Bug 234375

Summary: null ptr deref in WebCore::findPlaceForCounter
Product: WebKit Reporter: Gabriel Nava Marino <gnavamarino>
Component: Layout and RenderingAssignee: Gabriel Nava Marino <gnavamarino>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, changseok, esprehn+autocc, ews-watchlist, glenn, kondapallykalyan, pdr, simon.fraser, webkit-bug-importer, zalan
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch none

Description Gabriel Nava Marino 2021-12-15 18:02:27 PST 
Since parentOrPseudoHostElement can return a nullptr, we need to check for that before trying to access the renderer() of the Element object it returns.
Comment 1 Gabriel Nava Marino 2021-12-15 18:13:02 PST 
<rdar://problem/86518846>
Comment 2 Gabriel Nava Marino 2021-12-15 18:14:38 PST 
Created attachment 447305 [details]
Patch
Comment 3 zalan 2021-12-15 18:47:04 PST 
Comment on attachment 447305 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=447305&action=review

> Source/WebCore/ChangeLog:11
> +        Since parentOrPseudoHostElement can return a nullptr, we need to check for nullptr before trying to
> +        access the renderer() of the Element pointer it returns.

Could you explain why parentOrPseudoHostElement() returns nullptr in here?

> Source/WebCore/rendering/RenderCounter.cpp:315
> +                        auto parent = parentOrPseudoHostElement(*currentRenderer);

I'd write it like auto* parent = parentOrPseudoHostElement(*currentRenderer);
Comment 4 Gabriel Nava Marino 2021-12-16 10:45:23 PST 
Created attachment 447372 [details]
Patch
Comment 5 EWS 2021-12-17 10:03:59 PST 
Committed r287194 (245361@main): <https://commits.webkit.org/245361@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 447372 [details].