Bug 302197

Summary:	Potential null dereference of m_target in ResizeObservation::computeTargetLocation()
Product:	WebKit	Reporter:	Chris Dumez <cdumez>
Component:	WebCore Misc.	Assignee:	Chris Dumez <cdumez>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	webkit-bug-importer
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified

Chris Dumez

Reported 2025-11-07 22:48:19 PST

Potential null dereference of m_target in ResizeObservation::computeTargetLocation(): ``` Thread 0 Crashed:: Dispatch queue: com.apple.main-thread: 0 WebCore 0x1b33a46a4 WTFCrashWithInfo(int, char const*, char const*, int) + 24 1 WebCore 0x1b33a46a4 WTF::WeakPtr<WebCore::Element, WebCore::WeakPtrImplWithEventTargetData, WTF::RawPtrTraits<WebCore::WeakPtrImplWithEventTargetData>>::operator->() const + 24 2 WebCore 0x1b33a46a4 WebCore::ResizeObservation::computeTargetLocation() const + 24 3 WebCore 0x1b33a46a4 WebCore::ResizeObservation::computeContentRect() const + 24 4 WebCore 0x1b33a46a4 _ZZN7WebCore14ResizeObserver19deliverObservationsEvENK3$_0clIKN3WTF3RefINS_17ResizeObservationENS3_12RawPtrTraitsIS5_EENS3_21DefaultRefDerefTraitsIS5_EEEEEEDaRT_ + 24 5 WebCore 0x1b33a46a4 WTF::Vector<WTF::Ref<WebCore::ResizeObserverEntry, WTF::RawPtrTraits<WebCore::ResizeObserverEntry>, WTF::DefaultRefDerefTraits<WebCore::ResizeObserverEntry>>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> WTF::Vector<WTF::Ref<WebCore::ResizeObservation, WTF::RawPtrTraits<WebCore::ResizeObservation>, WTF::DefaultRefDerefTraits<WebCore::ResizeObservation>>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::map<WTF::Vector<WTF::Ref<WebCore::ResizeObserverEntry, WTF::RawPtrTraits<WebCore::ResizeObserverEntry>, WTF::DefaultRefDerefTraits<WebCore::ResizeObserverEntry>>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::ResizeObserver::deliverObservations()::$_0>(WebCore::ResizeObserver::deliverObservations()::$_0 const&) const + 24 6 WebCore 0x1b33a46a4 WTF::Vector<std::__1::invoke_result<WebCore::ResizeObserver::deliverObservations()::$_0, WTF::Ref<WebCore::ResizeObservation, WTF::RawPtrTraits<WebCore::ResizeObservation>, WTF::DefaultRefDerefTraits<WebCore::ResizeObservation>> const&>::type, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> WTF::Vector<WTF::Ref<WebCore::ResizeObservation, WTF::RawPtrTraits<WebCore::ResizeObservation>, WTF::DefaultRefDerefTraits<WebCore::ResizeObservation>>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::map<WebCore::ResizeObserver::deliverObservations()::$_0>(WebCore::ResizeObserver::deliverObservations()::$_0 const&) const + 24 ```

Attachments
Add attachment proposed patch, testcase, etc.

Chris Dumez

Comment 1 2025-11-07 22:48:28 PST

<rdar://164271295>

Chris Dumez

Comment 2 2025-11-07 22:51:17 PST

Pull request: https://github.com/WebKit/WebKit/pull/53625

EWS

Comment 3 2025-11-08 05:34:20 PST

Committed 302765@main (a1c0f13ff6a0): <https://commits.webkit.org/302765@main> Reviewed commits have been landed. Closing PR #53625 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.