Bug 218499 - Null Ptr Deref @ WebCore::RenderDeprecatedFlexibleBox::applyLineClamp+0
Summary: Null Ptr Deref @ WebCore::RenderDeprecatedFlexibleBox::applyLineClamp+0
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: WebKit Local Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Rob Buis
URL:
Keywords: InRadar
Duplicates: 218497
Depends on:
Blocks:
 
Reported: 2020-11-03 03:32 PST by Ian Gilbert
Modified: 2020-11-09 16:20 PST
CC: 11 users

See Also:


Attachments
Crashing input (519.88 KB, text/html), 2020-11-03 03:33 PST, Ian Gilbert, no flags
Reduced crashing input (374 bytes, text/html), 2020-11-05 00:26 PST, Ian Gilbert, no flags
Patch (1.96 KB, patch), 2020-11-06 00:34 PST, Rob Buis, no flags
Patch (1.70 KB, patch), 2020-11-07 02:36 PST, Rob Buis, no flags
Patch (1.71 KB, patch), 2020-11-07 23:39 PST, Rob Buis, no flags

Description Ian Gilbert 2020-11-03 03:32:38 PST
Stack Trace
=========

frame #0: WebCore`WebCore::InlineBox::renderer() const+0
frame #1: WebCore`WebCore::RenderDeprecatedFlexibleBox::applyLineClamp(WebCore::FlexBoxIterator&, bool)+0
frame #2: WebCore`WebCore::RenderDeprecatedFlexibleBox::layoutVerticalBox(bool)+0
frame #3: WebCore`WebCore::RenderDeprecatedFlexibleBox::layoutBlock(bool, WebCore::LayoutUnit)+0
frame #4: WebCore`WebCore::RenderBlock::layout()+0
frame #5: WebCore`WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0
frame #6: WebCore`WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0
frame #7: WebCore`WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0
frame #8: WebCore`WebCore::RenderBlock::layout()+0
frame #9: WebCore`WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0
frame #10: WebCore`WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0
Comment 1 Radar WebKit Bug Importer 2020-11-03 03:32:58 PST
<rdar://problem/70988379>
Comment 2 Ian Gilbert 2020-11-03 03:33:42 PST
Created attachment 413035
Crashing input
Comment 3 Ryosuke Niwa 2020-11-03 13:09:13 PST
<rdar://problem/66166850>
Comment 4 Ian Gilbert 2020-11-05 00:26:51 PST
Created attachment 413267
Reduced crashing input
Comment 5 Ryosuke Niwa 2020-11-05 00:27:41 PST
(In reply to Ian Gilbert from comment #4)
> Created attachment 413267
> Reduced crashing input

Nice!
Comment 6 Rob Buis 2020-11-06 00:34:22 PST
Created attachment 413409
Patch
Comment 7 EWS 2020-11-06 13:45:39 PST
Committed r269537: <https://trac.webkit.org/changeset/269537>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 413409.
Comment 8 Ryosuke Niwa 2020-11-06 19:48:25 PST
Are there any security implications here? If not, we should move it to non-security component and add a test.
Comment 9 zalan 2020-11-06 20:35:17 PST
I don't think there is any.
Comment 10 Ryosuke Niwa 2020-11-06 20:49:17 PST
Can we add a test?
Comment 11 Rob Buis 2020-11-07 02:36:14 PST
Created attachment 413523
Patch
Comment 12 Ryosuke Niwa 2020-11-07 16:05:59 PST
Comment on attachment 413523
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=413523&action=review

> LayoutTests/fast/overflow/line-clamp-crash.html:6
> +    if (window.testRunner)

Remove the indentation here?
Comment 13 Rob Buis 2020-11-07 23:39:56 PST
Created attachment 413541
Patch
Comment 14 EWS 2020-11-08 00:32:00 PST
Committed r269567: <https://trac.webkit.org/changeset/269567>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 413541.
Comment 15 Ryosuke Niwa 2020-11-09 16:19:08 PST
*** Bug 218497 has been marked as a duplicate of this bug. ***