Bug 281243

Summary: Don't repaint SVG elements not in tree and check for nullptr before dereferencing enclosing layer
Product: WebKit
Component: WebCore Misc.
Status: NEW
Severity: Normal
Priority: P2
Version: Other
Hardware: Unspecified
OS: Unspecified
Reporter: Pedro Varangot <pvarangot>
Assignee: Nobody <webkit-unassigned>
CC: rniwa, webkit-bug-importer
Keywords: InRadar

Pedro Varangot
Reported 2024-10-10 13:17:08 PDT
Found via fuzzing. When using some HTML elements inside a filter element on SVG, and modifying the hierarchy with a script, a RenderElement with a null enclosingLayer can dereference a null pointer.
Pedro Varangot
Comment 1 2024-10-10 13:22:37 PDT
Pedro Varangot
Comment 2 2024-10-10 13:48:37 PDT