firefox/CVE-2021-29988.patch

From 52d20e23934d31541e8da0a0fcfc88622db6c695 Mon Sep 17 00:00:00 2001
From: Emilio Cobos Álvarez <emilio@crisal.io>
Date: Thu, 18 Jul 2024 16:23:41 +0800
Subject: [PATCH] Blockify outside markers at used value time rather than at computed value time. r=jfkthame, a=pascal
---
layout/base/nsCSSFrameConstructor.cpp | 28 ++++++++++++++++---
layout/base/nsCSSFrameConstructor.h | 5 +++-
.../components/style/values/specified/box.rs | 6 ++++
servo/ports/geckolib/glue.rs | 10 +++++++
4 files changed, 44 insertions(+), 5 deletions(-)
diff --git a/layout/base/nsCSSFrameConstructor.cpp b/layout/base/nsCSSFrameConstructor.cpp
index f9e5162c56..d18c1643cb 100644
--- a/layout/base/nsCSSFrameConstructor.cpp
+++ b/layout/base/nsCSSFrameConstructor.cpp
@@ -1613,7 +1613,8 @@ already_AddRefed<nsIContent> nsCSSFrameConstructor::CreateGeneratedContent(
void nsCSSFrameConstructor::CreateGeneratedContentItem(
nsFrameConstructorState& aState, nsContainerFrame* aParentFrame,
Element& aOriginatingElement, ComputedStyle& aStyle,
- PseudoStyleType aPseudoElement, FrameConstructionItemList& aItems) {
+ PseudoStyleType aPseudoElement, FrameConstructionItemList& aItems,
+ ItemFlags aExtraFlags) {
MOZ_ASSERT(aPseudoElement == PseudoStyleType::before ||
aPseudoElement == PseudoStyleType::after ||
aPseudoElement == PseudoStyleType::marker,
@@ -1720,9 +1721,11 @@ void nsCSSFrameConstructor::CreateGeneratedContentItem(
}
}
+ auto flags = ItemFlags{ItemFlag::IsGeneratedContent} + aExtraFlags;
+
AddFrameConstructionItemsInternal(aState, container, aParentFrame, true,
- pseudoStyle, {ItemFlag::IsGeneratedContent},
- aItems);
+ pseudoStyle, flags, aItems);
+
}
/****************************************************
@@ -5268,6 +5271,17 @@ nsCSSFrameConstructor::FindElementData(const Element& aElement,
return &sImgData;
}
+ const bool shouldBlockify = aFlags.contains(ItemFlag::IsForOutsideMarker);
+ if (shouldBlockify && !aStyle.StyleDisplay()->IsBlockOutsideStyle()) {
+ // Make a temp copy of StyleDisplay and blockify its mDisplay value.
+ auto display = *aStyle.StyleDisplay();
+ bool isRootElement = false;
+ uint16_t rawDisplayValue =
+ Servo_ComputedValues_BlockifiedDisplay(&aStyle, isRootElement);
+ display.mDisplay = StyleDisplay(rawDisplayValue);
+ return FindDisplayData(display, aElement);
+ }
+
const auto& display = *aStyle.StyleDisplay();
return FindDisplayData(display, aElement);
}
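Review bot: `isRootElement` is hard-coded to `false` with no justification, and nothing checks that the value handed back over the FFI is actually block-level before it selects the frame data; a representation mismatch between Rust `Display` and C++ `StyleDisplay` would silently recreate the style/frame disagreement this patch is fixing. Document the constant — `// ::marker pseudo-elements are never the root element.` — and make the postcondition explicit after the assignment: `MOZ_ASSERT(display.IsBlockOutsideStyle(), "blockified outside marker must be block-level");`. That assertion is only safe if `display: none`/`contents` markers are filtered out before this point, which I cannot confirm from the hunk; if they can reach here, hedge it with a check on those values instead. FindElementData starts outside the hunk.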
@@ -9522,9 +9536,15 @@ void nsCSSFrameConstructor::ProcessChildren(
!styleParentFrame->IsFieldSetFrame()) {
isOutsideMarker = computedStyle->StyleList()->mListStylePosition ==
NS_STYLE_LIST_STYLE_POSITION_OUTSIDE;
+ ItemFlags extraFlags;
+ if (isOutsideMarker) {
+ extraFlags += ItemFlag::IsForOutsideMarker;
+ }
+
CreateGeneratedContentItem(aState, aFrame, *aContent->AsElement(),
*computedStyle, PseudoStyleType::marker,
- itemsToConstruct);
+ itemsToConstruct, extraFlags);
+
}
// Probe for generated content before
CreateGeneratedContentItem(aState, aFrame, *aContent->AsElement(),
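Review bot: The new flag computation gives no hint why an outside marker needs special treatment at this point, and the blank line added before the closing `}` is stray. A one-line comment above `ItemFlags extraFlags;` would carry the intent: `// Outside markers are blockified at frame-construction (used-value) time; tell FindElementData via the item flags.` ProcessChildren starts and ends outside the hunk.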
diff --git a/layout/base/nsCSSFrameConstructor.h b/layout/base/nsCSSFrameConstructor.h
index 053674bcaf..1347eaf628 100644
--- a/layout/base/nsCSSFrameConstructor.h
+++ b/layout/base/nsCSSFrameConstructor.h
@@ -369,6 +369,8 @@ class nsCSSFrameConstructor final : public nsFrameManager {
AllowTextPathChild,
// The item is content created by an nsIAnonymousContentCreator frame.
IsAnonymousContentCreatorContent,
+ // This will be an outside ::marker.
+ IsForOutsideMarker,
};
using ItemFlags = mozilla::EnumSet<ItemFlag>;
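Review bot: The comment on `IsForOutsideMarker` says what the item is but not what the flag changes, and the effect lives in `FindElementData`, which a reader of the enum cannot see. Suggest: `// The item is an outside ::marker. Its display value is blockified when frame data is looked up (FindElementData), i.e. at used-value rather than computed-value time.`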
@@ -457,7 +459,8 @@ class nsCSSFrameConstructor final : public nsFrameManager {
nsContainerFrame* aParentFrame,
Element& aOriginatingElement, ComputedStyle&,
PseudoStyleType aPseudoElement,
- FrameConstructionItemList& aItems);
+ FrameConstructionItemList& aItems,
+ ItemFlags aExtraFlags = {});
// This method is called by ContentAppended() and ContentRangeInserted() when
// appending flowed frames to a parent's principal child list. It handles the
diff --git a/servo/components/style/values/specified/box.rs b/servo/components/style/values/specified/box.rs
index 6fc86b4867..a43b0e18ba 100644
--- a/servo/components/style/values/specified/box.rs
+++ b/servo/components/style/values/specified/box.rs
@@ -277,6 +277,12 @@ impl Display {
.unwrap()
}
+ /// Returns the raw underlying u16 value.
+ #[inline]
+ pub fn to_u16(&self) -> u16 {
+ self.0
+ }
+
/// Whether this is `display: inline` (or `inline list-item`).
#[inline]
pub fn is_inline_flow(&self) -> bool {
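Review bot: `to_u16` turns `Display`'s private bit layout into part of the C++ FFI contract, but its doc comment does not say so; someone reordering the bits later may assume only Rust depends on them. Suggest: `/// Returns the raw underlying u16 value. The C++ side rebuilds a `StyleDisplay` from this, so the layout must stay in sync with the cbindgen-generated type.` If `Display` is `Copy` (it presumably is, unverified here), taking `self` by value would match the Rust API guidelines for `to_` on `Copy` types, but keep `&self` if the neighbouring accessors use it.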
diff --git a/servo/ports/geckolib/glue.rs b/servo/ports/geckolib/glue.rs
index 9f89aa0cb8..eede9c0185 100644
--- a/servo/ports/geckolib/glue.rs
+++ b/servo/ports/geckolib/glue.rs
@@ -4017,6 +4017,16 @@ pub extern "C" fn Servo_ComputedValues_HasOverriddenAppearance(
})
}
+#[no_mangle]
+pub extern "C" fn Servo_ComputedValues_BlockifiedDisplay(
+ style: &ComputedValues,
+ is_root_element : bool,
+) -> u16 {
+ let display = style.get_box().clone_display();
+ let blockified_display = display.equivalent_block_display(is_root_element);
+ blockified_display.to_u16()
+}
+
#[no_mangle]
pub extern "C" fn Servo_StyleSet_Init(doc: &structs::Document) -> *mut RawServoStyleSet {
let data = Box::new(PerDocumentStyleData::new(doc));
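Review bot: `Servo_ComputedValues_BlockifiedDisplay` returns the display as a bare `u16` that the caller must re-wrap in `StyleDisplay`, which leaves the representation contract unchecked on both sides. If cbindgen already maps `Display` to the C++ `StyleDisplay` (not visible from this hunk), the function could return `Display` directly and the `to_u16()` accessor becomes unnecessary: `) -> Display {` followed by `display.equivalent_block_display(is_root_element)`. Independently, rustfmt would write `is_root_element: bool`, and an exported entry point should carry a doc line such as `/// Returns the blockified form of this style's `display`, used for outside ::marker frames.`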
--
2.27.0