Bug 232512

Summary: Avoid corrupting the hashmap and subsequent nullptr deref by checking that the LayoutUnit is not a deleted value.
Product: WebKit
Reporter: John Cunningham <johncunningham>
Component: New Bugs
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED CONFIGURATION CHANGED
Severity: Normal
CC: cmarcelo, ews-watchlist, fred.wang, jamesr, luiz, simon.fraser, tonikitoo, webkit-bug-importer, wenson_hsieh, youennf
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments (Description / Flags):
  Patch / none
  Patch / none
  Patch / none
  Patch / ews-feeder: commit-queue-

Description John Cunningham 2021-10-29 15:19:33 PDT
Fix a null ptr deref by checking that newOffset is a valid key before adding to the HashMap.
Comment 1 John Cunningham 2021-10-29 15:20:05 PDT
Created attachment 442872 [details]
Patch
Comment 2 John Cunningham 2021-10-29 15:25:09 PDT
Created attachment 442873 [details]
Patch
Comment 3 Alexey Proskuryakov 2021-11-01 13:47:55 PDT
Comment on attachment 442873 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=442873&action=review

> Source/WebCore/ChangeLog:8
> +        No new tests (OOPS!).

Can a test be added for this?
Comment 4 John Cunningham 2021-11-02 14:23:30 PDT
Created attachment 443134 [details]
Patch
Comment 5 John Cunningham 2021-11-02 14:27:49 PDT
<rdar://84450793>
Comment 6 Wenson Hsieh 2021-11-02 14:47:29 PDT
Comment on attachment 443134 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=443134&action=review

It looks like the newly added test is failing on test runners.

> Source/WebCore/page/scrolling/ScrollSnapOffsetsInfo.cpp:291
> +        if (offsets.isValidKey(newOffset)) {

Nit - we generally prefer early returns over multiline if statements like this.
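The `offsets.isValidKey(newOffset)` guard quoted above is easiest to understand on a toy hash table. The C++ example below is added here and is not WebKit's code: it sketches an open-addressing map that, like WTF's HashMap, reserves an "empty" and a "deleted" sentinel key, uses `int64_t` where the real map in ScrollSnapOffsetsInfo.cpp keys on LayoutUnit, and shows how storing a key equal to the deleted sentinel without a check leaves the table inconsistent (the bookkeeping count drifts from the number of live entries), while an `isValidKey` check up front rejects it. `OffsetMap`, its member names, the sentinel values and the sample offsets are assumptions made for the illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Simplified open-addressing map from an integer scroll offset to a value.
// Illustration written for this bug page, not WebKit's HashMap; it keys on
// int64_t where the real map keys on LayoutUnit. Like WTF's HashMap it reserves
// two sentinel keys: one for a never-used slot and one for a deleted slot
// (tombstone). Class, member names and sentinel values are assumptions.
class OffsetMap {
public:
    static constexpr int64_t emptyKey = INT64_MIN;
    static constexpr int64_t deletedKey = INT64_MIN + 1;

    explicit OffsetMap(size_t capacity = 16) : slots_(capacity) {}

    // A key equal to a sentinel cannot be stored: later probes would read the
    // slot as "empty" or "deleted" rather than as a live entry.
    static bool isValidKey(int64_t key) { return key != emptyKey && key != deletedKey; }

    // Guarded insert, the shape of the fix: refuse sentinel keys up front.
    bool add(int64_t key, int value) {
        if (!isValidKey(key))
            return false;
        return addUnchecked(key, value);
    }

    // Unguarded insert, the shape of the defect. Returns true when a slot was
    // claimed, false when an existing key was updated or the table is full.
    bool addUnchecked(int64_t key, int value) {
        std::optional<size_t> freeSlot;     // first reusable slot on the probe chain
        size_t i = home(key);
        for (size_t probes = 0; probes < slots_.size(); ++probes, i = next(i)) {
            Slot& s = slots_[i];
            if (s.key == emptyKey) { if (!freeSlot) freeSlot = i; break; }      // chain ends
            if (s.key == deletedKey) { if (!freeSlot) freeSlot = i; continue; } // tombstone
            if (s.key == key) { s.value = value; return false; }               // update
        }
        if (!freeSlot)
            return false;                   // full; this illustration does not grow
        slots_[*freeSlot] = Slot { key, value };
        ++size_;
        return true;
    }

    std::optional<int> get(int64_t key) const {
        size_t i = home(key);
        for (size_t probes = 0; probes < slots_.size(); ++probes, i = next(i)) {
            const Slot& s = slots_[i];
            if (s.key == emptyKey) return std::nullopt;
            if (s.key == deletedKey) continue;
            if (s.key == key) return s.value;
        }
        return std::nullopt;
    }

    bool remove(int64_t key) {
        size_t i = home(key);
        for (size_t probes = 0; probes < slots_.size(); ++probes, i = next(i)) {
            Slot& s = slots_[i];
            if (s.key == emptyKey) return false;
            if (s.key == deletedKey) continue;
            if (s.key == key) { s.key = deletedKey; --size_; return true; }
        }
        return false;
    }

    size_t size() const { return size_; }

    // Slots that really hold an entry; equals size() unless the table is corrupted.
    size_t liveEntries() const {
        size_t n = 0;
        for (const Slot& s : slots_) if (isValidKey(s.key)) ++n;
        return n;
    }

private:
    struct Slot { int64_t key = emptyKey; int value = 0; };
    size_t home(int64_t key) const { return static_cast<uint64_t>(key) % slots_.size(); }
    size_t next(size_t i) const { return (i + 1) % slots_.size(); }
    std::vector<Slot> slots_;
    size_t size_ = 0;
};

struct Counts { size_t counted; size_t live; };

// Bug shape: the deleted sentinel is stored unchecked, so its slot reads as a
// tombstone; a later insert whose probe chain crosses it (home(17) == home(deletedKey)
// == 1 with capacity 16) reclaims the slot, and size() drifts from liveEntries().
Counts corruptedCounts() {
    OffsetMap map(16);
    map.addUnchecked(OffsetMap::deletedKey, 7);
    map.add(17, 3);
    return { map.size(), map.liveEntries() };   // {2, 1}
}

// Fix shape: the same sequence through the guarded insert stays consistent.
Counts guardedCounts() {
    OffsetMap map(16);
    map.add(OffsetMap::deletedKey, 7);          // rejected, nothing stored
    map.add(17, 3);
    return { map.size(), map.liveEntries() };   // {1, 1}
}

// Ordinary lifecycle, including legitimate reuse of a tombstone by a colliding key.
bool lifecycleWorks() {
    OffsetMap map(16);
    map.add(42, 5);
    if (map.get(42) != std::optional<int>(5) || !map.remove(42) || map.get(42)) return false;
    map.add(58, 9);                             // home(58) == home(42) == 10
    return map.get(58) == std::optional<int>(9) && map.size() == 1 && map.liveEntries() == 1;
}
```

The point of `liveEntries()` is only to make the damage observable: in the real map the lost or reclaimed entry surfaces later as a lookup that returns a bucket whose value was never set, which is the null dereference the patch avoids by rejecting the key before insertion.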
Comment 7 John Cunningham 2021-11-03 17:29:57 PDT
Created attachment 443260 [details]
Patch
Comment 8 Radar WebKit Bug Importer 2021-11-05 15:20:19 PDT
<rdar://problem/85087814>
Comment 9 youenn fablet 2022-11-10 07:52:01 PST
This patch is no longer necessary, closing bug.