
From 617f1c4c9c7f1525abc47967d4c7734fed3ff525 Mon Sep 17 00:00:00 2001
From: Antti Koivisto <antti@apple.com>
Date: Mon, 20 May 2024 11:36:34 -0700
Subject: [PATCH] Cherry-pick 279005@main (c2f9092d3a8e).
 https://bugs.webkit.org/show_bug.cgi?id=268770

    Nullptr crash due to `display:block ruby` and continuations
    https://bugs.webkit.org/show_bug.cgi?id=268770
    rdar://121960530

    Reviewed by Alan Baradlay.

    Continuations may end up splitting the anonymous 'display:ruby' box inside a block ruby.

    * LayoutTests/fast/ruby/ruby-block-continuation-crash-expected.txt: Added.
    * LayoutTests/fast/ruby/ruby-block-continuation-crash.html: Added.
    * Source/WebCore/rendering/updating/RenderTreeBuilderRuby.cpp:
    (WebCore::RenderTreeBuilder::Ruby::findOrCreateParentForStyleBasedRubyChild):

    Find the correct anonymous box from nested continuation structure.

    Canonical link: https://commits.webkit.org/279005@main

Canonical link: https://commits.webkit.org/274313.286@webkitglib/2.44
---
 .../ruby/ruby-block-continuation-crash-expected.txt |  3 +++
 .../fast/ruby/ruby-block-continuation-crash.html    |  9 +++++++++
 .../rendering/updating/RenderTreeBuilderRuby.cpp    | 13 ++++++++++---
 3 files changed, 22 insertions(+), 3 deletions(-)
 create mode 100644 LayoutTests/fast/ruby/ruby-block-continuation-crash-expected.txt
 create mode 100644 LayoutTests/fast/ruby/ruby-block-continuation-crash.html

diff --git a/LayoutTests/fast/ruby/ruby-block-continuation-crash-expected.txt b/LayoutTests/fast/ruby/ruby-block-continuation-crash-expected.txt
new file mode 100644
index 000000000000..f85a15505104
--- /dev/null
+++ b/LayoutTests/fast/ruby/ruby-block-continuation-crash-expected.txt
@@ -0,0 +1,3 @@
+base with
+forced
+line break annotation This test passes if it doesn't crash.
diff --git a/LayoutTests/fast/ruby/ruby-block-continuation-crash.html b/LayoutTests/fast/ruby/ruby-block-continuation-crash.html
new file mode 100644
index 000000000000..3f762d4236ea
--- /dev/null
+++ b/LayoutTests/fast/ruby/ruby-block-continuation-crash.html
@@ -0,0 +1,9 @@
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<ruby style="position: absolute">
+  <rb><span>base with <div>forced</div> line break</span></rb>
+  <rt>annotation</rt>
+</ruby>
+This test passes if it doesn't crash.
diff --git a/Source/WebCore/rendering/updating/RenderTreeBuilderRuby.cpp b/Source/WebCore/rendering/updating/RenderTreeBuilderRuby.cpp
index 62d8b6803323..9f7634612822 100644
--- a/Source/WebCore/rendering/updating/RenderTreeBuilderRuby.cpp
+++ b/Source/WebCore/rendering/updating/RenderTreeBuilderRuby.cpp
@@ -271,10 +271,17 @@ RenderElement& RenderTreeBuilder::Ruby::findOrCreateParentForStyleBasedRubyChild
     if (!child.isRenderText() && child.style().display() == DisplayType::Ruby && parent.style().display() == DisplayType::RubyBlock)
         return parent;
 
-    if (parent.style().display() == DisplayType::RubyBlock && parent.firstChild()) {
+    if (parent.style().display() == DisplayType::RubyBlock) {
         // See if we have an anonymous ruby box already.
-        ASSERT(parent.firstChild()->style().display() == DisplayType::Ruby);
-        return downcast<RenderElement>(*parent.firstChild());
+        // FIXME: It should be the immediate child but continuations can break this assumption.
+        for (CheckedPtr first = parent.firstChild(); first; first = first->firstChildSlow()) {
+            if (!first->isAnonymous()) {
+                ASSERT_NOT_REACHED();
+                break;
+            }
+            if (first->style().display() == DisplayType::Ruby)
+                return downcast<RenderElement>(*first);
+        }
     }
 
     if (parent.style().display() != DisplayType::Ruby) {
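Review bot: The `downcast<RenderElement>(*first)` on the returning line assumes the node that matched is an element, but the loop only checks `isAnonymous()` and the display type, and a RenderText reports its parent's style, so an anonymous text node on the first-child chain would pass the display test and then fail the downcast instead of taking the ASSERT/break path. Folding the type check into the guard, `if (!first->isAnonymous() || !is<RenderElement>(*first)) {`, keeps the unexpected shape on the asserting branch. In release builds that `break` falls through to the code below the hunk, which presumably creates a fresh anonymous box; a one-line comment such as `// Release builds fall through to the creation path below.` would make that intent explicit. findOrCreateParentForStyleBasedRubyChild begins before this hunk and continues after it.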
-- 
2.45.2
