Title: [202177] trunk/Source/WebCore
Revision
202177
Author
[email protected]
Date
2016-06-17 13:21:17 -0700 (Fri, 17 Jun 2016)

Log Message

Potential null dereferencing on a detached positioned renderer.
https://bugs.webkit.org/show_bug.cgi?id=158879

Reviewed by Simon Fraser.

This patch fixes the case when the while loop to search for the absolute positioned ancestor
returns null (this happens when the positioned renderer has been detached from the render tree).

Speculative fix.

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::markFixedPositionObjectForLayoutIfNeeded):
* rendering/RenderBlock.h:

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (202176 => 202177)


--- trunk/Source/WebCore/ChangeLog	2016-06-17 20:18:54 UTC (rev 202176)
+++ trunk/Source/WebCore/ChangeLog	2016-06-17 20:21:17 UTC (rev 202177)
@@ -1,3 +1,19 @@
+2016-06-17  Zalan Bujtas  <[email protected]>
+
+        Potential null dereferencing on a detached positioned renderer.
+        https://bugs.webkit.org/show_bug.cgi?id=158879
+
+        Reviewed by Simon Fraser.
+
+        This patch fixes the case when the while loop to search for the absolute positioned ancestor
+        returns null (it happens when positioned renderer has been detached from the render tree).
+
+        Speculative fix.
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::markFixedPositionObjectForLayoutIfNeeded):
+        * rendering/RenderBlock.h:
+
 2016-06-17  Chris Dumez  <[email protected]>
 
         URL hash setter does not remove fragment identifier if argument is an empty string

Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (202176 => 202177)


--- trunk/Source/WebCore/rendering/RenderBlock.cpp	2016-06-17 20:18:54 UTC (rev 202176)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp	2016-06-17 20:21:17 UTC (rev 202177)
@@ -1392,34 +1392,33 @@
     return true;
 }
 
-void RenderBlock::markFixedPositionObjectForLayoutIfNeeded(RenderObject& child)
+void RenderBlock::markFixedPositionObjectForLayoutIfNeeded(RenderBox& positionedChild)
 {
-    if (child.style().position() != FixedPosition)
+    if (positionedChild.style().position() != FixedPosition)
         return;
 
-    bool hasStaticBlockPosition = child.style().hasStaticBlockPosition(isHorizontalWritingMode());
-    bool hasStaticInlinePosition = child.style().hasStaticInlinePosition(isHorizontalWritingMode());
+    bool hasStaticBlockPosition = positionedChild.style().hasStaticBlockPosition(isHorizontalWritingMode());
+    bool hasStaticInlinePosition = positionedChild.style().hasStaticInlinePosition(isHorizontalWritingMode());
     if (!hasStaticBlockPosition && !hasStaticInlinePosition)
         return;
 
-    auto o = child.parent();
-    while (o && !is<RenderView>(*o) && o->style().position() != AbsolutePosition)
-        o = o->parent();
-    if (o->style().position() != AbsolutePosition)
+    auto* parent = positionedChild.parent();
+    while (parent && !is<RenderView>(*parent) && parent->style().position() != AbsolutePosition)
+        parent = parent->parent();
+    if (!parent || parent->style().position() != AbsolutePosition)
         return;
 
-    auto& box = downcast<RenderBox>(child);
     if (hasStaticInlinePosition) {
         LogicalExtentComputedValues computedValues;
-        box.computeLogicalWidthInRegion(computedValues);
+        positionedChild.computeLogicalWidthInRegion(computedValues);
         LayoutUnit newLeft = computedValues.m_position;
-        if (newLeft != box.logicalLeft())
-            box.setChildNeedsLayout(MarkOnlyThis);
+        if (newLeft != positionedChild.logicalLeft())
+            positionedChild.setChildNeedsLayout(MarkOnlyThis);
     } else if (hasStaticBlockPosition) {
-        LayoutUnit oldTop = box.logicalTop();
-        box.updateLogicalHeight();
-        if (box.logicalTop() != oldTop)
-            box.setChildNeedsLayout(MarkOnlyThis);
+        LayoutUnit oldTop = positionedChild.logicalTop();
+        positionedChild.updateLogicalHeight();
+        if (positionedChild.logicalTop() != oldTop)
+            positionedChild.setChildNeedsLayout(MarkOnlyThis);
     }
 }
 
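Review bot: The new guard `if (!parent || parent->style().position() != AbsolutePosition)` should carry a comment saying why the walk can end in null, because that reason lives only in the ChangeLog: `// A renderer detached from the tree has no RenderView ancestor, so the walk can end in nullptr.` The guard only covers the case where the whole ancestor chain is gone; if a detached subtree still contains an absolutely positioned ancestor, the loop stops there and `computeLogicalWidthInRegion()` / `updateLogicalHeight()` still run on a renderer that is not in the tree, and whether that is safe cannot be judged from this hunk. The ChangeLog calls this a speculative fix and the patch adds no regression test, so a layout test reproducing the detached-renderer case would help confirm it. Narrowing the parameter to `RenderBox&` moves the former `downcast<RenderBox>` to the callers, which are outside this hunk.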

Modified: trunk/Source/WebCore/rendering/RenderBlock.h (202176 => 202177)


--- trunk/Source/WebCore/rendering/RenderBlock.h	2016-06-17 20:18:54 UTC (rev 202176)
+++ trunk/Source/WebCore/rendering/RenderBlock.h	2016-06-17 20:21:17 UTC (rev 202177)
@@ -314,7 +314,7 @@
     void layoutPositionedObjects(bool relayoutChildren, bool fixedPositionObjectsOnly = false);
     virtual void layoutPositionedObject(RenderBox&, bool relayoutChildren, bool fixedPositionObjectsOnly);
     
-    void markFixedPositionObjectForLayoutIfNeeded(RenderObject& child);
+    void markFixedPositionObjectForLayoutIfNeeded(RenderBox& child);
 
     LayoutUnit marginIntrinsicLogicalWidthForChild(RenderBox&) const;
 