Cherry-pick 272448.252@safari-7618-branch (a797780). https://bugs.web…

…kit.org/show_bug.cgi?id=265820 NULL pointer : crash under RenderLayerCompositor::scrollableAreaForScrollingNodeID() https://bugs.webkit.org/show_bug.cgi?id=265820 rdar://118424482. Reviewed by Simon Fraser. Null RenderLayer pointer in RenderLayerCompositor::scrollableAreaForScrollingNodeID(). As the RenderLayerCompositor has a HashMap which provides a WeakPtr to RenderLayer but the validity of this object is not checked before using. * LayoutTests/fast/rendering/render-compositor-null-layer-crash-expected.txt: Added test expected file. * LayoutTests/fast/rendering/render-compositor-null-layer-crash.html: Added test case. * Source/WebCore/rendering/RenderLayerCompositor.cpp: (WebCore::RenderLayerCompositor::scrollableAreaForScrollingNodeID const): Checked validity of WeakPtr to RenderLayer before accessing it. Canonical link: https://commits.webkit.org/272448.252@safari-7618-branch Canonical link: https://commits.webkit.org/274313.68@webkitglib/2.44
WebKit · Mar 11, 2024 · 8240207 · 8240207
1 parent 1e60cb5
commit 8240207
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 1 deletion.
diff --git a/LayoutTests/fast/rendering/render-compositor-null-layer-crash-expected.txt b/LayoutTests/fast/rendering/render-compositor-null-layer-crash-expected.txt
@@ -0,0 +1,3 @@
+This test passes if it doesn't crash.
+
+
diff --git a/LayoutTests/fast/rendering/render-compositor-null-layer-crash.html b/LayoutTests/fast/rendering/render-compositor-null-layer-crash.html
@@ -0,0 +1,35 @@
+<script>
+function gc() {
+ {
+ }
+}
+function main() {
+var x29 = document.getElementById("x29");
+try { x22.selectionEnd = 87; } catch { }
+try { x29.prepend(x7); } catch { }
+}
+function f4() {
+var x37 = document.getElementById("x37");
+try { v30 = x7.contentDocument; } catch { }
+try { v30.all[98 % v30.all.length].appendChild(x3); } catch { }
+try { x7.data = "x"; } catch { }
+try { x37.height = "1em"; } catch { }
+}
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<body onload="main()">
+    <p>This test passes if it doesn't crash.</p>
+<h4 onfocusin="f4()" part="part0">
+<input id="x22" type="url">
+<small id="x3" itemscope="">
+<a id="x29" href="x">
+<h2 webkitdropzone="link">
+</h2>
+<object id="x37" standby="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">
+</object>
+</small>
+</style>
+</details>
+<object id="x7" data="x">
+</body>
diff --git a/Source/WebCore/rendering/RenderLayerCompositor.cpp b/Source/WebCore/rendering/RenderLayerCompositor.cpp
@@ -5473,7 +5473,10 @@ ScrollableArea* RenderLayerCompositor::scrollableAreaForScrollingNodeID(Scrollin
     if (nodeID == m_renderView.frameView().scrollingNodeID())
         return &m_renderView.frameView();
 
-    return m_scrollingNodeToLayerMap.get(nodeID)->scrollableArea();
+    if (auto weakLayer = m_scrollingNodeToLayerMap.get(nodeID))
+        return weakLayer->scrollableArea();
+
+    return nullptr;
 }
 
 void RenderLayerCompositor::willRemoveScrollingLayerWithBacking(RenderLayer& layer, RenderLayerBacking& backing)