rdar://117803684 ([5d1fa25f3fa41fc3] ASAN_SEGV | WebCore::RenderBox::repaintLayerRectsForImage; WebCore::RenderBox::imageChanged; WebCore::CachedImage::notifyObservers)

Reviewed by Matt Woodrow.

This checks for a non-unexpected case where an Element has no direct layer to render to.

* LayoutTests/fast/svg/svg_should_not_crash-expected.txt: Added.
* LayoutTests/fast/svg/svg_should_not_crash.html: Added.
* Source/WebCore/rendering/RenderBox.cpp:
(WebCore::RenderBox::repaintLayerRectsForImage):

Canonical link: https://commits.webkit.org/270487@main
mscottapple authored and mattwoodrow committed Nov 9, 2023
1 parent a6666b9 commit 64eea79
Showing 3 changed files with 18 additions and 1 deletion.
3 changes: 3 additions & 0 deletions LayoutTests/fast/svg/svg_should_not_crash-expected.txt
@@ -0,0 +1,3 @@
layer at (0,0) size 800x600
RenderView at (0,0) size 800x600
RenderSVGText {text}
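Review bot: the expectation for svg_should_not_crash.html is a three-line render-tree dump (`layer at (0,0) size 800x600`, `RenderView at (0,0) size 800x600`, `RenderSVGText {text}`), which ties a crash-regression test to layout-tree output that can shift across platforms and with unrelated rendering changes. Since the only property under test is that the page does not crash, consider calling `testRunner.dumpAsText()` from the test and emitting a single PASS line so the expectation stays stable.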
13 changes: 13 additions & 0 deletions LayoutTests/fast/svg/svg_should_not_crash.html
@@ -0,0 +1,13 @@
<script>
function freememory() {
}
function jsfuzzer() {
var00016 = document.createElementNS("http://www.w3.org/2000/svg", "text");
var00046 = var00016.style;
var00046.setProperty("background", "url(data:image/gif;base64,R0lGODlhEAAQAMQAAORHHOVSKudfOulrSOp3WOyDZu6QdvCchPGolfO0o/XBs/fNwfjZ0frl3/zy7////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAkAABAALAAAAAAQABAAAAVVICSOZGlCQAosJ6mu7fiyZeKqNKToQGDsM8hBADgUXoGAiqhSvp5QAnQKGIgUhwFUYLCVDFCrKUE1lBavAViFIDlTImbKC5Gm2hB0SlBCBMQiB0UjIQA7) 450%");
var00146 = svgvar00001.getRootNode();
var00146.replaceChild(var00016,var00146.childNodes[17%var00146.childNodes.length]);
}
</script>
<body onload=jsfuzzer()>
<svg id="svgvar00001" clip-rule="evenodd">
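Review bot: the test still carries fuzzer residue that obscures what it exercises: the empty `freememory()` function is never called, `clip-rule="evenodd"` plays no part in the scenario, and `var00146.childNodes[17%var00146.childNodes.length]` hides which node is actually replaced. Rename the `var000NN` variables, replace the modulo with the intended index, and add a comment explaining that replacing a child of the root node with an SVG `<text>` element that has a background image is what drives `repaintLayerRectsForImage` into the `documentElement()` path fixed in RenderBox.cpp. The file also ends on the unclosed `<svg id="svgvar00001" clip-rule="evenodd">` and has no `<!DOCTYPE html>`; close the element and, if the expectation is switched to text output, add `if (window.testRunner) testRunner.dumpAsText();` at the top of the script.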
3 changes: 2 additions & 1 deletion Source/WebCore/rendering/RenderBox.cpp
@@ -2098,7 +2098,8 @@ bool RenderBox::repaintLayerRectsForImage(WrappedImagePtr image, const FillLayer
// (since root backgrounds cover the canvas, not just the element). If the root element
// is composited though, we need to issue the repaint to that root element.
auto documentElementRenderer = downcast<RenderBox>(document().documentElement()->renderer());
if (documentElementRenderer->layer()->isComposited())
auto rendererLayer = documentElementRenderer->layer();
if (rendererLayer && rendererLayer->isComposited())
layerRenderer = documentElementRenderer;
} else {
layerRenderer = this;
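Review bot: the new null check covers only the layer, not the renderer it is read from: `document().documentElement()->renderer()` is pushed through `downcast<RenderBox>` and dereferenced on the very next line, so a document element with no renderer (or with a renderer that is not a RenderBox) still crashes before `rendererLayer` is ever examined. Suggest `auto* documentElementRenderer = dynamicDowncast<RenderBox>(document().documentElement()->renderer());` followed by an early bail-out when it is null, or fold the renderer and layer checks into one condition. The comment above the hunk still describes only the composited-root case; extend it to say that the root element may have no layer at all, which is the case this change is guarding against.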
