jsc_fuz/wktr: null ptr deref in WebCore::SVGResources::buildCachedRes…

…ources(WebCore::RenderElement const&, WebCore::RenderStyle const&) + 368 (SVGResources.cpp:251)

https://bugs.webkit.org/show_bug.cgi?id=263224
rdar://116386835.

Reviewed by Chris Dumez.

Modified SVGResources::buildCachedResources API in order to consider passed svg with NULL mask-image.

Test : LayoutTests/svg/crash-svg-null-maskimage.html

* Source/WebCore/rendering/svg/SVGResources.cpp : Modified to check if the maskImage variable is not NULL before dereferrencing.
* LayoutTests/svg/crash-svg-null-maskimage.html : Added test case.
* LayoutTests/svg/crash-svg-null-maskimage-expected.txt : Added test expected file.

Canonical link: https://commits.webkit.org/269561@main

LayoutTests/svg/crash-svg-null-maskimage-expected.txt

@@ -0,0 +1 @@
+This test passes if it doesn't crash.

LayoutTests/svg/crash-svg-null-maskimage.html

@@ -0,0 +1,8 @@
+<body>
+<svg style="mask-image: none, url()"></svg>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<p>This test passes if it doesn't crash.</p>
+</body>

Source/WebCore/rendering/svg/SVGResources.cpp

@@ -254,7 +254,7 @@ std::unique_ptr<SVGResources> SVGResources::buildCachedResources(const RenderEle
         if (style.hasPositionedMask()) {
             // FIXME: We should support all the values in the CSS mask property, but for now just use the first mask-image if it's a reference.
             auto* maskImage = style.maskImage();
-            auto reresolvedURL = maskImage->reresolvedURL(document);
+            auto reresolvedURL = maskImage ? maskImage->reresolvedURL(document) : URL();
 
             if (!reresolvedURL.isEmpty()) {
                 auto resourceID = SVGURIReference::fragmentIdentifierFromIRIString(reresolvedURL.string(), document);