[Webkit-unassigned] [Bug 230929] Nullptr deref when accessing m_value.calc in CSSPrimitiveValue::primitiveType()

bugzilla-daemon at webkit.org
Wed Sep 29 18:26:46 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=230929

--- Comment #4 from Darin Adler <darin at apple.com> ---
Comment on attachment 439616
  --> https://bugs.webkit.org/attachment.cgi?id=439616
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=439616&action=review

>>> Source/WebCore/css/CSSPrimitiveValue.cpp:436
>>> +        m_value.calc = c.leakRef();
>> 
>> This specific change is either a no-op or seems pretty dangerous. It will leave m_value.calc uninitialized if this is called with nullptr. That’s not *better* than setting it to nullptr.

Thinking further about this, even if we fix the true cause of the null CSSCalcValue, I suggest we also change this init function to either take Ref<CSSCalcValue> instead of RefPtr<CSSCalcValue>, like all the other init functions, or change it so that if it’s passed nullptr it returns early and does nothing, leaving the primitive unit type set to the default CSS_UNKNOWN.

-- 
You are receiving this mail because:
You are the assignee for the bug.
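As an added illustration (not WebKit's code and not the patch under review), a cut-down C++ type that reproduces the shape of the bug in this thread and the early-return fix suggested in the comment above; CalcValue, PrimitiveValue, UnitType and the three driver functions are hypothetical names.

```cpp
// Hypothetical stand-ins for the WebKit types discussed in this bug.
struct CalcValue {
    int category;  // what primitiveType() would read through the calc pointer
};

enum class UnitType { Unknown, Number, Calc };

struct PrimitiveValue {
    UnitType unit = UnitType::Unknown;
    union {
        double num;
        const CalcValue* calc;
    } m_value { 0.0 };  // only the member matching `unit` is meaningful

    // Vulnerable shape: the unit type is switched to Calc before the pointer
    // is checked, so a null input leaves unit == Calc with calc never set,
    // and primitiveType() then reads through a stale or null pointer.
    void initCalcUnsafe(const CalcValue* c) {
        unit = UnitType::Calc;
        if (c)
            m_value.calc = c;
    }

    // Hardened shape (the early-return option from the comment): a null input
    // returns before the unit type changes, so the value stays Unknown and
    // primitiveType() never touches m_value.calc.
    bool initCalcSafe(const CalcValue* c) {
        if (!c)
            return false;
        unit = UnitType::Calc;
        m_value.calc = c;
        return true;
    }

    // -1 stands for the Unknown unit; only Calc dereferences the pointer.
    int primitiveType() const {
        switch (unit) {
        case UnitType::Calc: return m_value.calc->category;
        case UnitType::Number: return 0;
        default: return -1;
        }
    }
};

// Drivers over constructed inputs, so each path returns a checkable value.
int safeInitWithValue() { CalcValue cv{7}; PrimitiveValue v; v.initCalcSafe(&cv); return v.primitiveType(); }
int safeInitWithNull() { PrimitiveValue v; v.initCalcSafe(nullptr); return v.primitiveType(); }
bool unsafeNullLeavesCalcUnit() { PrimitiveValue v; v.initCalcUnsafe(nullptr); return v.unit == UnitType::Calc; }
```

The unsafe driver deliberately stops at inspecting `unit`: calling primitiveType() on that object is exactly the null dereference the bug title describes.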