description: fix cve-2010-2901
author: Michael Gilbert
origin: http://trac.webkit.org/changeset/63048
Index: webkit-1.2.4/WebCore/rendering/RenderObject.cpp
===================================================================
--- webkit-1.2.4.orig/WebCore/rendering/RenderObject.cpp 2010-09-06 22:55:29.000000000 -0400
+++ webkit-1.2.4/WebCore/rendering/RenderObject.cpp 2010-09-06 22:56:03.000000000 -0400
@@ -560,6 +560,19 @@
 return 0;
 }
+RenderBoxModelObject* RenderObject::enclosingBoxModelObject() const
+{
+ RenderObject* curr = const_cast(this);
+ while (curr) {
+ if (curr->isBoxModelObject())
+ return toRenderBoxModelObject(curr);
+ curr = curr->parent();
+ }
+
+ ASSERT_NOT_REACHED();
+ return 0;
+}
+
 RenderBlock* RenderObject::firstLineBlock() const
 {
 return 0;
Index: webkit-1.2.4/WebCore/rendering/RenderObject.h
===================================================================
--- webkit-1.2.4.orig/WebCore/rendering/RenderObject.h 2010-09-06 22:55:29.000000000 -0400
+++ webkit-1.2.4/WebCore/rendering/RenderObject.h 2010-09-06 22:56:03.000000000 -0400
@@ -193,7 +193,8 @@
 // Convenience function for getting to the nearest enclosing box of a RenderObject.
 RenderBox* enclosingBox() const;
-
+ RenderBoxModelObject* enclosingBoxModelObject() const;
+
 virtual bool isEmpty() const { return firstChild() == 0; }
 #ifndef NDEBUG
Index: webkit-1.2.4/WebCore/rendering/InlineFlowBox.cpp
===================================================================
--- webkit-1.2.4.orig/WebCore/rendering/InlineFlowBox.cpp 2010-09-06 22:55:28.000000000 -0400
+++ webkit-1.2.4/WebCore/rendering/InlineFlowBox.cpp 2010-09-06 22:56:24.000000000 -0400
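Review bot: In release builds the `ASSERT_NOT_REACHED()` in enclosingBoxModelObject() compiles away, so running off the end of the parent chain yields a plain `return 0`, and neither this hunk nor the two callers added in the InlineFlowBox.cpp and RenderBlock.cpp hunks document or check that null. The declaration added in the RenderObject.h hunk is also bare while the neighbouring enclosingBox() carries a comment; I would add `// Nearest ancestor-or-self that is a RenderBoxModelObject; 0 only if the chain runs out (asserts in debug builds).` above it. Separately, `const_cast(this)` as shown on this page has no template argument and would not compile as written; presumably `<RenderObject*>` was stripped when the page was rendered, which is worth confirming against the applied patch.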
@@ -639,11 +639,24 @@
 // outlines.
 if (renderer()->style()->visibility() == VISIBLE && renderer()->hasOutline() && !isRootInlineBox()) {
 RenderInline* inlineFlow = toRenderInline(renderer());
- if ((inlineFlow->continuation() || inlineFlow->isInlineContinuation()) && !boxModelObject()->hasSelfPaintingLayer()) {
+
+ RenderBlock* cb = 0;
+ bool containingBlockPaintsContinuationOutline = inlineFlow->continuation() || inlineFlow->isInlineContinuation();
+ if (containingBlockPaintsContinuationOutline) {
+ cb = renderer()->containingBlock()->containingBlock();
+
+ for (RenderBoxModelObject* box = boxModelObject(); box != cb; box = box->parent()->enclosingBoxModelObject()) {
+ if (box->hasSelfPaintingLayer()) {
+ containingBlockPaintsContinuationOutline = false;
+ break;
+ }
+ }
+ }
+
+ if (containingBlockPaintsContinuationOutline) {
 // Add ourselves to the containing block of the entire continuation so that it can
 // paint us atomically.
- RenderBlock* block = renderer()->containingBlock()->containingBlock();
- block->addContinuationWithOutline(toRenderInline(renderer()->node()->renderer()));
+ cb->addContinuationWithOutline(toRenderInline(renderer()->node()->renderer()));
 } else if (!inlineFlow->isInlineContinuation())
 paintInfo.outlineObjects->add(inlineFlow);
 }
Index: webkit-1.2.4/WebCore/rendering/RenderBlock.cpp
===================================================================
--- webkit-1.2.4.orig/WebCore/rendering/RenderBlock.cpp 2010-09-06 22:55:28.000000000 -0400
+++ webkit-1.2.4/WebCore/rendering/RenderBlock.cpp 2010-09-06 22:56:03.000000000 -0400
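Review bot: The new `for` loop relies on `cb` being an ancestor of `boxModelObject()`: it advances with `box->parent()->enclosingBoxModelObject()` and never tests for null, so if the walk runs off the top of the render tree `parent()` is 0, that call is made through a null pointer, and `box` is then 0 when `box->hasSelfPaintingLayer()` dereferences it. The same walk appears in the RenderBlock.cpp hunk below. Whether `renderer()->containingBlock()->containingBlock()` can be 0 or lie off the chain is not visible here, so I would make the loop stop at the root and, if `cb` was never met, not hand the outline off; when the invariant holds the execution trace is unchanged. The enclosing paint method starts and ends outside the hunk.
```cpp
cb = renderer()->containingBlock()->containingBlock();

for (RenderBoxModelObject* box = boxModelObject(); box && box != cb; ) {
    if (box->hasSelfPaintingLayer()) {
        containingBlockPaintsContinuationOutline = false;
        break;
    }
    RenderObject* ancestor = box->parent();
    box = ancestor ? ancestor->enclosingBoxModelObject() : 0;
}
// cb was not on the ancestor chain (or is 0): do not hand the outline off.
if (!box)
    containingBlockPaintsContinuationOutline = false;
// … unchanged: if (containingBlockPaintsContinuationOutline) { … } else if … …
```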
@@ -1766,8 +1766,18 @@
 if ((paintPhase == PaintPhaseOutline || paintPhase == PaintPhaseChildOutlines)) {
 if (inlineContinuation() && inlineContinuation()->hasOutline() && inlineContinuation()->style()->visibility() == VISIBLE) {
 RenderInline* inlineRenderer = toRenderInline(inlineContinuation()->node()->renderer());
- if (!inlineRenderer->hasSelfPaintingLayer())
- containingBlock()->addContinuationWithOutline(inlineRenderer);
+ RenderBlock* cb = containingBlock();
+
+ bool inlineEnclosedInSelfPaintingLayer = false;
+ for (RenderBoxModelObject* box = inlineRenderer; box != cb; box = box->parent()->enclosingBoxModelObject()) {
+ if (box->hasSelfPaintingLayer()) {
+ inlineEnclosedInSelfPaintingLayer = true;
+ break;
+ }
+ }
+
+ if (!inlineEnclosedInSelfPaintingLayer)
+ cb->addContinuationWithOutline(inlineRenderer);
 else if (!inlineRenderer->firstLineBox())
 inlineRenderer->paintOutline(paintInfo.context, tx - x() + inlineRenderer->containingBlock()->x(), ty - y() + inlineRenderer->containingBlock()->y());
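Review bot: This ancestor walk is the same loop as the one in the InlineFlowBox.cpp hunk above with the boolean inverted (`inlineEnclosedInSelfPaintingLayer` versus `containingBlockPaintsContinuationOutline`), and it shares that loop's unchecked `box->parent()->enclosingBoxModelObject()` step. A small helper on RenderBoxModelObject, for instance `bool hasSelfPaintingLayerBelow(const RenderBlock* cb) const`, would let both call sites read as `if (!inlineRenderer->hasSelfPaintingLayerBelow(cb))` and give the null guard a single home. `cb = containingBlock()` is likewise used without a null check; whether containingBlock() can return 0 for this renderer is not visible in the hunk. The enclosing paint method and its if/else begin and end outside the hunk.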