Context Navigation

Changeset 255113 in webkit

Timestamp:

Jan 24, 2020 5:37:20 PM (4 years ago)

Author:

commit-queue@webkit.org

Message:

Null Ptr Deref READ @ WebCore::RenderMultiColumnFlow::lastMultiColumnSet const
https://bugs.webkit.org/show_bug.cgi?id=206106

Patch by Jack Lee <Jack Lee> on 2020-01-24
Reviewed by Ryosuke Niwa.

Could not write a reproducible fast test case for this.

(WebCore::RenderMultiColumnFlow::lastMultiColumnSet const):

(WebCore::RenderTreeBuilder::MultiColumn::processPossibleSpannerDescendant):

Location:

trunk/Source/WebCore

Files:

-                      r255108
+                      r255113
+-01-24  Jack Lee  <shihchieh_lee@apple.com>
+        Null Ptr Deref READ @ WebCore::RenderMultiColumnFlow::lastMultiColumnSet const
+        https://bugs.webkit.org/show_bug.cgi?id=206106
+        Reviewed by Ryosuke Niwa.
+        Could not write a reproducible fast test case for this.
+        * rendering/RenderMultiColumnFlow.cpp:
+        (WebCore::RenderMultiColumnFlow::lastMultiColumnSet const):
+        * rendering/updating/RenderTreeBuilderMultiColumn.cpp:
+        (WebCore::RenderTreeBuilder::MultiColumn::processPossibleSpannerDescendant):
 -01-24  Wenson Hsieh  <wenson_hsieh@apple.com>

r248846	r255113
75	75	RenderMultiColumnSet* RenderMultiColumnFlow::lastMultiColumnSet() const
76	76	{
	77	ASSERT(multiColumnBlockFlow());
	78
77	79	for (RenderObject* sibling = multiColumnBlockFlow()->lastChild(); sibling; sibling = sibling->previousSibling()) {
78	80	if (is<RenderMultiColumnSet>(*sibling))

-                      r253290
+                      r255113
     RenderObject* insertBeforeMulticolChild = nullptr;
     RenderObject* nextDescendant = &descendant;
+    if (!multicolContainer)
+        return nullptr;
     if (isValidColumnSpanner(flow, descendant)) {

Note: See TracChangeset for help on using the changeset viewer.