Bug 218504

Summary: Crash in RenderBox::overrideContainingBlockContentHeight()
Product: WebKit Reporter: Ian Gilbert <iang>
Component: Layout and Rendering Assignee: Sergio Villar Senin <svillar>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, cgarcia, ews-feeder, koivisto, product-security, rniwa, rwlbuis, simon.fraser, svillar, webkit-bug-importer, zalan
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments (Description: Flags):
Crashing input: none
Patch: zalan: review+
Test case: none

Description Ian Gilbert 2020-11-03 04:05:50 PST
Crash found by fuzzing. Reproduces on WebKit revision 268052.

Stack Trace
=========

frame #0: /WebCore.framework/Versions/A/WebCore`WTF::KeyValuePair<WebCore::RenderBox const*, WTF::Optional<WebCore::LayoutUnit> >* WTF::HashTable<WebCore::RenderBox const*, WTF::KeyValuePair<WebCore::RenderBox const*, WTF::Optional<WebCore::LayoutUnit> >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WebCore::RenderBox const*, WTF::Optional<WebCore::LayoutUnit> > >, WTF::DefaultHash<WebCore::RenderBox const*>, WTF::HashMap<WebCore::RenderBox const*, WTF::Optional<WebCore::LayoutUnit>, WTF::DefaultHash<WebCore::RenderBox const*>, WTF::HashTraits<WebCore::RenderBox const*>, WTF::HashTraits<WTF::Optional<WebCore::LayoutUnit> > >::KeyValuePairTraits, WTF::HashTraits<WebCore::RenderBox const*> >::lookup<WTF::HashMapTranslatorAdapter<WTF::HashMap<WebCore::RenderBox const*, WTF::Optional<WebCore::LayoutUnit>, WTF::DefaultHash<WebCore::RenderBox const*>, WTF::HashTraits<WebCore::RenderBox const*>, WTF::HashTraits<WTF::Optional<WebCore::LayoutUnit> > >::KeyValuePairTraits, WTF::IdentityHashTranslator<WTF::HashMap<WebCore::RenderBox const*, WTF::Optional<WebCore::LayoutUnit>, WTF::DefaultHash<WebCore::RenderBox const*>, WTF::HashTraits<WebCore::RenderBox const*>, WTF::HashTraits<WTF::Optional<WebCore::LayoutUnit> > >::KeyValuePairTraits, WTF::DefaultHash<WebCore::RenderBox const*> > >, WebCore::RenderBox const*>(WebCore::RenderBox const* const&)+
frame #1: /WebCore.framework/Versions/A/WebCore`WTF::Optional<WebCore::LayoutUnit> WTF::HashMap<WebCore::RenderBox const*, WTF::Optional<WebCore::LayoutUnit>, WTF::DefaultHash<WebCore::RenderBox const*>, WTF::HashTraits<WebCore::RenderBox const*>, WTF::HashTraits<WTF::Optional<WebCore::LayoutUnit> > >::get<WTF::IdentityHashTranslator<WTF::HashMap<WebCore::RenderBox const*, WTF::Optional<WebCore::LayoutUnit>, WTF::DefaultHash<WebCore::RenderBox const*>, WTF::HashTraits<WebCore::RenderBox const*>, WTF::HashTraits<WTF::Optional<WebCore::LayoutUnit> > >::KeyValuePairTraits, WTF::DefaultHash<WebCore::RenderBox const*> >, WebCore::RenderBox const*>(WebCore::RenderBox const* const&) const+
frame #2: /WebCore.framework/Versions/A/WebCore`WTF::HashMap<WebCore::RenderBox const*, WTF::Optional<WebCore::LayoutUnit>, WTF::DefaultHash<WebCore::RenderBox const*>, WTF::HashTraits<WebCore::RenderBox const*>, WTF::HashTraits<WTF::Optional<WebCore::LayoutUnit> > >::get(WebCore::RenderBox const* const&) const+
frame #3: /WebCore.framework/Versions/A/WebCore`WebCore::RenderBox::overrideContainingBlockContentHeight() const+
frame #4: /WebCore.framework/Versions/A/WebCore`WebCore::RenderBoxModelObject::relativePositionOffset() const+
frame #5: /WebCore.framework/Versions/A/WebCore`WebCore::RenderBoxModelObject::offsetForInFlowPosition() const+
frame #6: /WebCore.framework/Versions/A/WebCore`WebCore::RenderBox::offsetFromContainer(WebCore::RenderElement&, WebCore::LayoutPoint const&, bool*) const+
frame #7: /WebCore.framework/Versions/A/WebCore`WebCore::RenderBox::mapLocalToContainer(WebCore::RenderLayerModelObject const*, WebCore::TransformState&, unsigned int, bool*) const+
frame #8: /WebCore.framework/Versions/A/WebCore`WebCore::RenderBox::mapLocalToContainer(WebCore::RenderLayerModelObject const*, WebCore::TransformState&, unsigned int, bool*) const+
frame #9: /WebCore.framework/Versions/A/WebCore`WebCore::RenderObject::localToContainerQuad(WebCore::FloatQuad const&, WebCore::RenderLayerModelObject const*, unsigned int, bool*) const+
frame #10: /WebCore.framework/Versions/A/WebCore`WebCore::RenderBox::outlineBoundsForRepaint(WebCore::RenderLayerModelObject const*, WebCore::RenderGeometryMap const*) const+
Comment 1 Ian Gilbert 2020-11-03 04:06:39 PST
Created attachment 413041 [details]
Crashing input
Comment 2 Radar WebKit Bug Importer 2020-11-03 04:06:55 PST
<rdar://problem/70989103>
Comment 3 Ryosuke Niwa 2020-11-03 13:11:42 PST
<rdar://problem/70049851>
Comment 4 Sergio Villar Senin 2020-11-09 02:12:22 PST
Created attachment 413570 [details]
Patch
Comment 5 Sergio Villar Senin 2020-11-09 03:04:13 PST
Created attachment 413572 [details]
Test case

This is the test case I came up with in case we want to land it together.
Comment 6 Ryosuke Niwa 2020-11-09 15:56:05 PST
Is there any security implication here? Or is it just a nullptr crash?
Comment 7 Ryosuke Niwa 2020-11-09 15:56:30 PST
If there is no security implication, we should land the test as a part of the patch.
Comment 8 Sergio Villar Senin 2020-11-10 00:29:36 PST
(In reply to Ryosuke Niwa from comment #6)
> Is there any security implication here? Or is it just a nullptr crash?

It's a nullptr dereference.
Comment 9 Ryosuke Niwa 2020-11-11 19:04:10 PST
(In reply to Sergio Villar Senin from comment #8)
> (In reply to Ryosuke Niwa from comment #6)
> > Is there any security implication here? Or is it just a nullptr crash?
> 
> It's a nullptr dereference.

In that case, can we include the test in the patch?
Comment 10 Sergio Villar Senin 2020-11-12 03:25:49 PST
Committed r269728: <https://trac.webkit.org/changeset/269728>