Skip to site navigation (Press enter)

[webkit-changes] [287194] trunk

commit-queue Fri, 17 Dec 2021 10:03:25 -0800

Title: [287194] trunk

Revision: 287194
Author: [email protected]
Date: 2021-12-17 10:02:33 -0800 (Fri, 17 Dec 2021)

Log Message

null ptr deref in WebCore::findPlaceForCounter
https://bugs.webkit.org/show_bug.cgi?id=234375


Patch by Gabriel Nava Marino <[email protected]> on 2021-12-17
Reviewed by Alan Bujtas.

Source/WebCore:

Test: fast/css/counters/findPlaceForCounter-parent-renderer-crash.html

When the current renderer's element is an HTML document and root of the tree, parentOrPseudoHostElement can return a nullptr,
so we need to check for nullptr before trying to access the renderer() of the Element pointer it returns.

* rendering/RenderCounter.cpp:
(WebCore::findPlaceForCounter):

LayoutTests:

* fast/css/counters/findPlaceForCounter-parent-renderer-crash-expected.txt: Added.
* fast/css/counters/findPlaceForCounter-parent-renderer-crash.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/rendering/RenderCounter.cpp

Added Paths

trunk/LayoutTests/fast/css/counters/findPlaceForCounter-parent-renderer-crash-expected.txt
trunk/LayoutTests/fast/css/counters/findPlaceForCounter-parent-renderer-crash.html

Diff

Modified: trunk/LayoutTests/ChangeLog (287193 => 287194)


--- trunk/LayoutTests/ChangeLog	2021-12-17 17:42:40 UTC (rev 287193)
+++ trunk/LayoutTests/ChangeLog	2021-12-17 18:02:33 UTC (rev 287194)
@@ -1,3 +1,13 @@
+2021-12-17  Gabriel Nava Marino  <[email protected]>
+
+        null ptr deref in WebCore::findPlaceForCounter
+        https://bugs.webkit.org/show_bug.cgi?id=234375
+
+        Reviewed by Alan Bujtas.
+
+        * fast/css/counters/findPlaceForCounter-parent-renderer-crash-expected.txt: Added.
+        * fast/css/counters/findPlaceForCounter-parent-renderer-crash.html: Added.
+
 2021-12-17  Philippe Normand  <[email protected]>
 
         [GStreamer][WebRTC] Huge memory leak

Added: trunk/LayoutTests/fast/css/counters/findPlaceForCounter-parent-renderer-crash-expected.txt (0 => 287194)


--- trunk/LayoutTests/fast/css/counters/findPlaceForCounter-parent-renderer-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/css/counters/findPlaceForCounter-parent-renderer-crash-expected.txt	2021-12-17 18:02:33 UTC (rev 287194)
@@ -0,0 +1 @@
+PASS if this doesn't crash

Added: trunk/LayoutTests/fast/css/counters/findPlaceForCounter-parent-renderer-crash.html (0 => 287194)


--- trunk/LayoutTests/fast/css/counters/findPlaceForCounter-parent-renderer-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/css/counters/findPlaceForCounter-parent-renderer-crash.html	2021-12-17 18:02:33 UTC (rev 287194)
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<style>
+  html {
+    counter-increment: x;
+  }
+  body {
+    counter-increment: x;
+    contain: strict;
+  }
+</style>
+<script>
+  _onload_ = () => {
+    d.style = 'counter-increment: x';
+    if (window.testRunner)
+      testRunner.dumpAsText();
+  };
+</script>
+<div id="d">PASS if this doesn't crash</div>

Modified: trunk/Source/WebCore/ChangeLog (287193 => 287194)


--- trunk/Source/WebCore/ChangeLog	2021-12-17 17:42:40 UTC (rev 287193)
+++ trunk/Source/WebCore/ChangeLog	2021-12-17 18:02:33 UTC (rev 287194)
@@ -1,3 +1,19 @@
+2021-12-17  Gabriel Nava Marino  <[email protected]>
+
+        null ptr deref in WebCore::findPlaceForCounter
+        https://bugs.webkit.org/show_bug.cgi?id=234375
+
+        Reviewed by Alan Bujtas.
+
+        Test: fast/css/counters/findPlaceForCounter-parent-renderer-crash.html
+
+        When the current renderer's element is an HTML document and root of the tree, parentOrPseudoHostElement can return a nullptr,
+        so we need to check for nullptr before trying to access the renderer() of the Element pointer it returns.
+
+
+        * rendering/RenderCounter.cpp:
+        (WebCore::findPlaceForCounter):
+
 2021-12-17  Alan Bujtas  <[email protected]>
 
         [LFC][IFC] Line spanning inline items should use InlineItem::opaqueBidiLevel

Modified: trunk/Source/WebCore/rendering/RenderCounter.cpp (287193 => 287194)


--- trunk/Source/WebCore/rendering/RenderCounter.cpp	2021-12-17 17:42:40 UTC (rev 287193)
+++ trunk/Source/WebCore/rendering/RenderCounter.cpp	2021-12-17 18:02:33 UTC (rev 287194)
@@ -312,7 +312,8 @@
                         previousSibling = currentCounter;
                         // We are no longer interested in previous siblings of the currentRenderer or their children
                         // as counters they may have attached cannot be the previous sibling of the counter we are placing.
-                        currentRenderer = parentOrPseudoHostElement(*currentRenderer)->renderer();
+                        auto* parent = parentOrPseudoHostElement(*currentRenderer);
+                        currentRenderer = parent ? parent->renderer() : nullptr;
                         continue;
                     }
                 } else

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes