Bug 218504 - Crash in RenderBox::overrideContainingBlockContentHeight()
Summary: Crash in RenderBox::overrideContainingBlockContentHeight()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering (show other bugs)
Version: WebKit Local Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Sergio Villar Senin
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-11-03 04:05 PST by Ian Gilbert
Modified: 2020-11-12 03:25 PST (History)
11 users (show)

See Also:

Attachments
Crashing input (492.69 KB, text/html)
2020-11-03 04:06 PST, Ian Gilbert 		no flags Details
Patch (1.93 KB, patch)
2020-11-09 02:12 PST, Sergio Villar Senin 		zalan: review+
Details | Formatted Diff | Diff
Test case (516 bytes, text/html)
2020-11-09 03:04 PST, Sergio Villar Senin 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ian Gilbert 2020-11-03 04:05:50 PST 
Crash found by fuzzing. Reproduces on WebKit revision 268052.

Stack Trace
=========

frame #0: /WebCore.framework/Versions/A/WebCore`WTF::KeyValuePair<WebCore::RenderBox const*, WTF::Optional<WebCore::LayoutUnit> >* WTF::HashTable<WebCore::RenderBox const*, WTF::KeyValuePair<WebCore::RenderBox const*, WTF::Optional<WebCore::LayoutUnit> >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WebCore::RenderBox const*, WTF::Optional<WebCore::LayoutUnit> > >, WTF::DefaultHash<WebCore::RenderBox const*>, WTF::HashMap<WebCore::RenderBox const*, WTF::Optional<WebCore::LayoutUnit>, WTF::DefaultHash<WebCore::RenderBox const*>, WTF::HashTraits<WebCore::RenderBox const*>, WTF::HashTraits<WTF::Optional<WebCore::LayoutUnit> > >::KeyValuePairTraits, WTF::HashTraits<WebCore::RenderBox const*> >::lookup<WTF::HashMapTranslatorAdapter<WTF::HashMap<WebCore::RenderBox const*, WTF::Optional<WebCore::LayoutUnit>, WTF::DefaultHash<WebCore::RenderBox const*>, WTF::HashTraits<WebCore::RenderBox const*>, WTF::HashTraits<WTF::Optional<WebCore::LayoutUnit> > >::KeyValuePairTraits, WTF::IdentityHashTranslator<WTF::HashMap<WebCore::RenderBox const*, WTF::Optional<WebCore::LayoutUnit>, WTF::DefaultHash<WebCore::RenderBox const*>, WTF::HashTraits<WebCore::RenderBox const*>, WTF::HashTraits<WTF::Optional<WebCore::LayoutUnit> > >::KeyValuePairTraits, WTF::DefaultHash<WebCore::RenderBox const*> > >, WebCore::RenderBox const*>(WebCore::RenderBox const* const&)+
frame #1: /WebCore.framework/Versions/A/WebCore`WTF::Optional<WebCore::LayoutUnit> WTF::HashMap<WebCore::RenderBox const*, WTF::Optional<WebCore::LayoutUnit>, WTF::DefaultHash<WebCore::RenderBox const*>, WTF::HashTraits<WebCore::RenderBox const*>, WTF::HashTraits<WTF::Optional<WebCore::LayoutUnit> > >::get<WTF::IdentityHashTranslator<WTF::HashMap<WebCore::RenderBox const*, WTF::Optional<WebCore::LayoutUnit>, WTF::DefaultHash<WebCore::RenderBox const*>, WTF::HashTraits<WebCore::RenderBox const*>, WTF::HashTraits<WTF::Optional<WebCore::LayoutUnit> > >::KeyValuePairTraits, WTF::DefaultHash<WebCore::RenderBox const*> >, WebCore::RenderBox const*>(WebCore::RenderBox const* const&) const+
frame #2: /WebCore.framework/Versions/A/WebCore`WTF::HashMap<WebCore::RenderBox const*, WTF::Optional<WebCore::LayoutUnit>, WTF::DefaultHash<WebCore::RenderBox const*>, WTF::HashTraits<WebCore::RenderBox const*>, WTF::HashTraits<WTF::Optional<WebCore::LayoutUnit> > >::get(WebCore::RenderBox const* const&) const+
frame #3: /WebCore.framework/Versions/A/WebCore`WebCore::RenderBox::overrideContainingBlockContentHeight() const+
frame #4: /WebCore.framework/Versions/A/WebCore`WebCore::RenderBoxModelObject::relativePositionOffset() const+
frame #5: /WebCore.framework/Versions/A/WebCore`WebCore::RenderBoxModelObject::offsetForInFlowPosition() const+
frame #6: /WebCore.framework/Versions/A/WebCore`WebCore::RenderBox::offsetFromContainer(WebCore::RenderElement&, WebCore::LayoutPoint const&, bool*) const+
frame #7: /WebCore.framework/Versions/A/WebCore`WebCore::RenderBox::mapLocalToContainer(WebCore::RenderLayerModelObject const*, WebCore::TransformState&, unsigned int, bool*) const+
frame #8: /WebCore.framework/Versions/A/WebCore`WebCore::RenderBox::mapLocalToContainer(WebCore::RenderLayerModelObject const*, WebCore::TransformState&, unsigned int, bool*) const+
frame #9: /WebCore.framework/Versions/A/WebCore`WebCore::RenderObject::localToContainerQuad(WebCore::FloatQuad const&, WebCore::RenderLayerModelObject const*, unsigned int, bool*) const+
frame #10: /WebCore.framework/Versions/A/WebCore`WebCore::RenderBox::outlineBoundsForRepaint(WebCore::RenderLayerModelObject const*, WebCore::RenderGeometryMap const*) const+
Comment 1 Ian Gilbert 2020-11-03 04:06:39 PST 
Created attachment 413041 [details]
Crashing input
Comment 2 Radar WebKit Bug Importer 2020-11-03 04:06:55 PST 
<rdar://problem/70989103>
Comment 3 Ryosuke Niwa 2020-11-03 13:11:42 PST 
<rdar://problem/70049851>
Comment 4 Sergio Villar Senin 2020-11-09 02:12:22 PST 
Created attachment 413570 [details]
Patch
Comment 5 Sergio Villar Senin 2020-11-09 03:04:13 PST 
Created attachment 413572 [details]
Test case

This is the test case I came up with in case we want to land it together.
Comment 6 Ryosuke Niwa 2020-11-09 15:56:05 PST 
Is there any security implication here? Or is it just a nullptr crash?
Comment 7 Ryosuke Niwa 2020-11-09 15:56:30 PST 
If there is no security implication, we should land the test as a part of the patch.
Comment 8 Sergio Villar Senin 2020-11-10 00:29:36 PST 
(In reply to Ryosuke Niwa from comment #6)
> Is there any security implication here? Or is it just a nullptr crash?

It's a nullptr dereference.
Comment 9 Ryosuke Niwa 2020-11-11 19:04:10 PST 
(In reply to Sergio Villar Senin from comment #8)
> (In reply to Ryosuke Niwa from comment #6)
> > Is there any security implication here? Or is it just a nullptr crash?
> 
> It's a nullptr dereference.

In that case, can we include the test in the patch?
Comment 10 Sergio Villar Senin 2020-11-12 03:25:49 PST 
Committed r269728: <https://trac.webkit.org/changeset/269728>