From 11553c1392eaa2037e5bcd00db9d29f4163db57a Mon Sep 17 00:00:00 2001
From: Rune Lillesveen
Date: Fri, 20 Nov 2020 12:16:25 +0000
Subject: [PATCH] Check if documentElement needs re-attachment

A fuzzer case caused a crash in LayoutBoxModelObject::BackgroundTransfersToView because the body style was null, but the body still had a layout object since ViewportDefiningElementChanged is called after style recalc but before layout tree re-attachment. We had a guard for NeedsReattachLayoutTree on body for this, but not for the root element. I am not sure how the body can get a null ComputedStyle during recalc without the NeedsReattachLayoutTree being set, but checking the root element as well does fix the fuzzer crash.
Bug: 1150916
Change-Id: Icd1368717a9bd97dbd5ef541733eeab4187ccf93
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2550549
Reviewed-by: Anders Hartvoll Ruud
Commit-Queue: Rune Lillesveen
Cr-Commit-Position: refs/heads/master@{#829625}
---
 third_party/blink/renderer/core/css/style_engine.cc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/third_party/blink/renderer/core/css/style_engine.cc b/third_party/blink/renderer/core/css/style_engine.cc
index 3c77ef95b2b12f..4f340fad64d79b 100644
--- a/third_party/blink/renderer/core/css/style_engine.cc
+++ b/third_party/blink/renderer/core/css/style_engine.cc
@@ -2112,6 +2112,10 @@ void StyleEngine::UpdateStyleAndLayoutTree() {
 }
 
 void StyleEngine::ViewportDefiningElementDidChange() {
+ // Guarded by if-test in UpdateStyleAndLayoutTree().
+ DCHECK(GetDocument().documentElement());
+ if (GetDocument().documentElement()->NeedsReattachLayoutTree())
+ return;
 HTMLBodyElement* body = GetDocument().FirstBodyElement();
 if (!body || body->NeedsReattachLayoutTree())
 return;
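Review bot: The new guard dereferences `GetDocument().documentElement()` with only a DCHECK between it and a null pointer, so in release builds the caller's if-test in UpdateStyleAndLayoutTree() is the sole protection against a null root; hoisting the pointer into a local with a null check, `Element* root = GetDocument().documentElement(); if (!root || root->NeedsReattachLayoutTree()) return;`, keeps the early return, avoids the repeated lookup, and mirrors the `!body ||` pattern on the lines that follow. The description says it is not understood how body ends up with a layout object but a null ComputedStyle without NeedsReattachLayoutTree being set, so a short comment on the added `if` noting that this is a defensive guard for an unexplained state tracked in Bug 1150916 would help the next reader judge whether it is still needed. ViewportDefiningElementDidChange's body continues past the end of the hunk.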