The Vulnerability History Project

Warning: Our website does not support Internet Explorer, please use Edge instead.

Fix crash in SVGFontFaceElement::associatedFontElement crash when removing SVGFontFaceElement.

      (1) We need to remove its font-face rule from FontCache when removing SVGFontFaceElement,

(2) We should not use old styles in RenderSVGInlineText::styleDidChange.
Since styleRecalc is done in document-order, we cannot see any styles of next renderer
(obtained by nextInPreOrder).
The old styles might have old fonts which are created by SVGFontFaceElement.

BUG=346192
TEST=fast/dom/discard-svg-font-face-crash.svg

Review URL: https://codereview.chromium.org/176853009

git-svn-id: svn://svn.chromium.org/blink/trunk@167993 bbb929c8-8fbe-4397-9dbb-9b2b20218538

by Antoinette the Moth 2014-02-27 08:37:53 UTC

commit 9f88c15fbcd76321cfeedf3f4792534cb6041c4e

Chromium Fix CVE-2014-1745

third_party/WebKit/LayoutTests/fast/dom/discard-svg-font-face-crash-expected.svg

-9

third_party/WebKit/LayoutTests/fast/dom/discard-svg-font-face-crash.svg

-15

third_party/WebKit/Source/core/rendering/svg/RenderSVGInlineText.cpp

+1 -1

third_party/WebKit/Source/core/rendering/svg/RenderSVGText.cpp

+3 -5

third_party/WebKit/Source/core/rendering/svg/RenderSVGText.h

+1 -1

third_party/WebKit/Source/core/svg/SVGFontFaceElement.cpp

-3