From dcf6019729ecdd93568a32ef625e2e88294ea66c Mon Sep 17 00:00:00 2001
From: Milan Burda
Date: Sat, 1 Jun 2019 22:43:38 +0200
Subject: [PATCH] fix: SVG crash for v0 distribution into foreignObject.
---
 patches/common/chromium/.patches | 1 +
 ...r_v0_distribution_into_foreignobject.patch | 63 +++++++++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 patches/common/chromium/fix_svg_crash_for_v0_distribution_into_foreignobject.patch
diff --git a/patches/common/chromium/.patches b/patches/common/chromium/.patches
index 6bd488631d24e..eae72488eeeab 100644
--- a/patches/common/chromium/.patches
+++ b/patches/common/chromium/.patches
@@ -102,3 +102,4 @@ fix_re-entracy_problem_with_invalidateframesinkid.patch
 chore_expose_getcontentclient_to_embedders.patch
 tabbed_window_lagging.patch
 restore_live_region_changed_events_for_processing_by_jaws_focus_mode.patch
+fix_svg_crash_for_v0_distribution_into_foreignobject.patch
diff --git a/patches/common/chromium/fix_svg_crash_for_v0_distribution_into_foreignobject.patch b/patches/common/chromium/fix_svg_crash_for_v0_distribution_into_foreignobject.patch
new file mode 100644
index 0000000000000..beb9ad65dde41
--- /dev/null
+++ b/patches/common/chromium/fix_svg_crash_for_v0_distribution_into_foreignobject.patch
@@ -0,0 +1,63 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Rune Lillesveen
+Date: Tue, 18 Dec 2018 14:45:19 +0000
+Subject: Fix SVG crash for v0 distribution into foreignObject.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We require a parent element to be an SVG element for non-svg-root
+elements in order to create a LayoutObject for them. However, we checked
+the light tree parent element, not the flat tree one which is the parent
+for the layout tree construction. Note that this is just an issue in
+Shadow DOM v0 since v1 does not allow shadow roots on SVG elements.
+
+Bug: 915469
+Change-Id: Id81843abad08814fae747b5bc81c09666583f130
+Reviewed-on: https://chromium-review.googlesource.com/c/1382494
+Reviewed-by: Fredrik Söderquist
+Commit-Queue: Rune Lillesveen
+Cr-Commit-Position: refs/heads/master@{#617487}
+
+diff --git a/third_party/WebKit/LayoutTests/svg/foreignObject/shadow-dom-v0-crash.html b/third_party/WebKit/LayoutTests/svg/foreignObject/shadow-dom-v0-crash.html
+new file mode 100644
+index 0000000000000000000000000000000000000000..44ac3b0540b8f5a816a67b5be382b179623bd0cd
+--- /dev/null
++++ b/third_party/WebKit/LayoutTests/svg/foreignObject/shadow-dom-v0-crash.html
+@@ -0,0 +1,11 @@
++
++
++
++

PASS if no crash or DCHECK failure.

++
++
+diff --git a/third_party/blink/renderer/core/svg/svg_element.cc b/third_party/blink/renderer/core/svg/svg_element.cc
+index e9a1fd9dd0ef6975cbc3e0967e8b0e9c8362b7a1..6af7df47e3502903346c4509c6fd080ef6d071ef 100644
+--- a/third_party/blink/renderer/core/svg/svg_element.cc
++++ b/third_party/blink/renderer/core/svg/svg_element.cc
+@@ -37,6 +37,7 @@
+ #include "third_party/blink/renderer/core/dom/document.h"
+ #include "third_party/blink/renderer/core/dom/element_traversal.h"
+ #include "third_party/blink/renderer/core/dom/events/event.h"
++#include "third_party/blink/renderer/core/dom/flat_tree_traversal.h"
+ #include "third_party/blink/renderer/core/dom/node_computed_style.h"
+ #include "third_party/blink/renderer/core/dom/shadow_root.h"
+ #include "third_party/blink/renderer/core/frame/csp/content_security_policy.h"
+@@ -1047,10 +1048,8 @@ bool SVGElement::LayoutObjectIsNeeded(const ComputedStyle& style) const {
+ }
+
+ bool SVGElement::HasSVGParent() const {
+- // Should we use the flat tree parent instead? If so, we should probably fix a
+- // few other checks.
+- return ParentOrShadowHostElement() &&
+- ParentOrShadowHostElement()->IsSVGElement();
++ Element* parent = FlatTreeTraversal::ParentElement(*this);
++ return parent && parent->IsSVGElement();
+ }
+
+ MutableCSSPropertyValueSet* SVGElement::AnimatedSMILStyleProperties() const {
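Review bot: The rewritten `SVGElement::HasSVGParent()` in the embedded svg_element.cc hunk drops the old comment's warning that "a few other checks" would also need the flat-tree parent, and neither the code nor the commit message says whether those checks were audited. Any of them still reading the light-tree parent could disagree with this function about the same v0-distributed node, which is the kind of mismatch the `Bug: 915469` crash came from. I would keep the rationale in the code, for example `// Layout tree construction follows the flat tree, so test the flat-tree parent (crbug 915469).`, and list the remaining light-tree checks in the patch description. Callers of `HasSVGParent()` are outside the hunk, so it is worth confirming that none of them runs before distribution is up to date, since a flat-tree query made then may hit a precondition check or return a stale parent. The added layout test only asserts "no crash or DCHECK failure"; a check that the distributed child actually gets no LayoutObject would pin the intended behaviour.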