Title: [255113] trunk/Source/WebCore
Revision: 255113
Author: [email protected]
Date: 2020-01-24 17:37:20 -0800 (Fri, 24 Jan 2020)
Log Message
Null Ptr Deref READ @ WebCore::RenderMultiColumnFlow::lastMultiColumnSet const
https://bugs.webkit.org/show_bug.cgi?id=206106
Patch by Jack Lee <[email protected]> on 2020-01-24
Reviewed by Ryosuke Niwa.
Could not write a reproducible fast test case for this.
* rendering/RenderMultiColumnFlow.cpp:
(WebCore::RenderMultiColumnFlow::lastMultiColumnSet const):
* rendering/updating/RenderTreeBuilderMultiColumn.cpp:
(WebCore::RenderTreeBuilder::MultiColumn::processPossibleSpannerDescendant):
Modified Paths
- trunk/Source/WebCore/ChangeLog
- trunk/Source/WebCore/rendering/RenderMultiColumnFlow.cpp
- trunk/Source/WebCore/rendering/updating/RenderTreeBuilderMultiColumn.cpp
Diff
Modified: trunk/Source/WebCore/ChangeLog (255112 => 255113)
--- trunk/Source/WebCore/ChangeLog 2020-01-25 01:35:58 UTC (rev 255112)
+++ trunk/Source/WebCore/ChangeLog 2020-01-25 01:37:20 UTC (rev 255113)
@@ -1,3 +1,17 @@
+2020-01-24 Jack Lee <[email protected]>
+
+ Null Ptr Deref READ @ WebCore::RenderMultiColumnFlow::lastMultiColumnSet const
+ https://bugs.webkit.org/show_bug.cgi?id=206106
+
+ Reviewed by Ryosuke Niwa.
+
+ Could not write a reproducible fast test case for this.
+
+ * rendering/RenderMultiColumnFlow.cpp:
+ (WebCore::RenderMultiColumnFlow::lastMultiColumnSet const):
+ * rendering/updating/RenderTreeBuilderMultiColumn.cpp:
+ (WebCore::RenderTreeBuilder::MultiColumn::processPossibleSpannerDescendant):
+
2020-01-24 Wenson Hsieh <[email protected]>
[iOS] Long pressing text inside a selection should update the selection
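Review bot: the ChangeLog entry records that no reproducible test could be written but says nothing about why multiColumnBlockFlow() or multicolContainer can be null at the two call sites being touched, or whether that state is expected during tree building or a symptom of an earlier error; a sentence on the root cause, and on why a null guard rather than an upstream fix is the right response, belongs here, since the diff itself only shows the guards and the next person hitting this crash will have nothing else to go on.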
Modified: trunk/Source/WebCore/rendering/RenderMultiColumnFlow.cpp (255112 => 255113)
--- trunk/Source/WebCore/rendering/RenderMultiColumnFlow.cpp 2020-01-25 01:35:58 UTC (rev 255112)
+++ trunk/Source/WebCore/rendering/RenderMultiColumnFlow.cpp 2020-01-25 01:37:20 UTC (rev 255113)
@@ -74,6 +74,8 @@
RenderMultiColumnSet* RenderMultiColumnFlow::lastMultiColumnSet() const
{
+ ASSERT(multiColumnBlockFlow());
+
for (RenderObject* sibling = multiColumnBlockFlow()->lastChild(); sibling; sibling = sibling->previousSibling()) {
if (is<RenderMultiColumnSet>(*sibling))
return downcast<RenderMultiColumnSet>(sibling);
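Review bot: the ASSERT(multiColumnBlockFlow()) added at the top of lastMultiColumnSet() does not by itself address the null dereference named in the title; ASSERT compiles out of release builds, so a null multiColumnBlockFlow() still faults on the `multiColumnBlockFlow()->lastChild()` call in the loop header immediately below it. That is acceptable if the intent is only to codify the invariant and leave the real guard to the caller-side check in RenderTreeBuilderMultiColumn.cpp, but then the ChangeLog should say so; otherwise consider a release-safe early return here as well (e.g. `if (!multiColumnBlockFlow()) return nullptr;`), given the function already returns a nullable RenderMultiColumnSet*.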
Modified: trunk/Source/WebCore/rendering/updating/RenderTreeBuilderMultiColumn.cpp (255112 => 255113)
--- trunk/Source/WebCore/rendering/updating/RenderTreeBuilderMultiColumn.cpp 2020-01-25 01:35:58 UTC (rev 255112)
+++ trunk/Source/WebCore/rendering/updating/RenderTreeBuilderMultiColumn.cpp 2020-01-25 01:37:20 UTC (rev 255113)
@@ -282,6 +282,9 @@
RenderObject* insertBeforeMulticolChild = nullptr;
RenderObject* nextDescendant = &descendant;
+ if (!multicolContainer)
+ return nullptr;
+
if (isValidColumnSpanner(flow, descendant)) {
// This is a spanner (column-span:all). Such renderers are moved from where they would
// otherwise occur in the render tree to becoming a direct child of the multicol container,
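Review bot: the new `if (!multicolContainer) return nullptr;` bails out silently with no comment explaining how processPossibleSpannerDescendant can be reached with a null container, and the ChangeLog gives no root cause either; add a one-line comment stating the condition (or, if this is not supposed to happen, pair the return with an ASSERT_NOT_REACHED()) so the next reader does not mistake it for dead code. Two smaller points: the check sits below the `insertBeforeMulticolChild` and `nextDescendant` initialisations and would read more cleanly placed above them, since neither is used on the bail-out path; and the caller's handling of a nullptr return is not visible in this hunk, so that should be confirmed before landing.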
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes