[Webkit-unassigned] [Bug 253165] New: Make sure child is a RenderElement before trying to pass it into shouldChildInlineMarginContributeToContainerIntrinsicSize in RenderBlock::computeBlockPreferredLogicalWidths

Wed Mar 1 09:54:34 PST 2023

https://bugs.webkit.org/show_bug.cgi?id=253165

            Bug ID: 253165
           Summary: Make sure child is a RenderElement before trying to
                    pass it into
                    shouldChildInlineMarginContributeToContainerIntrinsicS
                    ize in RenderBlock::computeBlockPreferredLogicalWidths
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sgill26 at apple.com
                CC: bfulgham at webkit.org, simon.fraser at apple.com,
                    zalan at apple.com

The assumption about this code currently is that child cannot be a RenderText within RenderBlock::computeBlockPreferredLogicalWidths. That assumption is wrong and can lead to a nullptr dereference. We should check the result of the cast before trying to pass it in

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20230301/d28ae2a5/attachment.htm>