Title: [287771] trunk/Source/WebCore
- Revision
- 287771
- Author
- [email protected]
- Date
- 2022-01-07 11:34:59 -0800 (Fri, 07 Jan 2022)
Log Message
nullptr deref in ComputeFloatOffsetForLineLayoutAdapter<FloatingObject::FloatLeft>::updateOffsetIfNeeded
https://bugs.webkit.org/show_bug.cgi?id=234018
Patch by Gabriel Nava Marino <[email protected]> on 2022-01-07
Reviewed by Darin Adler.
In RenderBlockFlow::subtreeContainsFloat and RenderBlockFlow::subtreeContainsFloats we now
use a non-recursive iterator and return true when we find something, or otherwise return false at the
end of the function.
* rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::subtreeContainsFloat const):
(WebCore::RenderBlockFlow::subtreeContainsFloats const):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (287770 => 287771)
--- trunk/Source/WebCore/ChangeLog 2022-01-07 19:24:05 UTC (rev 287770)
+++ trunk/Source/WebCore/ChangeLog 2022-01-07 19:34:59 UTC (rev 287771)
@@ -1,3 +1,18 @@
+2022-01-07 Gabriel Nava Marino <[email protected]>
+
+ nullptr deref in ComputeFloatOffsetForLineLayoutAdapter<FloatingObject::FloatLeft>::updateOffsetIfNeeded
+ https://bugs.webkit.org/show_bug.cgi?id=234018
+
+ Reviewed by Darin Adler.
+
+ In RenderBlockFlow::subtreeContainsFloat and RenderBlockFlow::subtreeContainsFloats we now will
+ use a non-recursive iterator and return true when we find something, or then return false at the
+ end of the function.
+
+ * rendering/RenderBlockFlow.cpp:
+ (WebCore::RenderBlockFlow::subtreeContainsFloat const):
+ (WebCore::RenderBlockFlow::subtreeContainsFloats const):
+
2022-01-07 Alex Christensen <[email protected]>
Unreviewed, reverting r287698.
Modified: trunk/Source/WebCore/rendering/RenderBlockFlow.cpp (287770 => 287771)
--- trunk/Source/WebCore/rendering/RenderBlockFlow.cpp 2022-01-07 19:24:05 UTC (rev 287770)
+++ trunk/Source/WebCore/rendering/RenderBlockFlow.cpp 2022-01-07 19:34:59 UTC (rev 287771)
@@ -1951,26 +1951,34 @@
bool RenderBlockFlow::subtreeContainsFloat(RenderBox& renderer) const
{
- bool contains = m_floatingObjects && m_floatingObjects->set().contains<FloatingObjectHashTranslator>(renderer);
- for (auto& block : childrenOfType<RenderBlock>(*this)) {
+ if (containsFloat(renderer))
+ return true;
+
+ for (auto& block : descendantsOfType<RenderBlock>(const_cast<RenderBlockFlow&>(*this))) {
if (!is<RenderBlockFlow>(block))
continue;
auto& blockFlow = downcast<RenderBlockFlow>(block);
- contains |= blockFlow.subtreeContainsFloat(renderer);
+ if (blockFlow.containsFloat(renderer))
+ return true;
}
- return contains;
+
+ return false;
}
bool RenderBlockFlow::subtreeContainsFloats() const
{
- bool contains = m_floatingObjects && !m_floatingObjects->set().isEmpty();
- for (auto& block : childrenOfType<RenderBlock>(*this)) {
+ if (containsFloats())
+ return true;
+
+ for (auto& block : descendantsOfType<RenderBlock>(const_cast<RenderBlockFlow&>(*this))) {
if (!is<RenderBlockFlow>(block))
continue;
auto& blockFlow = downcast<RenderBlockFlow>(block);
- contains |= blockFlow.subtreeContainsFloats();
+ if (blockFlow.containsFloats())
+ return true;
}
- return contains;
+
+ return false;
}
void RenderBlockFlow::styleDidChange(StyleDifference diff, const RenderStyle* oldStyle)
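Review bot: The `descendantsOfType<RenderBlock>` loops in subtreeContainsFloat and subtreeContainsFloats visit more renderers than the recursion they replace, and neither the code nor the log message says so. The old code only descended through direct `RenderBlock` children that were `RenderBlockFlow`; the new loops also reach block flows nested under any other renderer type, which is presumably what closes the null dereference but reads as a plain recursion-to-iteration refactor. I would add a comment above each loop such as `// Visit every RenderBlockFlow descendant, including ones nested under non-RenderBlockFlow renderers; the old child-only recursion skipped those.` The `const_cast<RenderBlockFlow&>(*this)` in both const member functions should either be replaced by a const traversal, if the iterator offers one (not visible here), or carry a one-line comment stating that the walk is read-only. No regression test for bug 234018 appears among the paths modified on this page, so the crash case looks unguarded against a later change to this traversal.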