From cdd20e3a6c7ea615f820cc28aa7c7029042c5f7a Mon Sep 17 00:00:00 2001
From: Mason Freed <masonf@chromium.org>
Date: Wed, 4 Aug 2021 10:09:57 -0700
Subject: [PATCH] Fix <input type=image> with CSS content

The LayoutObject creation was previously being performed via a call
to LayoutObjectFactory::CreateBlockFlow() and a conditional on the
style to LayoutInline(). This CL replaces all of that with a call to
LayoutObject::CreateObject(), which handles creating the correct
LayoutObject type, plus it also (now) handles CSS content pointing
to an image. Previous attempts to do this [1][2] fixed some of these
issues, but left a UAF in ImageResourceContent::RemoveObserver() [3].
To fix this, an unnecessary call to SetImageResource() in
ImageInputType::OnAttachWithLayoutObject() was removed.

Test coverage:
 Fallback content display type: external/wpt/html/rendering/replaced-elements/attributes-for-embedded-content-and-images/input-image-inline-alt.html
 UAF: external/wpt/html/rendering/replaced-elements/attributes-for-embedded-content-and-images/input-image-content-crash.html
 CSS content (new test): external/wpt/html/rendering/replaced-elements/images/input-image-content.html

[1] crrev.com/779108
[2] crrev.com/780992
[3] https://bugs.chromium.org/p/chromium/issues/detail?id=1226558#c7

Fixed: 1226558
Change-Id: I64c61ebed91670b5fac665f1c4be9337f0814a9a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3064330
Commit-Queue: Ian Kilpatrick <ikilpatrick@chromium.org>
Auto-Submit: Mason Freed <masonf@chromium.org>
Reviewed-by: Ian Kilpatrick <ikilpatrick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#908495}
---
 .../input-image-content-crash.html                 |  4 +---
 .../images/input-image-content-ref.html            |  7 +++++++
 .../images/input-image-content.html                | 14 ++++++++++++++
 3 files changed, 22 insertions(+), 3 deletions(-)
 create mode 100644 html/rendering/replaced-elements/images/input-image-content-ref.html
 create mode 100644 html/rendering/replaced-elements/images/input-image-content.html

diff --git a/html/rendering/replaced-elements/attributes-for-embedded-content-and-images/input-image-content-crash.html b/html/rendering/replaced-elements/attributes-for-embedded-content-and-images/input-image-content-crash.html
index afeba98912d970..84ef2ab1539e15 100644
--- a/html/rendering/replaced-elements/attributes-for-embedded-content-and-images/input-image-content-crash.html
+++ b/html/rendering/replaced-elements/attributes-for-embedded-content-and-images/input-image-content-crash.html
@@ -5,11 +5,9 @@
 <style>
   .content { content: url(data:text/plain,aaa); }
 </style>
-<input id="input" type="image">
+<input id="input" type="image" class=content>
 <script>
   onload = ()=> {
-    document.body.offsetTop;
-    input.setAttribute('class', 'content');
     document.body.offsetTop;
     input.setAttribute('class', '');
     document.body.offsetTop;
diff --git a/html/rendering/replaced-elements/images/input-image-content-ref.html b/html/rendering/replaced-elements/images/input-image-content-ref.html
new file mode 100644
index 00000000000000..37af13329e83d8
--- /dev/null
+++ b/html/rendering/replaced-elements/images/input-image-content-ref.html
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>Input type=image with CSS content.</title>
+<link rel="author" href="mailto:masonf@chromium.org">
+
+You should see a red dot.<br>
+<input type="image" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==">
diff --git a/html/rendering/replaced-elements/images/input-image-content.html b/html/rendering/replaced-elements/images/input-image-content.html
new file mode 100644
index 00000000000000..5376e8033ffe30
--- /dev/null
+++ b/html/rendering/replaced-elements/images/input-image-content.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>Input type=image with CSS content.</title>
+<link rel="author" href="mailto:masonf@chromium.org">
+<link rel="match"  href="input-image-content-ref.html">
+
+You should see a red dot.<br>
+<style>
+  input {
+    content: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==);
+  }
+</style>
+
+<input type="image">