Fix <input type=image> with CSS content

The LayoutObject creation was previously being performed via a call to LayoutObjectFactory::CreateBlockFlow() and a conditional on the style to LayoutInline(). This CL replaces all of that with a call to LayoutObject::CreateObject(), which handles creating the correct LayoutObject type, plus it also (now) handles CSS content pointing to an image. Previous attempts to do this [1][2] fixed some of these issues, but left a UAF in ImageResourceContent::RemoveObserver() [3]. To fix this, an unnecessary call to SetImageResource() in ImageInputType::OnAttachWithLayoutObject() was removed. Test coverage: Fallback content display type: external/wpt/html/rendering/replaced-elements/attributes-for-embedded-content-and-images/input-image-inline-alt.html UAF: external/wpt/html/rendering/replaced-elements/attributes-for-embedded-content-and-images/input-image-content-crash.html CSS content (new test): external/wpt/html/rendering/replaced-elements/images/input-image-content.html [1] crrev.com/779108 [2] crrev.com/780992 [3] https://bugs.chromium.org/p/chromium/issues/detail?id=1226558#c7 Fixed: 1226558 Change-Id: I64c61ebed91670b5fac665f1c4be9337f0814a9a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3064330 Commit-Queue: Ian Kilpatrick <[email protected]> Auto-Submit: Mason Freed <[email protected]> Reviewed-by: Ian Kilpatrick <[email protected]> Cr-Commit-Position: refs/heads/master@{#908495}
web-platform-tests · Aug 4, 2021 · cdd20e3 · cdd20e3
1 parent 0fd14d2
commit cdd20e3
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 3 deletions.
diff --git a/...placed-elements/attributes-for-embedded-content-and-images/input-image-content-crash.html b/...placed-elements/attributes-for-embedded-content-and-images/input-image-content-crash.html
@@ -5,11 +5,9 @@
 <style>
   .content { content: url(data:text/plain,aaa); }
 </style>
-<input id="input" type="image">
+<input id="input" type="image" class=content>
 <script>
   onload = ()=> {
-    document.body.offsetTop;
-    input.setAttribute('class', 'content');
     document.body.offsetTop;
     input.setAttribute('class', '');
     document.body.offsetTop;

diff --git a/html/rendering/replaced-elements/images/input-image-content-ref.html b/html/rendering/replaced-elements/images/input-image-content-ref.html
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>Input type=image with CSS content.</title>
+<link rel="author" href="mailto:[email protected]">
+
+You should see a red dot.<br>
+<input type="image" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==">
diff --git a/html/rendering/replaced-elements/images/input-image-content.html b/html/rendering/replaced-elements/images/input-image-content.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>Input type=image with CSS content.</title>
+<link rel="author" href="mailto:[email protected]">
+<link rel="match"  href="input-image-content-ref.html">
+
+You should see a red dot.<br>
+<style>
+  input {
+    content: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==);
+  }
+</style>
+
+<input type="image">