Renderinline::offsetForInFlowPositionedInline causes a null-deref of …

…a laybox on repaint. https://bugs.webkit.org/show_bug.cgi?id=255552. rdar://107952390. Reviewed by Alan Baradlay. Line layout codepath invalidation is triggered by JS which issues a repaint on the newly inserted renderer. The newly inserted renderer is used for geometry computations and which calls offsetForInFlowPositionedInline in case of inline boxes. This tries to access the lineBoxes assocaited with the renderers but they invalidated by previous repaints. This leads to null deref of the lineboxes. * LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint-expected.txt: Added. * LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint.html: Added. * Source/WebCore/rendering/RenderBlockFlow.cpp: (WebCore::RenderBlockFlow::isLineLayoutPresent const): * Source/WebCore/rendering/RenderBlockFlow.h: * Source/WebCore/rendering/RenderInline.cpp: (WebCore::RenderInline::offsetForInFlowPositionedInline const): Originally-landed-as: 259548.678@safari-7615-branch (7c662f5). rdar://107952390 Canonical link: https://commits.webkit.org/266452@main
WebKit · Jul 31, 2023 · 51d7c77 · 51d7c77
1 parent b09ccb2
commit 51d7c77
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 0 deletions.
diff --git a/LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint-expected.txt b/LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint-expected.txt
@@ -0,0 +1 @@
+PASS if no crash.
diff --git a/LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint.html b/LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint.html
@@ -0,0 +1,17 @@
+<style>
+.class7 { position: relative; }
+</style>
+<script>
+function test() {
+  if (window.testRunner)
+    testRunner.dumpAsText();
+
+  document.all[5].appendChild(htmlvar);
+  document.body.innerHTML = 'PASS if no crash.';
+}
+</script>
+<body onload=test()>
+<image src="data:image/gif;base64"></image>
+<table id="htmlvar" layout="fixed"></table>
+<font class="class7">
+<dialog open="true">
diff --git a/Source/WebCore/rendering/RenderInline.cpp b/Source/WebCore/rendering/RenderInline.cpp
@@ -894,6 +894,11 @@ LayoutSize RenderInline::offsetForInFlowPositionedInline(const RenderBox* child)
         inlinePosition = LayoutUnit::fromFloatRound(firstLineBox()->logicalLeft());
         blockPosition = firstLineBox()->logicalTop();
     } else if (LayoutIntegration::LineLayout::containing(*this)) {
+        if (!layoutBox()) {
+            // Repaint may be issued on subtrees during content mutation with newly inserted renderers.
+            ASSERT(needsLayout());
+            return LayoutSize();
+        }
         if (auto inlineBox = InlineIterator::firstInlineBoxFor(*this)) {
             inlinePosition = LayoutUnit::fromFloatRound(inlineBox->logicalLeftIgnoringInlineDirection());
             blockPosition = inlineBox->logicalTop();