Chromium Code Reviews

Side by Side Diff: Source/core/rendering/RenderBlock.cpp

Issue 13852041: Harden column splitting code against bad casts. Make sure that |curr| is a descendant of |fromBlock… (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Created 7 years, 8 months ago
1 /* 1 /*
2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
3 * (C) 1999 Antti Koivisto (koivisto@kde.org) 3 * (C) 1999 Antti Koivisto (koivisto@kde.org)
4 * (C) 2007 David Smith (catfish.man@gmail.com) 4 * (C) 2007 David Smith (catfish.man@gmail.com)
5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved. 5 * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved.
6 * Copyright (C) Research In Motion Limited 2010. All rights reserved. 6 * Copyright (C) Research In Motion Limited 2010. All rights reserved.
7 * 7 *
8 * This library is free software; you can redistribute it and/or 8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Library General Public 9 * modify it under the terms of the GNU Library General Public
10 * License as published by the Free Software Foundation; either 10 * License as published by the Free Software Foundation; either
(...skipping 607 matching lines...)
618 if (!cloneBlock->isAnonymousBlock()) 618 if (!cloneBlock->isAnonymousBlock())
619 middleBlock->setContinuation(cloneBlock); 619 middleBlock->setContinuation(cloneBlock);
620 620
621 // We have been reparented and are now under the fromBlock. We need 621 // We have been reparented and are now under the fromBlock. We need
622 // to walk up our block parent chain until we hit the containing anonymous c olumns block. 622 // to walk up our block parent chain until we hit the containing anonymous c olumns block.
623 // Once we hit the anonymous columns block we're done. 623 // Once we hit the anonymous columns block we're done.
624 RenderBoxModelObject* curr = toRenderBoxModelObject(parent()); 624 RenderBoxModelObject* curr = toRenderBoxModelObject(parent());
625 RenderBoxModelObject* currChild = this; 625 RenderBoxModelObject* currChild = this;
626 RenderObject* currChildNextSibling = currChild->nextSibling(); 626 RenderObject* currChildNextSibling = currChild->nextSibling();
627 627
628 while (curr && curr != fromBlock) { 628 while (curr && curr->isDescendantOf(fromBlock) && curr != fromBlock) {
esprehn 2013/04/19 21:24:52 This isn't right. The loop is going from curr thro
629 ASSERT_WITH_SECURITY_IMPLICATION(curr->isRenderBlock()); 629 ASSERT_WITH_SECURITY_IMPLICATION(curr->isRenderBlock());
630 630
631 RenderBlock* blockCurr = toRenderBlock(curr); 631 RenderBlock* blockCurr = toRenderBlock(curr);
632 632
633 // Create a new clone. 633 // Create a new clone.
634 RenderBlock* cloneChild = cloneBlock; 634 RenderBlock* cloneChild = cloneBlock;
635 cloneBlock = blockCurr->clone(); 635 cloneBlock = blockCurr->clone();
636 636
637 // Insert our child clone as the first child. 637 // Insert our child clone as the first child.
638 cloneBlock->addChildIgnoringContinuation(cloneChild, 0); 638 cloneBlock->addChildIgnoringContinuation(cloneChild, 0);
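Review bot: the new `curr->isDescendantOf(fromBlock)` term on line 628 turns a silent loop exit into the only defence against a bad cast, and it re-walks the ancestor chain on every iteration. If `curr` starts out as a descendant of `fromBlock` and the loop climbs via parent pointers, it stays a descendant until it reaches `fromBlock`, so the per-iteration check adds an O(depth) walk per step without adding information after the first one; if `curr` is not a descendant at entry, the loop now quietly does nothing and the `ASSERT_WITH_SECURITY_IMPLICATION(curr->isRenderBlock())` on line 629 never fires, which hides exactly the broken-invariant case the CL title says it wants to catch. Consider checking the ancestry once before the loop, and making the failure visible, e.g. `ASSERT_WITH_SECURITY_IMPLICATION(curr->isDescendantOf(fromBlock));` followed by the original `while (curr && curr != fromBlock) {` condition, or an explicit early return with a comment explaining why the tree can be in that state. Also worth a one-line comment on whether `isDescendantOf` treats the object itself as a descendant; if it does, the existing `curr != fromBlock` term still has to stay, which the combined condition currently leaves implicit.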
(...skipping 7473 matching lines...)
8112 { 8112 {
8113 memoryInstrumentation->addRootObject(gColumnInfoMap, WebCoreMemoryTypes::Ren deringStructures); 8113 memoryInstrumentation->addRootObject(gColumnInfoMap, WebCoreMemoryTypes::Ren deringStructures);
8114 memoryInstrumentation->addRootObject(gPositionedDescendantsMap, WebCoreMemor yTypes::RenderingStructures); 8114 memoryInstrumentation->addRootObject(gPositionedDescendantsMap, WebCoreMemor yTypes::RenderingStructures);
8115 memoryInstrumentation->addRootObject(gPercentHeightDescendantsMap, WebCoreMe moryTypes::RenderingStructures); 8115 memoryInstrumentation->addRootObject(gPercentHeightDescendantsMap, WebCoreMe moryTypes::RenderingStructures);
8116 memoryInstrumentation->addRootObject(gPositionedContainerMap, WebCoreMemoryT ypes::RenderingStructures); 8116 memoryInstrumentation->addRootObject(gPositionedContainerMap, WebCoreMemoryT ypes::RenderingStructures);
8117 memoryInstrumentation->addRootObject(gPercentHeightContainerMap, WebCoreMemo ryTypes::RenderingStructures); 8117 memoryInstrumentation->addRootObject(gPercentHeightContainerMap, WebCoreMemo ryTypes::RenderingStructures);
8118 memoryInstrumentation->addRootObject(gDelayedUpdateScrollInfoSet, WebCoreMem oryTypes::RenderingStructures); 8118 memoryInstrumentation->addRootObject(gDelayedUpdateScrollInfoSet, WebCoreMem oryTypes::RenderingStructures);
8119 } 8119 }
8120 8120
8121 } // namespace WebCore 8121 } // namespace WebCore