Bug 234375

Summary: null ptr deref in WebCore::findPlaceForCounter
Product: WebKit Reporter: Gabriel Nava Marino <gnavamarino>
Component: Layout and RenderingAssignee: Gabriel Nava Marino <gnavamarino>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, changseok, esprehn+autocc, ews-watchlist, glenn, kondapallykalyan, pdr, simon.fraser, webkit-bug-importer, zalan
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch none

Gabriel Nava Marino
Reported 2021-12-15 18:02:27 PST
Since parentOrPseudoHostElement can return a nullptr, we need to check for that before trying to access the renderer() of the Element object it returns.
Attachments
Patch (3.82 KB, patch)
2021-12-15 18:14 PST, Gabriel Nava Marino 		no flags
DetailsFormatted DiffDiff
Patch (3.90 KB, patch)
2021-12-16 10:45 PST, Gabriel Nava Marino 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Gabriel Nava Marino
Comment 1 2021-12-15 18:13:02 PST
<rdar://problem/86518846>
Gabriel Nava Marino
Comment 2 2021-12-15 18:14:38 PST
Created attachment 447305 [details] Patch
zalan
Comment 3 2021-12-15 18:47:04 PST
Comment on attachment 447305 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=447305&action=review > Source/WebCore/ChangeLog:11 > + Since parentOrPseudoHostElement can return a nullptr, we need to check for nullptr before trying to > + access the renderer() of the Element pointer it returns. Could you explain why parentOrPseudoHostElement() returns nullptr in here? > Source/WebCore/rendering/RenderCounter.cpp:315 > + auto parent = parentOrPseudoHostElement(*currentRenderer); I'd write it like auto* parent = parentOrPseudoHostElement(*currentRenderer);
Gabriel Nava Marino
Comment 4 2021-12-16 10:45:23 PST
Created attachment 447372 [details] Patch
EWS
Comment 5 2021-12-17 10:03:59 PST
Committed r287194 (245361@main): <https://commits.webkit.org/245361@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 447372 [details].
Note You need to log in before you can comment on or make changes to this bug.