WebKit Bugzilla
Bug 218504: Crash in RenderBox::overrideContainingBlockContentHeight()
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=218504
Ian Gilbert, Reported 2020-11-03 04:05:50 PST
Crash found by fuzzing. Reproduces on WebKit revision 268052.

Stack Trace
=========
frame #0: /WebCore.framework/Versions/A/WebCore`WTF::KeyValuePair<WebCore::RenderBox const*, WTF::Optional<WebCore::LayoutUnit> >* WTF::HashTable<WebCore::RenderBox const*, WTF::KeyValuePair<WebCore::RenderBox const*, WTF::Optional<WebCore::LayoutUnit> >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WebCore::RenderBox const*, WTF::Optional<WebCore::LayoutUnit> > >, WTF::DefaultHash<WebCore::RenderBox const*>, WTF::HashMap<WebCore::RenderBox const*, WTF::Optional<WebCore::LayoutUnit>, WTF::DefaultHash<WebCore::RenderBox const*>, WTF::HashTraits<WebCore::RenderBox const*>, WTF::HashTraits<WTF::Optional<WebCore::LayoutUnit> > >::KeyValuePairTraits, WTF::HashTraits<WebCore::RenderBox const*> >::lookup<WTF::HashMapTranslatorAdapter<WTF::HashMap<WebCore::RenderBox const*, WTF::Optional<WebCore::LayoutUnit>, WTF::DefaultHash<WebCore::RenderBox const*>, WTF::HashTraits<WebCore::RenderBox const*>, WTF::HashTraits<WTF::Optional<WebCore::LayoutUnit> > >::KeyValuePairTraits, WTF::IdentityHashTranslator<WTF::HashMap<WebCore::RenderBox const*, WTF::Optional<WebCore::LayoutUnit>, WTF::DefaultHash<WebCore::RenderBox const*>, WTF::HashTraits<WebCore::RenderBox const*>, WTF::HashTraits<WTF::Optional<WebCore::LayoutUnit> > >::KeyValuePairTraits, WTF::DefaultHash<WebCore::RenderBox const*> > >, WebCore::RenderBox const*>(WebCore::RenderBox const* const&)+
frame #1: /WebCore.framework/Versions/A/WebCore`WTF::Optional<WebCore::LayoutUnit> WTF::HashMap<WebCore::RenderBox const*, WTF::Optional<WebCore::LayoutUnit>, WTF::DefaultHash<WebCore::RenderBox const*>, WTF::HashTraits<WebCore::RenderBox const*>, WTF::HashTraits<WTF::Optional<WebCore::LayoutUnit> > >::get<WTF::IdentityHashTranslator<WTF::HashMap<WebCore::RenderBox const*, WTF::Optional<WebCore::LayoutUnit>, WTF::DefaultHash<WebCore::RenderBox const*>, WTF::HashTraits<WebCore::RenderBox const*>, WTF::HashTraits<WTF::Optional<WebCore::LayoutUnit> > >::KeyValuePairTraits, WTF::DefaultHash<WebCore::RenderBox const*> >, WebCore::RenderBox const*>(WebCore::RenderBox const* const&) const+
frame #2: /WebCore.framework/Versions/A/WebCore`WTF::HashMap<WebCore::RenderBox const*, WTF::Optional<WebCore::LayoutUnit>, WTF::DefaultHash<WebCore::RenderBox const*>, WTF::HashTraits<WebCore::RenderBox const*>, WTF::HashTraits<WTF::Optional<WebCore::LayoutUnit> > >::get(WebCore::RenderBox const* const&) const+
frame #3: /WebCore.framework/Versions/A/WebCore`WebCore::RenderBox::overrideContainingBlockContentHeight() const+
frame #4: /WebCore.framework/Versions/A/WebCore`WebCore::RenderBoxModelObject::relativePositionOffset() const+
frame #5: /WebCore.framework/Versions/A/WebCore`WebCore::RenderBoxModelObject::offsetForInFlowPosition() const+
frame #6: /WebCore.framework/Versions/A/WebCore`WebCore::RenderBox::offsetFromContainer(WebCore::RenderElement&, WebCore::LayoutPoint const&, bool*) const+
frame #7: /WebCore.framework/Versions/A/WebCore`WebCore::RenderBox::mapLocalToContainer(WebCore::RenderLayerModelObject const*, WebCore::TransformState&, unsigned int, bool*) const+
frame #8: /WebCore.framework/Versions/A/WebCore`WebCore::RenderBox::mapLocalToContainer(WebCore::RenderLayerModelObject const*, WebCore::TransformState&, unsigned int, bool*) const+
frame #9: /WebCore.framework/Versions/A/WebCore`WebCore::RenderObject::localToContainerQuad(WebCore::FloatQuad const&, WebCore::RenderLayerModelObject const*, unsigned int, bool*) const+
frame #10: /WebCore.framework/Versions/A/WebCore`WebCore::RenderBox::outlineBoundsForRepaint(WebCore::RenderLayerModelObject const*, WebCore::RenderGeometryMap const*) const+
Attachments
Crashing input (492.69 KB, text/html), 2020-11-03 04:06 PST, Ian Gilbert, no flags
Patch (1.93 KB, patch), 2020-11-09 02:12 PST, Sergio Villar Senin, zalan: review+
Test case (516 bytes, text/html), 2020-11-09 03:04 PST, Sergio Villar Senin, no flags
Ian Gilbert, Comment 1, 2020-11-03 04:06:39 PST
Created attachment 413041: Crashing input
Radar WebKit Bug Importer, Comment 2, 2020-11-03 04:06:55 PST
<rdar://problem/70989103>
Ryosuke Niwa, Comment 3, 2020-11-03 13:11:42 PST
<rdar://problem/70049851>
Sergio Villar Senin, Comment 4, 2020-11-09 02:12:22 PST
Created attachment 413570: Patch
Sergio Villar Senin, Comment 5, 2020-11-09 03:04:13 PST
Created attachment 413572: Test case
This is the test case I came up with in case we want to land it together.
Ryosuke Niwa, Comment 6, 2020-11-09 15:56:05 PST
Is there any security implication here? Or is it just a nullptr crash?
Ryosuke Niwa, Comment 7, 2020-11-09 15:56:30 PST
If there is no security implication, we should land the test as a part of the patch.
Sergio Villar Senin, Comment 8, 2020-11-10 00:29:36 PST
(In reply to Ryosuke Niwa from comment #6)
> Is there any security implication here? Or is it just a nullptr crash?

It's a nullptr dereference.
Ryosuke Niwa, Comment 9, 2020-11-11 19:04:10 PST
(In reply to Sergio Villar Senin from comment #8)
> (In reply to Ryosuke Niwa from comment #6)
> > Is there any security implication here? Or is it just a nullptr crash?
>
> It's a nullptr dereference.

In that case, can we include the test in the patch?
Sergio Villar Senin, Comment 10, 2020-11-12 03:25:49 PST
Committed r269728: <https://trac.webkit.org/changeset/269728>
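The thread above classifies the crash as a plain null-pointer dereference reached through a HashMap lookup inside RenderBox::overrideContainingBlockContentHeight() (frames #0 to #3 of the trace). The following is an added C++ illustration of that bug class; it is not WebKit's code and not the change landed in r269728. The page does not say which pointer was null, so the example assumes the common pattern of a lazily allocated, process-global override table whose pointer stays null until the first override is recorded; every type, variable and function name in it is a hypothetical stand-in, and the sample boxes are constructed for the walkthrough.

```cpp
#include <cstdint>
#include <memory>
#include <optional>
#include <unordered_map>

// Hypothetical stand-ins for the WebCore types named in the trace (not WebKit's definitions).
using LayoutUnit = int64_t;
struct RenderBox { int id; };

// Assumed pattern for illustration: a process-global override table that is
// allocated lazily, so the pointer is nullptr until the first override is set.
using OverrideMap = std::unordered_map<const RenderBox*, std::optional<LayoutUnit>>;
static std::unique_ptr<OverrideMap> gOverrideContainingBlockContentHeightMap;

void resetOverrideTable() { gOverrideContainingBlockContentHeightMap.reset(); }
bool hasOverrideTable() { return gOverrideContainingBlockContentHeightMap != nullptr; }

void setOverrideContainingBlockContentHeight(const RenderBox& box, std::optional<LayoutUnit> height)
{
    if (!gOverrideContainingBlockContentHeightMap)
        gOverrideContainingBlockContentHeightMap = std::make_unique<OverrideMap>();
    (*gOverrideContainingBlockContentHeightMap)[&box] = height;
}

void clearOverrideContainingBlockContentHeight(const RenderBox& box)
{
    if (gOverrideContainingBlockContentHeightMap)
        gOverrideContainingBlockContentHeightMap->erase(&box);
}

// The predicate callers are supposed to consult before the getter: it checks
// the table pointer first, so it is safe in a fresh process.
bool hasOverrideContainingBlockContentHeight(const RenderBox& box)
{
    return gOverrideContainingBlockContentHeightMap
        && gOverrideContainingBlockContentHeightMap->count(&box) != 0;
}

// Unguarded getter: assumes the predicate above was checked by the caller.
// If no override was ever recorded, the table pointer is still nullptr and
// find() below reads through a null pointer inside the hash-table lookup,
// which is the shape of frames #0 to #3 in the trace.
std::optional<LayoutUnit> overrideContainingBlockContentHeightUnguarded(const RenderBox& box)
{
    auto it = gOverrideContainingBlockContentHeightMap->find(&box); // null deref when the table is absent
    if (it == gOverrideContainingBlockContentHeightMap->end())
        return std::nullopt;
    return it->second;
}

// Guarded getter: "no table yet" and "no entry for this box" both yield nullopt.
std::optional<LayoutUnit> overrideContainingBlockContentHeightGuarded(const RenderBox& box)
{
    if (!hasOverrideContainingBlockContentHeight(box))
        return std::nullopt;
    return gOverrideContainingBlockContentHeightMap->find(&box)->second;
}

// Constructed sample boxes for the walkthrough.
static RenderBox sampleBoxA{1};
static RenderBox sampleBoxB{2};

// Walks the lifecycle from a fresh process state and returns how many checks
// held (6 when everything behaves). The unguarded getter is only called once
// the table exists; calling it before that point is exactly the crash above.
int runScenario()
{
    int passed = 0;
    resetOverrideTable();
    if (!hasOverrideTable()) ++passed;                                                        // 1: fresh state, no table
    if (overrideContainingBlockContentHeightGuarded(sampleBoxA) == std::nullopt) ++passed;    // 2: guarded getter survives
    setOverrideContainingBlockContentHeight(sampleBoxA, LayoutUnit(120));
    if (overrideContainingBlockContentHeightGuarded(sampleBoxA) == 120) ++passed;             // 3: override visible
    if (overrideContainingBlockContentHeightUnguarded(sampleBoxA) == 120) ++passed;           // 4: table exists, unguarded is fine
    if (overrideContainingBlockContentHeightUnguarded(sampleBoxB) == std::nullopt) ++passed;  // 5: missing entry is not a crash
    clearOverrideContainingBlockContentHeight(sampleBoxA);
    if (overrideContainingBlockContentHeightGuarded(sampleBoxA) == std::nullopt) ++passed;    // 6: cleared
    return passed;
}

int main() { return runScenario() == 6 ? 0 : 1; }
```

The distinction the reviewers draw in comments 6 to 8 maps onto this shape: a read through the still-null table pointer faults deterministically at address zero or a small offset from it, which a sanitizer run reports as a SEGV rather than a heap error, and an attacker gets a renderer crash out of it rather than a memory-corruption primitive. That is why the test case could be landed in the open alongside the patch.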