From f8e83e7e6dacb7fe00ccb52f62af634bc05dbdfc Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Sat, 1 Dec 2018 12:05:45 +0100 Subject: Limit the CSS string length for resolved variables to sane values. This resolves #891 --- layout/style/nsCSSParser.cpp | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'layout') diff --git a/layout/style/nsCSSParser.cpp b/layout/style/nsCSSParser.cpp index b361cf0c2..33e5fe56d 100644 --- a/layout/style/nsCSSParser.cpp +++ b/layout/style/nsCSSParser.cpp @@ -1549,6 +1549,9 @@ protected: // All data from successfully parsed properties are placed into |mData|. nsCSSExpandedDataBlock mData; + + // Value to make sure our resolved variable results stay within sane limits. + const int32_t MAX_CSS_VAR_LENGTH = 10240; public: // Used from nsCSSParser constructors and destructors @@ -2802,6 +2805,12 @@ CSSParserImpl::ResolveValueWithVariableReferencesRec( // Invalid variable with no fallback. return false; } + // Make sure we are still using sane sizes for value and + // variableValue, and abort if OOB. + if (value.Length() > MAX_CSS_VAR_LENGTH || + variableValue.Length() > MAX_CSS_VAR_LENGTH) { + return false; + } // Valid variable with no fallback. AppendTokens(value, valueFirstToken, valueLastToken, varFirstToken, varLastToken, variableValue); -- cgit v1.2.3 From 96258a022a7daee9606249beda61b1dc5d0eed2c Mon Sep 17 00:00:00 2001 From: trav90 Date: Sun, 9 Dec 2018 09:45:24 -0600 Subject: Only disallow lazy frame construction for direct children of display: contents elements --- layout/base/nsCSSFrameConstructor.cpp | 16 ++++++++++------ .../display-contents-dyn-insert-text-ref.html | 7 +++++++ .../css-display/display-contents-dyn-insert-text.html | 16 ++++++++++++++++ layout/reftests/css-display/reftest.list | 1 + 4 files changed, 34 insertions(+), 6 deletions(-) create mode 100644 layout/reftests/css-display/display-contents-dyn-insert-text-ref.html create mode 100644 layout/reftests/css-display/display-contents-dyn-insert-text.html (limited to 'layout') diff --git a/layout/base/nsCSSFrameConstructor.cpp b/layout/base/nsCSSFrameConstructor.cpp index c63374541..07a5b80e7 100644 --- a/layout/base/nsCSSFrameConstructor.cpp +++ b/layout/base/nsCSSFrameConstructor.cpp @@ -7021,8 +7021,11 @@ nsCSSFrameConstructor::MaybeConstructLazily(Operation aOperation, nsIContent* aContainer, nsIContent* aChild) { + // XXXmats no lazy frames for display:contents direct descendants yet + // (Mozilla bug 979782). if (mPresShell->GetPresContext()->IsChrome() || !aContainer || - aContainer->IsInNativeAnonymousSubtree() || aContainer->IsXULElement()) { + aContainer->IsInNativeAnonymousSubtree() || aContainer->IsXULElement() || + GetDisplayContentsStyleFor(aContainer)) { return false; } @@ -7056,6 +7059,10 @@ nsCSSFrameConstructor::MaybeConstructLazily(Operation aOperation, // ignore anonymous children (eg framesets) make this complicated. So we set // these two booleans if we encounter these situations and unset them if we // hit a node with a leaf frame. + // + // Also, it's fine if one of the nodes without primary frame is a display: + // contents node except if it's the direct ancestor of the children we're + // recreating frames for. bool noPrimaryFrame = false; bool needsFrameBitSet = false; #endif @@ -7065,17 +7072,14 @@ nsCSSFrameConstructor::MaybeConstructLazily(Operation aOperation, if (content->GetPrimaryFrame() && content->GetPrimaryFrame()->IsLeaf()) { noPrimaryFrame = needsFrameBitSet = false; } - if (!noPrimaryFrame && !content->GetPrimaryFrame()) { + if (!noPrimaryFrame && !content->GetPrimaryFrame() && + !GetDisplayContentsStyleFor(content)) { noPrimaryFrame = true; } if (!needsFrameBitSet && content->HasFlag(NODE_NEEDS_FRAME)) { needsFrameBitSet = true; } #endif - // XXXmats no lazy frames for display:contents descendants yet (bug 979782). - if (GetDisplayContentsStyleFor(content)) { - return false; - } content->SetFlags(NODE_DESCENDANTS_NEED_FRAMES); content = content->GetFlattenedTreeParent(); } diff --git a/layout/reftests/css-display/display-contents-dyn-insert-text-ref.html b/layout/reftests/css-display/display-contents-dyn-insert-text-ref.html new file mode 100644 index 000000000..a212e025e --- /dev/null +++ b/layout/reftests/css-display/display-contents-dyn-insert-text-ref.html @@ -0,0 +1,7 @@ + + + +CSS Test reference - Bug 1338678 +
+
PASS
+
diff --git a/layout/reftests/css-display/display-contents-dyn-insert-text.html b/layout/reftests/css-display/display-contents-dyn-insert-text.html new file mode 100644 index 000000000..f3b0c0c95 --- /dev/null +++ b/layout/reftests/css-display/display-contents-dyn-insert-text.html @@ -0,0 +1,16 @@ + + + + +Bug 1338678 - display:contents makes textContent disappear +
+
+
+ diff --git a/layout/reftests/css-display/reftest.list b/layout/reftests/css-display/reftest.list index d310422bb..00f46a80b 100644 --- a/layout/reftests/css-display/reftest.list +++ b/layout/reftests/css-display/reftest.list @@ -24,5 +24,6 @@ skip pref(layout.css.display-contents.enabled,true) == display-contents-xbl-4.xu asserts(0-1) fuzzy-if(Android,8,3216) pref(layout.css.display-contents.enabled,true) == display-contents-fieldset.html display-contents-fieldset-ref.html # bug 1089223 asserts(1) pref(layout.css.display-contents.enabled,true) == display-contents-xbl-5.xul display-contents-xbl-3-ref.xul # bug 1089223 pref(layout.css.display-contents.enabled,true) == display-contents-list-item-child.html display-contents-list-item-child-ref.html +pref(layout.css.display-contents.enabled,true) == display-contents-dyn-insert-text.html display-contents-dyn-insert-text-ref.html pref(layout.css.display-contents.enabled,true) == display-contents-writing-mode-1.html display-contents-writing-mode-1-ref.html pref(layout.css.display-contents.enabled,true) == display-contents-writing-mode-2.html display-contents-writing-mode-2-ref.html -- cgit v1.2.3