The Vulnerability History Project

Fix the use of stale text fragments

      https://bugs.webkit.org/show_bug.cgi?id=80729

Patch by Philip Rogers <pdr@google.com> on 2012-03-13
Reviewed by Nikolas Zimmermann.

Source/WebCore: 

Previously, we were allowing SVGTextFragments to get out of sync with the
actual text in RenderSVGInlineTextBox. This patch reuses the dirty line
box code in RenderText::setTextWithOffset to force
clearTextFragments() when setTextWithOffset is called, preventing the use
of stale SVGTextFragments.

Test: svg/custom/delete-text-crash.html

* rendering/InlineBox.h:
(InlineBox):
* rendering/svg/SVGInlineTextBox.cpp:
(WebCore::SVGInlineTextBox::dirtyLineBoxes):
(WebCore):
* rendering/svg/SVGInlineTextBox.h:
(SVGInlineTextBox):

LayoutTests: 

* svg/custom/delete-text-crash-expected.png: Added.
* svg/custom/delete-text-crash-expected.txt: Added.
* svg/custom/delete-text-crash.html: Added.


git-svn-id: svn://svn.chromium.org/blink/trunk@110593 bbb929c8-8fbe-4397-9dbb-9b2b20218538
    
commit 945781c049e396709046aa16636a523b67b153f6