WebKit Bugzilla
RESOLVED FIXED
218499
Null Ptr Deref @ WebCore::RenderDeprecatedFlexibleBox::applyLineClamp+0
https://bugs.webkit.org/show_bug.cgi?id=218499
Ian Gilbert
Reported
2020-11-03 03:32:38 PST
Stack Trace
=========
frame #0: WebCore`WebCore::InlineBox::renderer() const+0
frame #1: WebCore`WebCore::RenderDeprecatedFlexibleBox::applyLineClamp(WebCore::FlexBoxIterator&, bool)+0
frame #2: WebCore`WebCore::RenderDeprecatedFlexibleBox::layoutVerticalBox(bool)+0
frame #3: WebCore`WebCore::RenderDeprecatedFlexibleBox::layoutBlock(bool, WebCore::LayoutUnit)+0
frame #4: WebCore`WebCore::RenderBlock::layout()+0
frame #5: WebCore`WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0
frame #6: WebCore`WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0
frame #7: WebCore`WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0
frame #8: WebCore`WebCore::RenderBlock::layout()+0
frame #9: WebCore`WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0
frame #10: WebCore`WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0
Attachments
Crashing input (519.88 KB, text/html), 2020-11-03 03:33 PST, Ian Gilbert, no flags
Reduced crashing input (374 bytes, text/html), 2020-11-05 00:26 PST, Ian Gilbert, no flags
Patch (1.96 KB, patch), 2020-11-06 00:34 PST, Rob Buis, no flags
Patch (1.70 KB, patch), 2020-11-07 02:36 PST, Rob Buis, no flags
Patch (1.71 KB, patch), 2020-11-07 23:39 PST, Rob Buis, no flags
Radar WebKit Bug Importer
Comment 1
2020-11-03 03:32:58 PST
<rdar://problem/70988379>
Ian Gilbert
Comment 2
2020-11-03 03:33:42 PST
Created attachment 413035 [details]
Crashing input
Ryosuke Niwa
Comment 3
2020-11-03 13:09:13 PST
<rdar://problem/66166850>
Ian Gilbert
Comment 4
2020-11-05 00:26:51 PST
Created attachment 413267 [details]
Reduced crashing input
Ryosuke Niwa
Comment 5
2020-11-05 00:27:41 PST
(In reply to Ian Gilbert from comment #4)
> Created attachment 413267 [details]
> Reduced crashing input
Nice!
Rob Buis
Comment 6
2020-11-06 00:34:22 PST
Created attachment 413409 [details]
Patch
EWS
Comment 7
2020-11-06 13:45:39 PST
Committed r269537: <https://trac.webkit.org/changeset/269537>
All reviewed patches have been landed. Closing bug and clearing flags on attachment 413409 [details].
Ryosuke Niwa
Comment 8
2020-11-06 19:48:25 PST
Are there any security implications here? If not, we should move it to non-security component and add a test.
zalan
Comment 9
2020-11-06 20:35:17 PST
I don't think there is any.
Ryosuke Niwa
Comment 10
2020-11-06 20:49:17 PST
Can we add a test?
Rob Buis
Comment 11
2020-11-07 02:36:14 PST
Created attachment 413523 [details]
Patch
Ryosuke Niwa
Comment 12
2020-11-07 16:05:59 PST
Comment on attachment 413523 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=413523&action=review
> LayoutTests/fast/overflow/line-clamp-crash.html:6 > + if (window.testRunner)
Remove the indentation here?
Rob Buis
Comment 13
2020-11-07 23:39:56 PST
Created attachment 413541 [details]
Patch
EWS
Comment 14
2020-11-08 00:32:00 PST
Committed r269567: <https://trac.webkit.org/changeset/269567>
All reviewed patches have been landed. Closing bug and clearing flags on attachment 413541 [details].
Ryosuke Niwa
Comment 15
2020-11-09 16:19:08 PST
*** Bug 218497 has been marked as a duplicate of this bug. ***