commit 7fa28a6de0132d99bb674dc8cdbe5f367f1bc3c8
author commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Fri Jan 07 19:34:59 2022 +0000
committer commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Fri Jan 07 19:34:59 2022 +0000
tree 0a05a76c497b9636afb96f7deeb9f669b96c87af
parent 67b1f1792a710e8647e66ff932bfc8cc008168a5

nullptr deref in ComputeFloatOffsetForLineLayoutAdapter<FloatingObject::FloatLeft>::updateOffsetIfNeeded
https://bugs.webkit.org/show_bug.cgi?id=234018

Patch by Gabriel Nava Marino <gnavamarino@apple.com> on 2022-01-07
Reviewed by Darin Adler.

In RenderBlockFlow::subtreeContainsFloat and RenderBlockFlow::subtreeContainsFloats we now will
use a non-recursive iterator and return true when we find something, or then return false at the
end of the function.

* rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::subtreeContainsFloat const):
(WebCore::RenderBlockFlow::subtreeContainsFloats const):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@287771 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/rendering/RenderBlockFlow.cpp

diff --git a/Source/WebCore/rendering/RenderBlockFlow.cpp b/Source/WebCore/rendering/RenderBlockFlow.cpp
index ebeda9e..1eaf2d2 100644
--- a/Source/WebCore/rendering/RenderBlockFlow.cpp
+++ b/Source/WebCore/rendering/RenderBlockFlow.cpp
@@ -1951,26 +1951,34 @@
 
 bool RenderBlockFlow::subtreeContainsFloat(RenderBox& renderer) const
 {
-    bool contains = m_floatingObjects && m_floatingObjects->set().contains<FloatingObjectHashTranslator>(renderer);
-    for (auto& block : childrenOfType<RenderBlock>(*this)) {
+    if (containsFloat(renderer))
+        return true;
+
+    for (auto& block : descendantsOfType<RenderBlock>(const_cast<RenderBlockFlow&>(*this))) {
         if (!is<RenderBlockFlow>(block))
             continue;
         auto& blockFlow = downcast<RenderBlockFlow>(block);
-        contains |= blockFlow.subtreeContainsFloat(renderer);
+        if (blockFlow.containsFloat(renderer))
+            return true;
     }
-    return contains;
+
+    return false;
 }
 
 bool RenderBlockFlow::subtreeContainsFloats() const
 {
-    bool contains = m_floatingObjects && !m_floatingObjects->set().isEmpty();
-    for (auto& block : childrenOfType<RenderBlock>(*this)) {
+    if (containsFloats())
+        return true;
+
+    for (auto& block : descendantsOfType<RenderBlock>(const_cast<RenderBlockFlow&>(*this))) {
         if (!is<RenderBlockFlow>(block))
             continue;
         auto& blockFlow = downcast<RenderBlockFlow>(block);
-        contains |= blockFlow.subtreeContainsFloats();
+        if (blockFlow.containsFloats())
+            return true;
     }
-    return contains;
+
+    return false;
 }
 
 void RenderBlockFlow::styleDidChange(StyleDifference diff, const RenderStyle* oldStyle)