RESOLVED CONFIGURATION CHANGED 232512
Avoid corrupting the hashmap and subsequent nullptr deref by checking that the LayoutUnit is not a deleted value.
https://bugs.webkit.org/show_bug.cgi?id=232512
John Cunningham
Reported 2021-10-29 15:19:33 PDT
Fix a null ptr deref by checking that newOffset is a valid key before adding to the HashMap.
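Why a key-validity check before insertion matters, as an added example that is not WebKit's code and not part of the attached patch: a toy open-addressing map (the hypothetical `ToyMap`, with constructed sentinel values) that reserves two key values as slot markers. Inserting a reserved key unchecked leaves the element count and the lookup result in disagreement, so a caller that dereferences the lookup result hits a null pointer.

```cpp
#include <array>
#include <climits>
#include <cstddef>

// Toy open-addressing map from int keys to int values. Two key values are
// reserved as slot markers, as sentinel-based hash tables do.
// All names and values are hypothetical; this is not WTF::HashMap.
struct ToyMap {
    static constexpr int kEmpty = INT_MAX;        // slot never used
    static constexpr int kDeleted = INT_MAX - 1;  // tombstone left by a removal
    static constexpr std::size_t kCapacity = 8;   // callers stay below this

    struct Slot { int key = kEmpty; int value = 0; };
    std::array<Slot, kCapacity> slots{};
    std::size_t count = 0;

    static bool isValidKey(int key) { return key != kEmpty && key != kDeleted; }
    static std::size_t home(int key) { return static_cast<unsigned>(key) % kCapacity; }

    // Unchecked insert: stores whatever key it is given in the first free slot.
    void addUnchecked(int key, int value) {
        for (std::size_t i = 0; i < kCapacity; ++i) {
            Slot& s = slots[(home(key) + i) % kCapacity];
            if (s.key == key && isValidKey(s.key)) { s.value = value; return; }
            if (s.key == kEmpty || s.key == kDeleted) {
                s.key = key; s.value = value; ++count; return;
            }
        }
    }

    // Guarded insert: reject reserved keys before touching the table.
    bool add(int key, int value) {
        if (!isValidKey(key))
            return false;
        addUnchecked(key, value);
        return true;
    }

    // Lookup skips tombstones and stops at the first never-used slot.
    const int* find(int key) const {
        for (std::size_t i = 0; i < kCapacity; ++i) {
            const Slot& s = slots[(home(key) + i) % kCapacity];
            if (s.key == kEmpty) return nullptr;
            if (s.key != kDeleted && s.key == key) return &s.value;
        }
        return nullptr;
    }
};
```

After `addUnchecked(ToyMap::kDeleted, ...)` the map reports one element, yet `find` returns `nullptr` for it and the next insert that probes that slot overwrites it as if it were a tombstone.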
Attachments
Patch (2.73 KB, patch)
2021-10-29 15:20 PDT, John Cunningham
no flags
Patch (2.73 KB, patch)
2021-10-29 15:25 PDT, John Cunningham
no flags
Patch (4.11 KB, patch)
2021-11-02 14:23 PDT, John Cunningham
no flags
Patch (3.64 KB, patch)
2021-11-03 17:29 PDT, John Cunningham
ews-feeder: commit-queue-
John Cunningham
Comment 1 2021-10-29 15:20:05 PDT
John Cunningham
Comment 2 2021-10-29 15:25:09 PDT
Alexey Proskuryakov
Comment 3 2021-11-01 13:47:55 PDT
Comment on attachment 442873 Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=442873&action=review

> Source/WebCore/ChangeLog:8
> + No new tests (OOPS!).

Can a test be added for this?
John Cunningham
Comment 4 2021-11-02 14:23:30 PDT
John Cunningham
Comment 5 2021-11-02 14:27:49 PDT
Wenson Hsieh
Comment 6 2021-11-02 14:47:29 PDT
Comment on attachment 443134 Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=443134&action=review

It looks like the newly added test is failing on test runners.

> Source/WebCore/page/scrolling/ScrollSnapOffsetsInfo.cpp:291
> + if (offsets.isValidKey(newOffset)) {

Nit - we generally prefer early returns over multiline if statements like this.
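Review bot: at ScrollSnapOffsetsInfo.cpp:291 the isValidKey(newOffset) guard skips an invalid newOffset silently, and nothing in the visible line says how such a LayoutUnit value can reach this point or that leaving it out of the map is the intended outcome. A one-line comment above the check stating both would help the next reader, and it fits naturally with the early-return form suggested above.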
John Cunningham
Comment 7 2021-11-03 17:29:57 PDT
Radar WebKit Bug Importer
Comment 8 2021-11-05 15:20:19 PDT
youenn fablet
Comment 9 2022-11-10 07:52:01 PST
This patch is no longer necessary, closing bug.