[Webkit-unassigned] [Bug 230929] Nullptr deref when accessing m_value.calc in CSSPrimitiveValue::primitiveType()
bugzilla-daemon at webkit.org
Wed Sep 29 17:16:54 PDT 2021
https://bugs.webkit.org/show_bug.cgi?id=230929
--- Comment #3 from Gabriel Nava Marino <gnavamarino at apple.com> ---
(In reply to Darin Adler from comment #2)
> Comment on attachment 439616 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=439616&action=review
>
> > Source/WebCore/ChangeLog:4
> > + Nullptr deref when accessing m_value.calc in CSSPrimitiveValue::primitiveType()
> > + https://bugs.webkit.org/show_bug.cgi?id=230929
>
> Overall this doesn’t look right. Type set to CSS_CALC, but calc pointer set
> to nullptr is an invalid state, and changing all the functions to support
> that isn’t the correct solution.
Thank you for pointing this out. After taking a closer look, I believe we can prevent this state (see below) by how we handle blending from LengthType::FitContent.
>
> Instead I suggest we focus on how we end up in this state and preventing us
> from doing so.
We end up in this bad state as a result of trying to blend from a FitContent LengthType to a Calculated LengthType as a result of the div animation.
The attempt to create a CSSCalcExpressionNode for LengthType::FitContent is not supported, as evidenced by the switch statement falling through to an ASSERT_NOT_REACHED().
I will see if we can prevent this blending action much higher upstream before reaching this code.
>
> > Source/WebCore/css/CSSPrimitiveValue.cpp:436
> > - m_value.calc = c.leakRef();
> > + if (c)
> > + m_value.calc = c.leakRef();
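Review bot: at Source/WebCore/css/CSSPrimitiveValue.cpp:436, wrapping the assignment in `if (c)` means that when `c` is null, `m_value.calc` is simply never written and keeps whatever bytes the union already held, while the unit type still says CSS_CALC; a later read of `m_value.calc` then follows an uninitialized or stale pointer instead of a null one, which is harder to detect and worse to hit. Keep the unconditional `m_value.calc = c.leakRef();` and instead refuse a null expression before this constructor is reached (the blend path that starts from a FitContent length), or at least assert on `c` here so the invalid state fails loudly in debug builds rather than being silently stored.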
>
> This specific change is either a no-op or seems pretty dangerous. It will
> leave m_value.calc uninitialized if this is called with nullptr. That’s not
> *better* than setting it to nullptr.
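The failure mode discussed in this thread, as an added C++ illustration that is not WebKit code: LengthType, Unit, Length, CalcExpression, PrimitiveValue and blendToCalc below are simplified stand-ins for the WebKit types named above, showing the invariant "unit is Calc implies the calc pointer is non-null" enforced at construction and the blend from a FitContent length declined upstream instead of producing a Calc-tagged value with no expression behind it.

```cpp
#include <memory>
#include <optional>
// Stand-ins for the WebKit types named in the thread; none of this is WebKit code.
enum class LengthType { Fixed, Calculated, FitContent };
enum class Unit { Number, Calc };
struct Length { LengthType type; double value; };
struct CalcExpression { double value; Unit resolvedUnit; };
// Models the conversion that has no case for FitContent (the real switch ends
// in ASSERT_NOT_REACHED there): that input yields no expression at all.
std::unique_ptr<CalcExpression> createCalcExpression(const Length& l) {
    if (l.type == LengthType::FitContent)
        return nullptr;
    return std::make_unique<CalcExpression>(CalcExpression{l.value, Unit::Number});
}
class PrimitiveValue {
public:
    // Invariant: m_unit == Unit::Calc implies m_value.calc != nullptr. A null
    // expression is refused at construction, so readers of m_value.calc never
    // meet a Calc-tagged value with nothing behind it.
    static std::optional<PrimitiveValue> fromCalc(std::unique_ptr<CalcExpression> c) {
        if (!c)
            return std::nullopt;
        PrimitiveValue v;
        v.m_unit = Unit::Calc;
        v.m_value.calc = c.release();
        return std::optional<PrimitiveValue>(std::move(v));
    }
    PrimitiveValue(PrimitiveValue&& o) : m_unit(o.m_unit), m_value(o.m_value) { o.m_unit = Unit::Number; }
    PrimitiveValue(const PrimitiveValue&) = delete;
    ~PrimitiveValue() { if (m_unit == Unit::Calc) delete m_value.calc; }
    // Like the real accessor, a Calc-tagged value dereferences its expression.
    Unit primitiveType() const { return m_unit == Unit::Calc ? m_value.calc->resolvedUnit : m_unit; }
private:
    PrimitiveValue() : m_unit(Unit::Number) { m_value.num = 0; }
    Unit m_unit;
    union { double num; CalcExpression* calc; } m_value;
};
// The upstream check: a FitContent endpoint cannot become a calc(), so the blend
// is declined before any Calc-tagged value is built around a null expression.
std::optional<PrimitiveValue> blendToCalc(const Length& from, const Length& to, double progress) {
    if (from.type == LengthType::FitContent || to.type == LengthType::FitContent)
        return std::nullopt;
    auto a = createCalcExpression(from), b = createCalcExpression(to);
    if (!a || !b)
        return std::nullopt;   // defence in depth: never reach fromCalc with a null
    double blended = a->value + (b->value - a->value) * progress;
    return PrimitiveValue::fromCalc(std::make_unique<CalcExpression>(CalcExpression{blended, Unit::Number}));
}
```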
--
You are receiving this mail because:
You are the assignee for the bug.