Bug 234375 - null ptr deref in WebCore::findPlaceForCounter
Summary: null ptr deref in WebCore::findPlaceForCounter
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Gabriel Nava Marino
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-12-15 18:02 PST by Gabriel Nava Marino
Modified: 2021-12-17 10:04 PST
CC: 10 users

See Also:


Attachments
Patch (3.82 KB, patch)
2021-12-15 18:14 PST, Gabriel Nava Marino
no flags
Patch (3.90 KB, patch)
2021-12-16 10:45 PST, Gabriel Nava Marino
no flags

Description Gabriel Nava Marino 2021-12-15 18:02:27 PST
Since parentOrPseudoHostElement can return a nullptr, we need to check for that before trying to access the renderer() of the Element object it returns.
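The pattern behind this report, as an added example that is not WebKit code and not the reporter's patch: an ancestor walk in the style of findPlaceForCounter, written once without and once with the null check. Element, Renderer, parentElementOf() and the sample tree are hypothetical stand-ins for WebCore's Element, RenderObject, parentOrPseudoHostElement() and a real render tree; the page does not say which input makes the real function return nullptr, so here it is simply the element with no parent.

```cpp
// Added example (not WebKit code). A minimal model of the ancestor walk that
// findPlaceForCounter performs. Element, Renderer and parentElementOf() are
// hypothetical stand-ins for WebCore's Element, RenderObject and
// parentOrPseudoHostElement(). Which input makes the real helper return nullptr
// is not stated in the bug; in this model the root simply has no parent.
#include <cstdio>
#include <memory>
#include <string>

struct Renderer {
    bool hasCounterReset = false; // stands in for a counter-reset on the element's style
};

struct Element {
    std::string name;
    Element* parent = nullptr;           // nullptr at the root of the tree
    std::unique_ptr<Renderer> renderer;  // may also be null (an element that is not rendered)
};

// Stand-in for parentOrPseudoHostElement(): may return nullptr.
Element* parentElementOf(const Element& e) { return e.parent; }

// 'Before': the pattern this bug reports. The parent is dereferenced without a
// null check, so walking past the root dereferences nullptr. Kept only to show
// the hazard side by side with the fix; not called below.
const Element* findCounterResetAncestorUnchecked(const Element& start) {
    const Element* current = &start;
    for (;;) {
        Element* parent = parentElementOf(*current);
        Renderer* r = parent->renderer.get(); // undefined behaviour when parent == nullptr
        if (r && r->hasCounterReset)
            return parent;
        current = parent;
    }
}

// 'After': test the pointer before touching the renderer, and stop at the root.
// A parent without a renderer is skipped rather than dereferenced as well.
const Element* findCounterResetAncestor(const Element& start) {
    const Element* current = &start;
    while (Element* parent = parentElementOf(*current)) {
        Renderer* r = parent->renderer.get();
        if (r && r->hasCounterReset)
            return parent;
        current = parent;
    }
    return nullptr; // reached an element with no parent without finding a reset
}

// Constructed sample tree: root -> body -> li. body's renderer carries the reset,
// root has no renderer at all, and 'detached' has no parent (the case that crashed).
struct SampleTree {
    Element root, body, li, detached;
    SampleTree() {
        root.name = "root";
        body.name = "body";
        body.parent = &root;
        body.renderer = std::make_unique<Renderer>();
        body.renderer->hasCounterReset = true;
        li.name = "li";
        li.parent = &body;
        li.renderer = std::make_unique<Renderer>();
        detached.name = "detached";
    }
};

const SampleTree& sampleTree() {
    static SampleTree tree;
    return tree;
}

int main() {
    const SampleTree& t = sampleTree();
    const Element* elements[] = { &t.li, &t.body, &t.detached };
    for (const Element* e : elements) {
        const Element* found = findCounterResetAncestor(*e);
        std::printf("%-8s -> %s\n", e->name.c_str(), found ? found->name.c_str() : "(none)");
    }
    return 0;
}
```

The only behavioural difference between the two walks is where the loop ends: the fixed version folds the null test into the loop condition, so the walk terminates at the first element without a parent instead of reading through it.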
Comment 1 Gabriel Nava Marino 2021-12-15 18:13:02 PST
<rdar://problem/86518846>
Comment 2 Gabriel Nava Marino 2021-12-15 18:14:38 PST
Created attachment 447305 [details]
Patch
Comment 3 zalan 2021-12-15 18:47:04 PST
Comment on attachment 447305 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=447305&action=review

> Source/WebCore/ChangeLog:11
> +        Since parentOrPseudoHostElement can return a nullptr, we need to check for nullptr before trying to
> +        access the renderer() of the Element pointer it returns.

Could you explain why parentOrPseudoHostElement() returns nullptr in here?

> Source/WebCore/rendering/RenderCounter.cpp:315
> +                        auto parent = parentOrPseudoHostElement(*currentRenderer);
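Review bot: the quoted line only stores the result of parentOrPseudoHostElement(*currentRenderer); since the ChangeLog entry above says that call can return nullptr, the null test must be the very next statement, before any `parent->renderer()` access (for example `if (!parent) break;`, or fold the test into the enclosing loop condition). The guard itself is outside the quoted context, so confirm it directly follows this line rather than a later use of `parent`.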

I'd write it like auto* parent = parentOrPseudoHostElement(*currentRenderer);
Comment 4 Gabriel Nava Marino 2021-12-16 10:45:23 PST
Created attachment 447372 [details]
Patch
Comment 5 EWS 2021-12-17 10:03:59 PST
Committed r287194 (245361@main): <https://commits.webkit.org/245361@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 447372 [details].