Bug 253165

Summary: Make sure child is a RenderElement before trying to pass it into shouldChildInlineMarginContributeToContainerIntrinsicSize in RenderBlock::computeBlockPreferredLogicalWidths
Product: WebKit Reporter: Sammy Gill <sgill26>
Component: Layout and RenderingAssignee: Sammy Gill <sgill26>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, simon.fraser, webkit-bug-importer, zalan
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Sammy Gill
Reported 2023-03-01 09:54:34 PST
The assumption about this code currently is that child cannot be a RenderText within RenderBlock::computeBlockPreferredLogicalWidths. That assumption is wrong and can lead to a nullptr dereference. We should check the result of the cast before trying to pass it in
Attachments
Add attachment proposed patch, testcase, etc.
Sammy Gill
Comment 1 2023-03-01 09:55:05 PST
rdar://105848359
Radar WebKit Bug Importer
Comment 2 2023-03-01 09:55:57 PST
<rdar://problem/106092185>
Sammy Gill
Comment 3 2023-03-01 11:16:59 PST
Pull request: https://github.com/WebKit/WebKit/pull/10882
Sammy Gill
Comment 4 2023-03-01 11:35:41 PST
rdar://105848359
EWS
Comment 5 2023-03-02 06:30:57 PST
Committed 261063@main (02bb8ae9d573): <https://commits.webkit.org/261063@main> Reviewed commits have been landed. Closing PR #10882 and removing active labels.
EWS
Comment 6 2023-03-03 10:38:33 PST
Committed 259548.371@safari-7615-branch (6f9b18dfa549): <https://commits.webkit.org/259548.371@safari-7615-branch> Reviewed commits have been landed. Closing PR #432 and removing active labels.
Sammy Gill
Comment 7 2023-03-06 09:45:46 PST
*** Bug 252975 has been marked as a duplicate of this bug. ***
Sammy Gill
Comment 8 2023-12-20 15:01:56 PST
*** Bug 253182 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.