mirror of
https://github.com/LadybirdBrowser/ladybird
synced 2026-04-26 01:35:08 +02:00
perform_a_scroll_of_the_viewport() accesses paintable_box() without ensuring layout is up to date. This can lead to a null dereference if the paintable tree was torn down (e.g. by adding a dialog to the top layer via showModal()) between the last layout update and the scroll. One concrete path: Window::scroll() has an optimization that skips update_layout when scrolling to (0, 0), but still calls perform_a_scroll_of_the_viewport if the viewport is at a non-zero position. Fix by adding an update_layout call at the top of perform_a_scroll_of_the_viewport.
30 lines
969 B
HTML
```html
<!DOCTYPE html>
<style>
    div {
        height: 5000px;
    }
</style>
<div></div>
<dialog id="d">Hello</dialog>
<script src="include.js"></script>
<script>
    test(() => {
        // Scroll down first. This triggers update_layout and sets viewport offset.
        window.scrollTo(0, 100);

        // showModal() adds the dialog to the top layer, which calls
        // invalidate_layout_tree(), tearing down the paintable tree
        // (setting m_paintable to null on the Document).
        d.showModal();

        // Scroll to (0, 0). Window::scroll has an optimization that skips
        // update_layout when scrolling to (0, 0), but since the viewport is
        // currently at y=100, it still calls perform_a_scroll_of_the_viewport.
        // Without the update_layout call inside perform_a_scroll_of_the_viewport,
        // this would null-deref paintable_box().
        window.scrollTo(0, 0);

        println("PASS (didn't crash)");
    });
</script>
```
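As an added example (not Ladybird's code), here is a simplified C++ model of the control flow the commit message describes: a paintable tree that can be torn down, a scroll routine that assumes it exists, and the (0, 0) shortcut in Window::scroll. All names are hypothetical stand-ins for the real functions, and the model returns false where the real code would dereference null, so the bad ordering can be asserted on instead of crashing.

```cpp
// Simplified model of the layout/paintable ordering bug; not Ladybird's code.
#include <memory>

struct PaintableBox { int scroll_x = 0; int scroll_y = 0; };

struct Document {
    std::unique_ptr<PaintableBox> paintable;   // stands in for m_paintable
    int viewport_x = 0, viewport_y = 0;

    // Rebuilds the paintable tree if it was torn down.
    void update_layout() { if (!paintable) paintable = std::make_unique<PaintableBox>(); }
    // Models showModal() adding to the top layer: invalidate_layout_tree() drops it.
    void invalidate_layout_tree() { paintable.reset(); }
    PaintableBox* paintable_box() { return paintable.get(); }
};

// Returns false instead of dereferencing null so the ordering bug is observable.
// 'fixed' toggles the one-line fix: call update_layout() before touching paintable_box().
bool perform_a_scroll_of_the_viewport(Document& doc, int x, int y, bool fixed) {
    if (fixed) doc.update_layout();
    auto* box = doc.paintable_box();
    if (!box) return false;                    // real code would null-deref here
    box->scroll_x = x; box->scroll_y = y;
    doc.viewport_x = x; doc.viewport_y = y;
    return true;
}

// Models Window::scroll(): skips update_layout when the target is (0,0), but
// still scrolls when the viewport is not already at the origin.
bool window_scroll(Document& doc, int x, int y, bool fixed) {
    if (!(x == 0 && y == 0)) doc.update_layout();
    if (doc.viewport_x == x && doc.viewport_y == y) return true;   // nothing to do
    return perform_a_scroll_of_the_viewport(doc, x, y, fixed);
}

// Replays the test page: scrollTo(0, 100); showModal(); scrollTo(0, 0).
bool replay_scenario(bool fixed) {
    Document doc;
    window_scroll(doc, 0, 100, fixed);
    doc.invalidate_layout_tree();
    return window_scroll(doc, 0, 0, fixed);
}

// Same teardown, but scrolling to a non-origin target: the shortcut is not taken,
// so update_layout runs first and the unfixed path is safe.
bool replay_non_origin_scroll(bool fixed) {
    Document doc;
    window_scroll(doc, 0, 100, fixed);
    doc.invalidate_layout_tree();
    return window_scroll(doc, 0, 50, fixed);
}
```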