Null deref crash in DOMWindow::scrollBy after invoking updateLayoutIgnorePendingStyles...
author: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 29 Jan 2020 03:01:58 +0000 (03:01 +0000)
committer: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 29 Jan 2020 03:01:58 +0000 (03:01 +0000)
https://bugs.webkit.org/show_bug.cgi?id=206099

Patch by Pinki Gyanchandani <pgyanchandani@apple.com> on 2020-01-28
Reviewed by Ryosuke Niwa

Source/WebCore:

Added null pointer check for frame in scrollBy function before usage.

Test: fast/dom/Window/window-scroll-ignore-null-frame.html

* page/DOMWindow.cpp:
(WebCore::DOMWindow::scrollBy const):

LayoutTests:

Added a regression test to verify the fix.

* fast/dom/Window/window-scroll-ignore-null-frame.html: Added.
* fast/dom/Window/window-scroll-ignore-null-frame-expected.txt: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@255334 268f45cc-cd09-0410-ab3c-d52691b4dbfc
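The general hazard behind this fix is that a forced layout can run author script (a blur handler here) which detaches the window from its frame, so a frame pointer obtained or checked before the call is stale afterwards. The following is an added example, not WebKit code: it models that re-entrancy with hypothetical stand-in types (Frame, FrameView, Document, DOMWindow are deliberately simplified and do not mirror the real classes) and contrasts the pre-fix shape, which reuses the frame after layout without a fresh check, with the post-fix shape, which re-reads and re-checks it. The guard before layout in the pre-fix shape is an assumption; the hunk above does not show what precedes the layout call.

```cpp
// Added example, not WebKit code. All types here are hypothetical stand-ins.
#include <functional>
#include <memory>

struct FrameView {
    int scrollX = 0;
    void scrollBy(int dx) { scrollX += dx; }
};

struct Frame {
    std::unique_ptr<FrameView> view = std::make_unique<FrameView>();
};

struct Document {
    // Forced layout can dispatch events (focus/blur, etc.) that run author
    // script; this hook models such a side effect.
    std::function<void()> onLayout;
    void updateLayoutIgnorePendingStylesheets() {
        if (onLayout)
            onLayout();
    }
};

enum class ScrollResult { Scrolled, NoFrame, NoView };

struct DOMWindow {
    Document* document;
    Frame* frame;   // cleared when the window is detached from its frame

    DOMWindow(Document* d, Frame* f) : document(d), frame(f) {}

    // Pre-fix shape (assumed): frame validated, layout runs, frame reused
    // without a fresh check. Instead of dereferencing, this returns the
    // pointer the old code would have dereferenced so a caller can inspect it.
    Frame* frameUsedByOldScrollBy() {
        if (!frame)
            return nullptr;
        document->updateLayoutIgnorePendingStylesheets();
        return frame;   // may have become null during layout
    }

    // Post-fix shape: re-read and re-check the frame after the re-entrant
    // call, and only then reach for its view.
    ScrollResult scrollBy(int dx) {
        if (!frame)
            return ScrollResult::NoFrame;
        document->updateLayoutIgnorePendingStylesheets();

        Frame* current = frame;   // re-read after layout, never cached across it
        if (!current)
            return ScrollResult::NoFrame;
        FrameView* view = current->view.get();
        if (!view)
            return ScrollResult::NoView;
        view->scrollBy(dx);
        return ScrollResult::Scrolled;
    }
};

// Scenario 1: nothing runs during layout; the scroll goes through.
int scrollWithQuietLayout(int dx) {
    Document doc;
    Frame frame;
    DOMWindow window(&doc, &frame);
    window.scrollBy(dx);
    return frame.view->scrollX;
}

// Scenario 2: script run by layout detaches the window from its frame, as
// the regression test does by reparenting the iframe from an onblur handler.
ScrollResult scrollWithDetachingLayout() {
    Document doc;
    Frame frame;
    DOMWindow window(&doc, &frame);
    doc.onLayout = [&] { window.frame = nullptr; };
    return window.scrollBy(5);
}

// Same detaching scenario against the pre-fix shape: the pointer it would
// have dereferenced is null.
bool oldCodeWouldDerefNull() {
    Document doc;
    Frame frame;
    DOMWindow window(&doc, &frame);
    doc.onLayout = [&] { window.frame = nullptr; };
    return window.frameUsedByOldScrollBy() == nullptr;
}
```

The point the model makes is that the position of the check matters more than its presence: a guard before a call that can run script proves nothing about the state after it, so any pointer into the frame tree must be re-read once that call returns.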

LayoutTests/ChangeLog
LayoutTests/fast/dom/Window/window-scroll-ignore-null-frame-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/Window/window-scroll-ignore-null-frame.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/page/DOMWindow.cpp

index 2a4215e..41e57eb 100644 (file)
@@ -1,3 +1,15 @@
+2020-01-28  Pinki Gyanchandani  <pgyanchandani@apple.com>
+
+        Null deref crash in DOMWindow::scrollBy after evoking updateLayoutIgnorePendingStylesheets()
+        https://bugs.webkit.org/show_bug.cgi?id=206099
+
+        Reviewed by Ryosuke Niwa
+
+        Added a regression test to verify the fix.
+
+        * fast/dom/Window/window-scroll-ignore-null-frame.html: Added.
+        * fast/dom/Window/window-scroll-ignore-null-frame-expected.txt: Added.
+
 2020-01-28  Zalan Bujtas  <zalan@apple.com>
 
         REGRESSION: [ Mac ] fast/hidpi/image-srcset-relative-svg-canvas-2x.html is a flaky failure
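Review bot: "evoking" in the entry title should be "invoking" (the same wording is in the Source/WebCore entry). The entry also only says a regression test was added; a line on what the test exercises (an onblur handler that reparents the iframe during the forced layout inside scrollBy()) would tell a ChangeLog reader why window-scroll-ignore-null-frame.html exists.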
diff --git a/LayoutTests/fast/dom/Window/window-scroll-ignore-null-frame-expected.txt b/LayoutTests/fast/dom/Window/window-scroll-ignore-null-frame-expected.txt
new file mode 100644 (file)
index 0000000..6b6328c
--- /dev/null
@@ -0,0 +1,4 @@
+Testcase passes if there is no crash
+
+
diff --git a/LayoutTests/fast/dom/Window/window-scroll-ignore-null-frame.html b/LayoutTests/fast/dom/Window/window-scroll-ignore-null-frame.html
new file mode 100644 (file)
index 0000000..f6a61f1
--- /dev/null
@@ -0,0 +1,24 @@
+<html>
+<script>
+
+function runTest() {
+    if (window.testRunner)
+        testRunner.dumpAsText();
+
+    select1.appendChild(inputParent);
+    input1.autofocus = true;
+    input1.setSelectionRange(1, 0);
+    document.body.appendChild(input1);
+    frame1.contentWindow.scrollBy({left: 1, top: 0});
+}
+
+</script>
+
+<body onload=runTest()>
+<iframe id="frame1"></iframe>
+<div style="display: none" id="inputParent"><input id="input1"></div>
+<select id="select1" onblur="inputParent.appendChild(frame1)"></select>
+<p>Testcase passes if there is no crash </p>
+
+</body>
+</html>
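Review bot: the test has no comment saying why this particular sequence crashes, and it is not obvious from reading it: the onblur handler on select1 reparents frame1 into the display:none div inputParent, and the test relies on that blur firing during the layout forced by frame1.contentWindow.scrollBy(), so that the iframe's frame is gone when scrollBy reaches frame()->view(). A one-line comment above runTest() stating that would save the next person from reconstructing it. Minor: the file has no <!DOCTYPE html> and reaches elements through named window properties (select1, inputParent, input1, frame1) rather than document.getElementById; both are common in existing layout tests, so optional.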
index a9aa8db..ccc0b1e 100644 (file)
@@ -1,3 +1,17 @@
+2020-01-28  Pinki Gyanchandani  <pgyanchandani@apple.com>
+
+        Null deref crash in DOMWindow::scrollBy after evoking updateLayoutIgnorePendingStylesheets()
+        https://bugs.webkit.org/show_bug.cgi?id=206099
+
+        Reviewed by Ryosuke Niwa
+
+        Added null pointer check for frame in scrollBy function before usage.
+
+        Test: fast/dom/Window/window-scroll-ignore-null-frame.html
+
+        * page/DOMWindow.cpp:
+        (WebCore::DOMWindow::scrollBy const):
+
 2020-01-28  Chris Dumez  <cdumez@apple.com>
 
         REGRESSION (r252064): [ Mac iOS ] storage/websql/statement-error-callback.html is timing out flakily
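Review bot: the entry says a null check was added but not why frame() can be null at that point, which is the actual finding: updateLayoutIgnorePendingStylesheets() can run script (a blur handler in the test) that detaches the window from its frame, so the frame has to be re-read after that call rather than before it. It also omits that the view is now held through makeRefPtr(frame->view()) instead of a raw FrameView*, a lifetime change worth a sentence. Both belong in the ChangeLog.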
index 463895b..0aa80cb 100644 (file)
@@ -1683,7 +1683,11 @@ void DOMWindow::scrollBy(const ScrollToOptions& options) const
 
     document()->updateLayoutIgnorePendingStylesheets();
 
-    FrameView* view = frame()->view();
+    auto* frame = this->frame();
+    if (!frame)
+        return;
+
+    auto view = makeRefPtr(frame->view());
     if (!view)
         return;
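Review bot: the frame check sits in the right place, after document()->updateLayoutIgnorePendingStylesheets() rather than before it, and frame is re-read via this->frame() after that call instead of being cached across it; that is the part to keep if this code is touched again. Two things to confirm: document() at the top of the hunk is still dereferenced unchecked before the layout call, and the context here does not show the guard that makes that safe, so check that the existing early return covers a null document; and auto view = makeRefPtr(frame->view()) changes lifetime handling (the view is retained for the rest of the function), which is fine but should either be stated in the ChangeLog or, if retention is not needed, left as auto* view to keep the change minimal.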