Check if documentElement needs re-attachment

A fuzzer case caused a crash in LayoutBoxModelObject::BackgroundTransfersToView because the body style was null, but the body still had a layout object since ViewportDefiningElementChanged is called after style recalc but before layout tree re-attachment. We had a guard for NeedsReattachLayoutTree on body for this, but not for the root element. I am not sure how the body can get a null ComputedStyle during recalc without the NeedsReattachLayoutTree being set, but checking the root element as well does fix the fuzzer crash. Bug: 1150916 Change-Id: Icd1368717a9bd97dbd5ef541733eeab4187ccf93 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2550549 Reviewed-by: Anders Hartvoll Ruud <andruud@chromium.org> Commit-Queue: Rune Lillesveen <futhark@chromium.org> Cr-Commit-Position: refs/heads/master@{#829625}
blueboxd · Nov 20, 2020 · 11553c1 · 11553c1
1 parent 5c8608a
commit 11553c1
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/third_party/blink/renderer/core/css/style_engine.cc b/third_party/blink/renderer/core/css/style_engine.cc
@@ -2112,6 +2112,10 @@ void StyleEngine::UpdateStyleAndLayoutTree() {
 }
 
 void StyleEngine::ViewportDefiningElementDidChange() {
+  // Guarded by if-test in UpdateStyleAndLayoutTree().
+  DCHECK(GetDocument().documentElement());
+  if (GetDocument().documentElement()->NeedsReattachLayoutTree())
+    return;
   HTMLBodyElement* body = GetDocument().FirstBodyElement();
   if (!body || body->NeedsReattachLayoutTree())
     return;