Changeset 255083 in webkit


Timestamp:
Jan 24, 2020 11:12:46 AM
Author:
commit-queue@webkit.org
Message:

Nullptr deref in WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation when an element is inserted before legend under multi-column layout.
https://bugs.webkit.org/show_bug.cgi?id=206109

Patch by Jack Lee <Jack Lee> on 2020-01-24
Reviewed by Antti Koivisto.

Source/WebCore:

Test: fast/forms/fieldset/fieldset-crash-insert-before-legend-under-multicol.html

  • rendering/updating/RenderTreeBuilderBlockFlow.cpp:

(WebCore::RenderTreeBuilder::BlockFlow::attach):

LayoutTests:

  • fast/forms/fieldset/fieldset-crash-insert-before-legend-under-multicol-expected.txt: Added.
  • fast/forms/fieldset/fieldset-crash-insert-before-legend-under-multicol.html: Added.
Location:
trunk
Files:
2 added
3 edited

  • trunk/LayoutTests/ChangeLog

    r255079 r255083  
     12020-01-24  Jack Lee  <shihchieh_lee@apple.com>
     2
     3        Nullptr deref in WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation when an element is inserted before legend under multi-column layout.
     4        https://bugs.webkit.org/show_bug.cgi?id=206109
     5
     6        Reviewed by Antti Koivisto.
     7
     8        * fast/forms/fieldset/fieldset-crash-insert-before-legend-under-multicol-expected.txt: Added.
     9        * fast/forms/fieldset/fieldset-crash-insert-before-legend-under-multicol.html: Added.
     10
    1112020-01-24  Lauro Moura  <lmoura@igalia.com>
    212
  • trunk/Source/WebCore/ChangeLog

    r255081 r255083  
     12020-01-24  Jack Lee  <shihchieh_lee@apple.com>
     2
     3        Nullptr deref in WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation when an element is inserted before legend under multi-column layout.
     4        https://bugs.webkit.org/show_bug.cgi?id=206109
     5
     6        Reviewed by Antti Koivisto.
     7
     8        Test: fast/forms/fieldset/fieldset-crash-insert-before-legend-under-multicol.html
     9
     10        * rendering/updating/RenderTreeBuilderBlockFlow.cpp:
     11        (WebCore::RenderTreeBuilder::BlockFlow::attach):
     12
    1132020-01-24  Per Arne Vollan  <pvollan@apple.com>
    214
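Review bot: the Source/WebCore ChangeLog entry names the touched function but gives no rationale for the change, which WebKit ChangeLog entries normally carry for a crash fix. One sentence would do, and it is already implied by the code: a legend child of a fieldset never goes into the multi-column flow (line 42's `!parent.isFieldset() || !child->isLegend()`), so the legend cannot serve as `beforeChild` when attaching into that flow; the new branch passes `nullptr` instead.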
  • trunk/Source/WebCore/rendering/updating/RenderTreeBuilderBlockFlow.cpp

    r235521 r255083  
    4040void RenderTreeBuilder::BlockFlow::attach(RenderBlockFlow& parent, RenderPtr<RenderObject> child, RenderObject* beforeChild)
    4141{
    42     if (parent.multiColumnFlow() && (!parent.isFieldset() || !child->isLegend()))
     42    if (parent.multiColumnFlow() && (!parent.isFieldset() || !child->isLegend())) {
     43        if (parent.isFieldset() && beforeChild && beforeChild->isLegend())
     44            return m_builder.blockBuilder().attach(*parent.multiColumnFlow(), WTFMove(child), nullptr);
     45
    4346        return m_builder.attach(*parent.multiColumnFlow(), WTFMove(child), beforeChild);
     47    }
     48
    4449    auto* beforeChildOrPlaceholder = beforeChild;
    4550    if (auto* containingFragmentedFlow = parent.enclosingFragmentedFlow())
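Review bot: lines 43-44 avoid the null dereference by passing `nullptr` as `beforeChild`, which appends the new child after everything already in the multi-column flow, even though in the DOM it was inserted before the legend and therefore before all of the fieldset's other content. If render-tree order is meant to follow DOM order here, the flow's first child (the content immediately after the legend) is the natural anchor, e.g. `m_builder.attach(*parent.multiColumnFlow(), WTFMove(child), parent.multiColumnFlow()->firstChild())`; if appending is intentional, a comment saying why would help, since the added test is named as a crash test and would not catch an ordering regression. Separately, line 44 calls `m_builder.blockBuilder().attach(...)` directly while the adjacent line 46 routes through `m_builder.attach(...)`; bypassing the builder's dispatch for only one of the two paths deserves either a consistent call or a comment explaining the difference.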