authorSteve Block <steveblock@google.com>2010-09-13 10:38:59 +0100
committerSteve Block <steveblock@google.com>2010-09-13 13:26:37 +0100
commite3a33d1e0c60357ad9f36df6e16799ddb5942917 (patch)
tree8b0a3e81b07a777bacd1d2ec771e67ee2f727c6b /WebCore
parent946ea101a7673e7f566d52b1ba81f85b75666d16 (diff)
Cherry-pick security fix in WebKit change 63048. Do not merge
See http://trac.webkit.org/changeset/63048 Note that this required a manual merge as we do not have http://trac.webkit.org/changeset/59988 Bug: 2986936 Change-Id: I82617a011f68aeea953000d5487f40b32dcc7c72
Diffstat (limited to 'WebCore')
-rw-r--r--WebCore/rendering/InlineFlowBox.cpp19
-rw-r--r--WebCore/rendering/RenderBlock.cpp14
-rw-r--r--WebCore/rendering/RenderObject.cpp13
-rw-r--r--WebCore/rendering/RenderObject.h3
4 files changed, 43 insertions, 6 deletions
diff --git a/WebCore/rendering/InlineFlowBox.cpp b/WebCore/rendering/InlineFlowBox.cpp
index 34eec30..abfdf5c 100644
--- a/WebCore/rendering/InlineFlowBox.cpp
+++ b/WebCore/rendering/InlineFlowBox.cpp
@@ -638,11 +638,24 @@ void InlineFlowBox::paint(RenderObject::PaintInfo& paintInfo, int tx, int ty)
// outlines.
if (renderer()->style()->visibility() == VISIBLE && renderer()->hasOutline() && !isRootInlineBox()) {
RenderInline* inlineFlow = toRenderInline(renderer());
- if ((inlineFlow->continuation() || inlineFlow->isInlineContinuation()) && !boxModelObject()->hasSelfPaintingLayer()) {
+
+ RenderBlock* cb = 0;
+ bool containingBlockPaintsContinuationOutline = inlineFlow->continuation() || inlineFlow->isInlineContinuation();
+ if (containingBlockPaintsContinuationOutline) {
+ cb = renderer()->containingBlock()->containingBlock();
+
+ for (RenderBoxModelObject* box = boxModelObject(); box != cb; box = box->parent()->enclosingBoxModelObject()) {
+ if (box->hasSelfPaintingLayer()) {
+ containingBlockPaintsContinuationOutline = false;
+ break;
+ }
+ }
+ }
+
+ if (containingBlockPaintsContinuationOutline) {
// Add ourselves to the containing block of the entire continuation so that it can
// paint us atomically.
- RenderBlock* block = renderer()->containingBlock()->containingBlock();
- block->addContinuationWithOutline(toRenderInline(renderer()->node()->renderer()));
+ cb->addContinuationWithOutline(toRenderInline(renderer()->node()->renderer()));
} else if (!inlineFlow->isInlineContinuation())
paintInfo.outlineObjects->add(inlineFlow);
}
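Review bot: The new ancestor walk `for (RenderBoxModelObject* box = boxModelObject(); box != cb; box = box->parent()->enclosingBoxModelObject())` dereferences `box->parent()` and then `box` itself with no null check, so it is only safe if `cb` is non-null and always reached on the parent chain. If that assumption ever fails, the walk runs off the root: `parent()` returns 0, or `enclosingBoxModelObject()` returns 0 in release builds, where `ASSERT_NOT_REACHED()` presumably compiles out. A defensive form would use `box && box != cb` as the condition and `box = box->parent() ? box->parent()->enclosingBoxModelObject() : 0` as the step, treating an unreached `cb` as "do not hand the outline to the containing block". The same loop shape appears in the RenderBlock::paintObject hunk and deserves the same guard. The body of InlineFlowBox::paint continues outside this hunk.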
diff --git a/WebCore/rendering/RenderBlock.cpp b/WebCore/rendering/RenderBlock.cpp
index eabb054..f061953 100644
--- a/WebCore/rendering/RenderBlock.cpp
+++ b/WebCore/rendering/RenderBlock.cpp
@@ -1776,8 +1776,18 @@ void RenderBlock::paintObject(PaintInfo& paintInfo, int tx, int ty)
if ((paintPhase == PaintPhaseOutline || paintPhase == PaintPhaseChildOutlines)) {
if (inlineContinuation() && inlineContinuation()->hasOutline() && inlineContinuation()->style()->visibility() == VISIBLE) {
RenderInline* inlineRenderer = toRenderInline(inlineContinuation()->node()->renderer());
- if (!inlineRenderer->hasSelfPaintingLayer())
- containingBlock()->addContinuationWithOutline(inlineRenderer);
+ RenderBlock* cb = containingBlock();
+
+ bool inlineEnclosedInSelfPaintingLayer = false;
+ for (RenderBoxModelObject* box = inlineRenderer; box != cb; box = box->parent()->enclosingBoxModelObject()) {
+ if (box->hasSelfPaintingLayer()) {
+ inlineEnclosedInSelfPaintingLayer = true;
+ break;
+ }
+ }
+
+ if (!inlineEnclosedInSelfPaintingLayer)
+ cb->addContinuationWithOutline(inlineRenderer);
else if (!inlineRenderer->firstLineBox())
inlineRenderer->paintOutline(paintInfo.context, tx - x() + inlineRenderer->containingBlock()->x(),
ty - y() + inlineRenderer->containingBlock()->y());
diff --git a/WebCore/rendering/RenderObject.cpp b/WebCore/rendering/RenderObject.cpp
index 1d1e7c2..2013b2e 100644
--- a/WebCore/rendering/RenderObject.cpp
+++ b/WebCore/rendering/RenderObject.cpp
@@ -562,6 +562,19 @@ RenderBox* RenderObject::enclosingBox() const
return 0;
}
+RenderBoxModelObject* RenderObject::enclosingBoxModelObject() const
+{
+ RenderObject* curr = const_cast<RenderObject*>(this);
+ while (curr) {
+ if (curr->isBoxModelObject())
+ return toRenderBoxModelObject(curr);
+ curr = curr->parent();
+ }
+
+ ASSERT_NOT_REACHED();
+ return 0;
+}
+
RenderBlock* RenderObject::firstLineBlock() const
{
return 0;
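Review bot: `enclosingBoxModelObject()` is added without a comment, and its contract is not obvious from the name. The walk starts at `this`, so it returns the object itself when it is already a box model object, and it returns 0 after `ASSERT_NOT_REACHED()` when nothing on the parent chain qualifies. Both loops added in this commit rely on the first property (they call it on `box->parent()`) and use the result without checking for 0. I would document this on the declaration in RenderObject.h, for example `// Returns this object if it is a RenderBoxModelObject, otherwise the nearest ancestor that is one. Asserts if none is found and returns 0, so callers must check.`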
diff --git a/WebCore/rendering/RenderObject.h b/WebCore/rendering/RenderObject.h
index 6764818..fe839ff 100644
--- a/WebCore/rendering/RenderObject.h
+++ b/WebCore/rendering/RenderObject.h
@@ -192,7 +192,8 @@ public:
// Convenience function for getting to the nearest enclosing box of a RenderObject.
RenderBox* enclosingBox() const;
-
+ RenderBoxModelObject* enclosingBoxModelObject() const;
+
virtual bool isEmpty() const { return firstChild() == 0; }
#ifndef NDEBUG