WebKit Bugzilla
NEW
281243
Don't repaint SVG elements not in tree and check for nullptr before dereferencing enclosing layer
https://bugs.webkit.org/show_bug.cgi?id=281243
Pedro Varangot
Reported
2024-10-10 13:17:08 PDT
Found via fuzzing. When using some HTML elements inside a filter element on svg, and modifying the hierarchy with a script, a RenderElement with a null enclosingLayer can dereference a null pointer.
Pedro Varangot
Comment 1
2024-10-10 13:22:37 PDT
<rdar://problem/137178583>
Pedro Varangot
Comment 2
2024-10-10 13:48:37 PDT
Pull request: https://github.com/WebKit/WebKit/pull/34995