Bug 232512 - Avoid corrupting the hashmap and subsequent nullptr deref by checking that the LayoutUnit is not a deleted value.
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2021-10-29 15:19 PDT by John Cunningham
Modified: 2021-11-05 15:20 PDT
CC: 9 users

Attachments
Patch (2.73 KB, patch), 2021-10-29 15:20 PDT, John Cunningham, no flags
Patch (2.73 KB, patch), 2021-10-29 15:25 PDT, John Cunningham, no flags
Patch (4.11 KB, patch), 2021-11-02 14:23 PDT, John Cunningham, no flags
Patch (3.64 KB, patch), 2021-11-03 17:29 PDT, John Cunningham, flags: johncunningham: review?, ews-feeder: commit-queue-

Description John Cunningham 2021-10-29 15:19:33 PDT
Fix a null ptr deref by checking that newOffset is a valid key before adding to the HashMap.
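To show the failure class this bug describes, here is an added example that is not WebKit code: a toy open-addressing map that, like WTF::HashMap, reserves "empty" and "deleted" sentinel key values for its own bookkeeping (the raw sentinel values are an assumption), an unchecked insert that stores a sentinel key and thereby corrupts the table, and the isValidKey() guard that the fix applies before adding.

```cpp
#include <climits>
#include <cstdint>
#include <optional>
#include <vector>
// Added example, not WebKit code; the raw sentinel key values are an assumption made here.
struct SentinelMap {
    static constexpr int32_t kEmpty = INT_MIN;       // bucket never used
    static constexpr int32_t kDeleted = INT_MIN + 1; // tombstone left by remove()
    static bool isValidKey(int32_t key) { return key != kEmpty && key != kDeleted; }
    // Buggy path: a sentinel key lands in a bucket every lookup treats as empty or deleted, so the entry is lost.
    void setUnchecked(int32_t key, int value) {
        size_t i = home(key);
        while (isValidKey(keys_[i]) && keys_[i] != key)
            i = (i + 1) % keys_.size();
        keys_[i] = key; values_[i] = value;
    }
    bool set(int32_t key, int value) { // fixed path: refuse sentinel keys instead of corrupting the table
        if (!isValidKey(key)) return false;
        setUnchecked(key, value); return true;
    }
    std::optional<int> get(int32_t key) const {
        size_t i = find(key);
        return i < keys_.size() ? std::optional<int>(values_[i]) : std::nullopt;
    }
    bool remove(int32_t key) {
        size_t i = find(key);
        if (i < keys_.size()) keys_[i] = kDeleted; // tombstone: later probes step over it
        return i < keys_.size();
    }
    size_t home(int32_t key) const { return (static_cast<uint32_t>(key) * 2654435761u) % keys_.size(); }
    // Probing stops at an empty bucket and skips tombstones, so a sentinel key is never found; returns size() if absent.
    size_t find(int32_t key) const {
        for (size_t i = home(key), n = 0; isValidKey(key) && keys_[i] != kEmpty && n < keys_.size(); i = (i + 1) % keys_.size(), ++n)
            if (keys_[i] == key) return i;
        return keys_.size();
    }
    std::vector<int32_t> keys_ = std::vector<int32_t>(16, kEmpty);
    std::vector<int> values_ = std::vector<int>(16, 0);
};
// "Add, then find" holds for valid keys but fails after an unchecked sentinel insert; the checked set() reports the refusal.
bool sentinelEntryIsLost() {
    SentinelMap m;
    m.setUnchecked(SentinelMap::kDeleted, 42);
    return !m.get(SentinelMap::kDeleted) && !m.set(SentinelMap::kDeleted, 42);
}
bool validKeysRoundTrip() {
    SentinelMap m;
    return m.set(7, 70) && m.get(7) == 70 && m.remove(7) && !m.get(7) && m.set(7, 71) && m.get(7) == 71;
}
```

A caller that trusts "add succeeded" and then dereferences the lookup result is exactly where the lost entry turns into the null dereference the bug title describes.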
Comment 1 John Cunningham 2021-10-29 15:20:05 PDT
Created attachment 442872 [details]
Patch
Comment 2 John Cunningham 2021-10-29 15:25:09 PDT
Created attachment 442873 [details]
Patch
Comment 3 Alexey Proskuryakov 2021-11-01 13:47:55 PDT
Comment on attachment 442873 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=442873&action=review

> Source/WebCore/ChangeLog:8
> +        No new tests (OOPS!).

Can a test be added for this?
Comment 4 John Cunningham 2021-11-02 14:23:30 PDT
Created attachment 443134 [details]
Patch
Comment 5 John Cunningham 2021-11-02 14:27:49 PDT
<rdar://84450793>
Comment 6 Wenson Hsieh 2021-11-02 14:47:29 PDT
Comment on attachment 443134 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=443134&action=review

It looks like the newly added test is failing on test runners.

> Source/WebCore/page/scrolling/ScrollSnapOffsetsInfo.cpp:291
> +        if (offsets.isValidKey(newOffset)) {
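Review bot: the guard at ScrollSnapOffsetsInfo.cpp:291 silently drops an offset whose LayoutUnit equals the HashMap's reserved deleted (or empty) sentinel; add a short comment stating how newOffset can take that value, and say in the ChangeLog whether skipping such an offset is acceptable for snapping or whether it should be clamped to a valid key instead, so the skip is not later mistaken for a logic error.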

Nit - we generally prefer early returns over multiline if statements like this.
Comment 7 John Cunningham 2021-11-03 17:29:57 PDT
Created attachment 443260 [details]
Patch
Comment 8 Radar WebKit Bug Importer 2021-11-05 15:20:19 PDT
<rdar://problem/85087814>