angler-fishThe Vulnerability History Project

Prevent RenderMarquee from causing a relayout.

      In some circumstances, RenderMarquee can cause a relayout which ends up
deleting the calling RenderMarquee. The underlying problem is that layout
shouldn't be triggered like this through the Render tree.

This CL solves the problem by changing RenderMarquee's timer callback to
HTMLMarqueeElement::timerFired, where we can trigger layout before calling
into the RenderMarquee so that there is no layout to be done in the Render
tree.

This is a cleaner alternative to the fix in
https://codereview.chromium.org/91743003/.

BUG=322891

Review URL: https://codereview.chromium.org/128503002

git-svn-id: svn://svn.chromium.org/blink/trunk@164784 bbb929c8-8fbe-4397-9dbb-9b2b20218538
by Roberto the Vervet Monkey 2014-01-09 16:01:46 UTC
commit f93f09e95fad7fb4bdb54035159183104183ac6c
Chromium Fix CVE-2013-6658
third_party/WebKit/Source/core/html/HTMLMarqueeElement.cpp
-12
third_party/WebKit/Source/core/html/HTMLMarqueeElement.h
-2
third_party/WebKit/Source/core/rendering/RenderMarquee.cpp
+3 -3
third_party/WebKit/Source/core/rendering/RenderMarquee.h
+4 -5
expand_less