Title: [288891] trunk
Revision
288891
Author
[email protected]
Date
2022-02-01 10:18:54 -0800 (Tue, 01 Feb 2022)

Log Message

null ptr deref in LayoutIntegrationLineLayout LineLayout::adjustForPagination and LineLayout::visualOverflowBoundingBoxRectFor
https://bugs.webkit.org/show_bug.cgi?id=235907

Patch by Gabriel Nava Marino <[email protected]> on 2022-02-01
Reviewed by Antti Koivisto.

Source/WebCore:

m_inlineContent could become nullptr (such as after calling LineLayout::clearInlineContent()),
so we add these nullptr checks to protect against a nullptr deref, in a similar way to
how it's done in the other methods.

Test: fast/layoutformattingcontext/visual-overflow-bounding-box-rect-crash.html

* layout/integration/LayoutIntegrationLineLayout.cpp:
(WebCore::LayoutIntegration::LineLayout::adjustForPagination):
(WebCore::LayoutIntegration::LineLayout::visualOverflowBoundingBoxRectFor const):

LayoutTests:

* fast/layoutformattingcontext/visual-overflow-bounding-box-rect-crash-expected.txt: Added.
* fast/layoutformattingcontext/visual-overflow-bounding-box-rect-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (288890 => 288891)


--- trunk/LayoutTests/ChangeLog	2022-02-01 17:52:56 UTC (rev 288890)
+++ trunk/LayoutTests/ChangeLog	2022-02-01 18:18:54 UTC (rev 288891)
@@ -1,3 +1,13 @@
+2022-02-01  Gabriel Nava Marino  <[email protected]>
+
+        null ptr deref in LayoutIntegrationLineLayout LineLayout::adjustForPagination and LineLayout::visualOverflowBoundingBoxRectFor
+        https://bugs.webkit.org/show_bug.cgi?id=235907
+
+        Reviewed by Antti Koivisto.
+
+        * fast/layoutformattingcontext/visual-overflow-bounding-box-rect-crash-expected.txt: Added.
+        * fast/layoutformattingcontext/visual-overflow-bounding-box-rect-crash.html: Added.
+
 2022-02-01  Antoine Quint  <[email protected]>
 
         Animation from scale(0) has missing backing store

Added: trunk/LayoutTests/fast/layoutformattingcontext/visual-overflow-bounding-box-rect-crash-expected.txt (0 => 288891)


--- trunk/LayoutTests/fast/layoutformattingcontext/visual-overflow-bounding-box-rect-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/layoutformattingcontext/visual-overflow-bounding-box-rect-crash-expected.txt	2022-02-01 18:18:54 UTC (rev 288891)
@@ -0,0 +1,2 @@
+PASS if this doesn't crash
+

Added: trunk/LayoutTests/fast/layoutformattingcontext/visual-overflow-bounding-box-rect-crash.html (0 => 288891)


--- trunk/LayoutTests/fast/layoutformattingcontext/visual-overflow-bounding-box-rect-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/layoutformattingcontext/visual-overflow-bounding-box-rect-crash.html	2022-02-01 18:18:54 UTC (rev 288891)
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<style>
+  :only-child {
+    -webkit-line-clamp: 1;
+  }
+</style>
+<script>
+  internals.settings.setLayerBasedSVGEngineEnabled(true);
+
+  _onload_ = () => {
+    let tr0 = document.createElement('tr');
+    document.body.append(tr0);
+    let div0 = document.createElement('div');
+    tr0.append(div0);
+    let span0 = document.createElement('span');
+    span0.style.appearance = 'button';
+    span0.style.shapeOutside = 'circle()';
+    div0.append(span0);
+    span0.append(document.createElement('span'));
+    document.body.offsetTop;
+    tr0.append(document.createElement('div'));
+    if (window.testRunner)
+      testRunner.dumpAsText();
+  };
+</script>
+PASS if this doesn't crash
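Review bot: `internals.settings.setLayerBasedSVGEngineEnabled(true)` at the top of the script is unguarded while `testRunner.dumpAsText()` further down is wrapped in `if (window.testRunner)`; loaded outside the harness the file throws a ReferenceError before the load handler is even installed, so guard it the same way (`if (window.internals)`) or drop the call if the layer-based SVG engine is not required to reproduce this crash (the DOM built here contains no SVG). The handler is also assigned to `_onload_` as the hunk reads; if that is not an artifact of how the diff was rendered, it sets an unrelated global and the body never runs, so the test would pass vacuously. A one-line comment on why `document.body.offsetTop` sits between the two appends (forcing a layout before the second `tr0.append(...)`) would help anyone reducing this test later.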

Modified: trunk/Source/WebCore/ChangeLog (288890 => 288891)


--- trunk/Source/WebCore/ChangeLog	2022-02-01 17:52:56 UTC (rev 288890)
+++ trunk/Source/WebCore/ChangeLog	2022-02-01 18:18:54 UTC (rev 288891)
@@ -1,3 +1,20 @@
+2022-02-01  Gabriel Nava Marino  <[email protected]>
+
+        null ptr deref in LayoutIntegrationLineLayout LineLayout::adjustForPagination and LineLayout::visualOverflowBoundingBoxRectFor
+        https://bugs.webkit.org/show_bug.cgi?id=235907
+
+        Reviewed by Antti Koivisto.
+
+        m_inlineContent could become nullptr (such as after calling LineLayout::clearInlineContent())
+        so we add these nullptr checks to protect against an nullptr deref, in a similar way to
+        how it's done in the other methods.
+
+        Test: fast/layoutformattingcontext/visual-overflow-bounding-box-rect-crash.html
+
+        * layout/integration/LayoutIntegrationLineLayout.cpp:
+        (WebCore::LayoutIntegration::LineLayout::adjustForPagination):
+        (WebCore::LayoutIntegration::LineLayout::visualOverflowBoundingBoxRectFor const):
+
 2022-02-01  Philippe Normand  <[email protected]>
 
         [GStreamer] Update flags in internal GStreamer source and sink elements

Modified: trunk/Source/WebCore/layout/integration/LayoutIntegrationLineLayout.cpp (288890 => 288891)


--- trunk/Source/WebCore/layout/integration/LayoutIntegrationLineLayout.cpp	2022-02-01 17:52:56 UTC (rev 288890)
+++ trunk/Source/WebCore/layout/integration/LayoutIntegrationLineLayout.cpp	2022-02-01 18:18:54 UTC (rev 288891)
@@ -403,6 +403,9 @@
 
 void LineLayout::adjustForPagination()
 {
+    if (!m_inlineContent)
+        return;
+
     auto paginedInlineContent = adjustLinePositionsForPagination(*m_inlineContent, flow());
     if (paginedInlineContent.ptr() == m_inlineContent) {
         m_isPaginatedContent = false;
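Review bot: the new early return leaves `m_isPaginatedContent` untouched; the visible code only resets it to false on the `paginedInlineContent.ptr() == m_inlineContent` path, so a flag set by an earlier layout stays stale after the inline content is cleared until the next pagination pass succeeds. Either add `m_isPaginatedContent = false;` before the `return;`, or add a comment stating that clearInlineContent() already resets it.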
@@ -518,6 +521,9 @@
 
 LayoutRect LineLayout::visualOverflowBoundingBoxRectFor(const RenderInline& renderInline) const
 {
+    if (!m_inlineContent)
+        return { };
+
     auto& layoutBox = m_boxTree.layoutBoxForRenderer(renderInline);
 
     LayoutRect result;
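Review bot: `return { };` reports a zero rect for a renderer whose line layout has been torn down, which callers cannot tell apart from genuinely empty overflow; a short comment above the check saying when m_inlineContent is null here (the commit message names clearInlineContent()) would keep the empty rect from being read as a real layout result, and is worth adding since the same convention is being copied from the other methods. Placing the check before `m_boxTree.layoutBoxForRenderer(renderInline)` is the right order, as that lookup should not run for content that no longer exists.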
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes