e843c4b37eaa30ca28832de010aadc069
parent 40e1edf940d1364488f26f539ce39099234704cf (diff)
download qtwebengine-chromium-d1aade545636a1e533da6d307957768f1145c092.tar.gz
[Backport] CVE-2021-30627: Type Confusion in Blink layout
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3160014:

[M90-LTS] [layout] Remove limit from LayoutInline::SplitInlines.

After 200 elements the code "gave up" causing the layout tree to be "strange". This caused a To<LayoutInline> to fail in the OOF code. Relaxing this To<> to a DynamicTo<> caused additional CHECKs / DCHECKs all over the place (not just in NG but in Legacy as well).

This patch removes the limit at which we "give up". This may cause additional render hangs. However we currently have a project "block-in-inline" which will (for most cases) stop inline-splitting from occurring (except in legacy fallback).

(cherry picked from commit bbd315efb49a4ae257509dd0f0d85c6b5906e0e4)

Bug: 1245786
Change-Id: I5f1c4d6a4b81a8345974de40c0c50a27a839b7b4
Commit-Queue: Ian Kilpatrick <ikilpatrick@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#917771}
Reviewed-by: Jana Grill <janagrill@google.com>
Owners-Override: Jana Grill <janagrill@google.com>
Commit-Queue: Zakhar Voit <voit@google.com>
Cr-Commit-Position: refs/branch-heads/4430@{#1606}
Cr-Branched-From: e5ce7dc4f7518237b3d9bb93cccca35d25216cbe-refs/heads/master@{#857950}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- chromium/third_party/blink/renderer/core/layout/layout_inline.cc | 4
1 files changed, 1 insertions, 3 deletions
diff --git a/chromium/third_party/blink/renderer/core/layout/layout_inline.cc b/chromium/third_party/blink/renderer/core/layout/layout_inline.cc
index e287ac7b2a5..d9ed03445c8 100644
--- a/chromium/third_party/blink/renderer/core/layout/layout_inline.cc
+++ b/chromium/third_party/blink/renderer/core/layout/layout_inline.cc
@@ -453,13 +453,11 @@ void LayoutInline::SplitInlines(LayoutBlockFlow* from_block,
// nest to a much greater depth (see bugzilla bug 13430) but for now we have a
// limit. This *will* result in incorrect rendering, but the alternative is to
// hang forever.
- const unsigned kCMaxSplitDepth = 200;
Vector<LayoutInline*> inlines_to_clone;
LayoutInline* top_most_inline = this;
for (LayoutObject* o = this; o != from_block; o = o->Parent()) {
top_most_inline = ToLayoutInline(o);
- if (inlines_to_clone.size() < kCMaxSplitDepth)
- inlines_to_clone.push_back(top_most_inline);
+ inlines_to_clone.push_back(top_most_inline);
// Keep walking up the chain to ensure |topMostInline| is a child of
// |fromBlock|, to avoid assertion failure when |fromBlock|'s children are
// moved to |toBlock| below.
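Review bot: The comment left in place above the removed `kCMaxSplitDepth` ("but for now we have a limit. This *will* result in incorrect rendering, but the alternative is to hang forever.") is now stale: the hunk deletes the constant and the `if (inlines_to_clone.size() < kCMaxSplitDepth)` guard, so `inlines_to_clone` grows unbounded and there is no limit for the comment to describe. Suggest rewriting those lines to state that the walk from `this` up to `from_block` is intentionally unbounded, that the previous cap produced a malformed tree on which `To<LayoutInline>` failed (the type-confusion root cause named in the commit title), and that the accepted trade-off is a possible render hang, with a pointer to the "block-in-inline" work the commit message cites as the mitigation. Without that, the next reader will see a comment promising a limit and go looking for one.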