RESOLVED FIXED 159605
CVE-2016-4766 Fix LogicalSelectionOffsetCaches to work with detached render tree. 
https://bugs.webkit.org/show_bug.cgi?id=159605
Summary Fix LogicalSelectionOffsetCaches to work with detached render tree.
zalan
Reported 2016-07-09 12:53:33 PDT
rdar://problem/27248845
Attachments
Patch (7.47 KB, patch)
2016-07-09 18:15 PDT, zalan 		no flags
DetailsFormatted DiffDiff
Patch (7.47 KB, patch)
2016-07-09 18:34 PDT, zalan 		bfulgham: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
zalan
Comment 1 2016-07-09 18:15:43 PDT
Created attachment 283275 [details] Patch
David Kilzer (:ddkilzer)
Comment 2 2016-07-09 18:32:57 PDT
Comment on attachment 283275 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=283275&action=review > Source/WebCore/ChangeLog:15 > + it can also handle renderes that are no longer part of the render tree. Typo: renderes => renderers
zalan
Comment 3 2016-07-09 18:34:37 PDT
Created attachment 283276 [details] Patch
Brent Fulgham
Comment 4 2016-07-09 22:35:53 PDT
Comment on attachment 283276 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=283276&action=review Thank you for fixing this! R=me > Source/WebCore/rendering/LogicalSelectionOffsetCaches.h:53 > + m_logicalLeftSelectionOffset = m_block ? m_block->logicalLeftSelectionOffset(rootBlock, position, *m_cache) : LayoutUnit(0); Don't LayoutUnits default construct to zero?
zalan
Comment 5 2016-07-10 20:59:35 PDT
Committed r203045: <http://trac.webkit.org/changeset/203045>
zalan
Comment 6 2016-07-10 21:01:25 PDT
(In reply to comment #4) > Comment on attachment 283276 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=283276&action=review > > Thank you for fixing this! R=me > > > Source/WebCore/rendering/LogicalSelectionOffsetCaches.h:53 > > + m_logicalLeftSelectionOffset = m_block ? m_block->logicalLeftSelectionOffset(rootBlock, position, *m_cache) : LayoutUnit(0); > > Don't LayoutUnits default construct to zero? I was meant to say LayoutUnit::fromPixel(0);
Note You need to log in before you can comment on or make changes to this bug.