author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-10-17 11:54:48 +0200 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-10-21 08:14:21 +0000 |
commit | 9e3becc64121024e092d03d869886ac2c3619d79 (patch) | |
tree | 31670e9bfc0822842bcc1d5a8e99a0cdf306fa6c | |
parent | 4e50fd02436d680ed6bcd1531beb4aa814a755f1 (diff) | |
download | qtwebengine-chromium-9e3becc64121024e092d03d869886ac2c3619d79.tar.gz |
[Backport] Security issue 979373
Refactor computing the last box in CreateLineBoxes
This patch refactors so that:
a. Clarify which of the or-ed DCHECK fail.
b. If |line_layout_item| is a |LayoutBlockFlow| that is not
|this|, degrades SECURITY_DCHECK to DCHECK. We have wrong
object, but it's not a bad cast.
c. If |line_layout_item| is neither |LayoutInline| nor
|LayoutBlockFlow|, the |LineLayoutBlockFlow| constructor
has SECURITY_DCHECK.
This is a speculative fix as I was unable to reproduce.
Bug: 979373
Change-Id: Ib148009f8bdea7b599be160af72a48c86bc73d7c
Commit-Queue: Emil A Eklund <eae@chromium.org>
Reviewed-by: Emil A Eklund <eae@chromium.org>
Cr-Commit-Position: refs/heads/master@{#676079}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/core/layout/layout_block_flow_line.cc | 21 |
1 files changed, 10 insertions, 11 deletions
diff --git a/chromium/third_party/blink/renderer/core/layout/layout_block_flow_line.cc b/chromium/third_party/blink/renderer/core/layout/layout_block_flow_line.cc index 71564c59ef3..c60cba3e0a8 100644 --- a/chromium/third_party/blink/renderer/core/layout/layout_block_flow_line.cc +++ b/chromium/third_party/blink/renderer/core/layout/layout_block_flow_line.cc @@ -196,16 +196,17 @@ InlineFlowBox* LayoutBlockFlow::CreateLineBoxes(LineLayoutItem line_layout_item, line_layout_item = LineLayoutItem(this); } - SECURITY_DCHECK(line_layout_item.IsLayoutInline() || - line_layout_item.IsEqual(this)); - - LineLayoutInline inline_flow( - !line_layout_item.IsEqual(this) ? line_layout_item : nullptr); - // Get the last box we made for this layout object. - parent_box = inline_flow - ? inline_flow.LastLineBox() - : LineLayoutBlockFlow(line_layout_item).LastLineBox(); + bool allowed_to_construct_new_box; + if (line_layout_item.IsLayoutInline()) { + LineLayoutInline inline_flow(line_layout_item); + parent_box = inline_flow.LastLineBox(); + allowed_to_construct_new_box = inline_flow.AlwaysCreateLineBoxes(); + } else { + DCHECK(line_layout_item.IsEqual(this)); + parent_box = LineLayoutBlockFlow(line_layout_item).LastLineBox(); + allowed_to_construct_new_box = true; + } // If this box or its ancestor is constructed then it is from a previous // line, and we need to make a new box for our line. If this box or its @@ -214,8 +215,6 @@ InlineFlowBox* LayoutBlockFlow::CreateLineBoxes(LineLayoutItem line_layout_item, // inline has actually been split in two on the same line (this can happen // with very fancy language mixtures). bool constructed_new_box = false; - bool allowed_to_construct_new_box = - !inline_flow || inline_flow.AlwaysCreateLineBoxes(); bool can_use_existing_parent_box = parent_box && !ParentIsConstructedOrHaveNext(parent_box); if (allowed_to_construct_new_box && !can_use_existing_parent_box) { |
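Review bot: in the new `else` branch of the first hunk, `DCHECK(line_layout_item.IsEqual(this))` is the only check at the call site before `LineLayoutBlockFlow(line_layout_item).LastLineBox()` is used, and nothing in the code says why that is enough. The commit message explains that a `LayoutBlockFlow` other than `this` is deliberately downgraded from SECURITY_DCHECK to DCHECK, and that any other type is caught by a SECURITY_DCHECK in the `LineLayoutBlockFlow` constructor; a short comment in the branch stating both points would keep that reasoning next to the code. Since the message also calls the fix speculative and unreproduced, consider whether the wrong-object case should bail out rather than continue with another block's last line box in builds where the DCHECK is compiled out.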
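Review bot: in the second hunk, removing the declaration here leaves `allowed_to_construct_new_box` declared without an initializer in the first hunk, above the explanatory comment block and well before its use in `if (allowed_to_construct_new_box && !can_use_existing_parent_box)`. Both branches assign it today, so this is correct as written, but giving it an initial value at the declaration (for example `bool allowed_to_construct_new_box = true;`) would keep a later added branch from reading it unset.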