Bug 232512

Summary: Avoid corrupting the hashmap and subsequent nullptr deref by checking that the LayoutUnit is not a deleted value.
Product: WebKit Reporter: John Cunningham <johncunningham>
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED CONFIGURATION CHANGED    
Severity: Normal CC: cmarcelo, ews-watchlist, fred.wang, jamesr, luiz, simon.fraser, tonikitoo, webkit-bug-importer, wenson_hsieh, youennf
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch ews-feeder: commit-queue-

John Cunningham
Reported 2021-10-29 15:19:33 PDT
Fix a null ptr deref by checking that newOffset is a valid key before adding to the HashMap.
Attachments
Patch (2.73 KB, patch)
2021-10-29 15:20 PDT, John Cunningham 		no flags
DetailsFormatted DiffDiff
Patch (2.73 KB, patch)
2021-10-29 15:25 PDT, John Cunningham 		no flags
DetailsFormatted DiffDiff
Patch (4.11 KB, patch)
2021-11-02 14:23 PDT, John Cunningham 		no flags
DetailsFormatted DiffDiff
Patch (3.64 KB, patch)
2021-11-03 17:29 PDT, John Cunningham 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.
John Cunningham
Comment 1 2021-10-29 15:20:05 PDT
Created attachment 442872 [details] Patch
John Cunningham
Comment 2 2021-10-29 15:25:09 PDT
Created attachment 442873 [details] Patch
Alexey Proskuryakov
Comment 3 2021-11-01 13:47:55 PDT
Comment on attachment 442873 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=442873&action=review > Source/WebCore/ChangeLog:8 > + No new tests (OOPS!). Can a test be added for this?
John Cunningham
Comment 4 2021-11-02 14:23:30 PDT
Created attachment 443134 [details] Patch
John Cunningham
Comment 5 2021-11-02 14:27:49 PDT
<rdar://84450793>
Wenson Hsieh
Comment 6 2021-11-02 14:47:29 PDT
Comment on attachment 443134 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=443134&action=review It looks like the newly added test is failing on test runners. > Source/WebCore/page/scrolling/ScrollSnapOffsetsInfo.cpp:291 > + if (offsets.isValidKey(newOffset)) { Nit - we generally prefer early returns over multiline if statements like this.
John Cunningham
Comment 7 2021-11-03 17:29:57 PDT
Created attachment 443260 [details] Patch
Radar WebKit Bug Importer
Comment 8 2021-11-05 15:20:19 PDT
<rdar://problem/85087814>
youenn fablet
Comment 9 2022-11-10 07:52:01 PST
This patch is no longer necessary, closing bug.
Note You need to log in before you can comment on or make changes to this bug.