Don't crash when RenderStyle is NULL for elements like optgroup when

rendering https://bugs.webkit.org/show_bug.cgi?id=248575 Reviewed by Simon Fraser. * LayoutTests/fast/rendering/render-style-null-optgroup-crash-expected.txt: Added. * LayoutTests/fast/rendering/render-style-null-optgroup-crash.html: Added. * Source/WebCore/rendering/RenderListBox.cpp: (WebCore::RenderListBox::paintItemForeground): (WebCore::RenderListBox::paintItemBackground): Canonical link: https://commits.webkit.org/257295@main
Constellation · Dec 2, 2022 · 3244603 · 3244603
1 parent cf600d6
commit 3244603
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 8 deletions.
diff --git a/LayoutTests/fast/rendering/render-style-null-optgroup-crash-expected.txt b/LayoutTests/fast/rendering/render-style-null-optgroup-crash-expected.txt
@@ -0,0 +1 @@
+PASS
diff --git a/LayoutTests/fast/rendering/render-style-null-optgroup-crash.html b/LayoutTests/fast/rendering/render-style-null-optgroup-crash.html
@@ -0,0 +1,22 @@
+<style>
+.class4:optional,*:focus-within { auto;display: contents }
+</style>
+<script>
+function f1() {
+    try { x = document.caretRangeFromPoint(); } catch { }
+    try { y = x.commonAncestorContainer; } catch { }
+    try { z.selectionDirection = "backward"; } catch { }
+    try { y.innerHTML = "PASS"; } catch { }
+}
+
+if (window.testRunner) {
+    testRunner.dumpAsText();
+}
+
+</script>
+<iframe translate="yes">
+</iframe>
+<details open="" onfocusin="f1()">
+<select autofocus="" multiple="" required="">
+<optgroup webkitdropzone="copy">
+<textarea id="z" rows="1024">
diff --git a/Source/WebCore/rendering/RenderListBox.cpp b/Source/WebCore/rendering/RenderListBox.cpp
@@ -451,9 +451,11 @@ void RenderListBox::paintItemForeground(PaintInfo& paintInfo, const LayoutPoint&
     const auto& listItems = selectElement().listItems();
     RefPtr listItemElement = listItems[listIndex].get();
 
-    auto& itemStyle = *listItemElement->computedStyle();
+    auto itemStyle = listItemElement->computedStyle();
+    if (!itemStyle)
+        return;
 
-    if (itemStyle.visibility() == Visibility::Hidden)
+    if (itemStyle->visibility() == Visibility::Hidden)
         return;
 
     String itemText;
@@ -467,7 +469,7 @@ void RenderListBox::paintItemForeground(PaintInfo& paintInfo, const LayoutPoint&
     if (itemText.isNull())
         return;
 
-    Color textColor = itemStyle.visitedDependentColorWithColorFilter(CSSPropertyColor);
+    Color textColor = itemStyle->visitedDependentColorWithColorFilter(CSSPropertyColor);
     if (isOptionElement && downcast<HTMLOptionElement>(*listItemElement).selected()) {
         if (frame().selection().isFocusedAndActive() && document().focusedElement() == &selectElement())
             textColor = theme().activeListBoxSelectionForegroundColor(styleColorOptions());
@@ -478,10 +480,10 @@ void RenderListBox::paintItemForeground(PaintInfo& paintInfo, const LayoutPoint&
 
     paintInfo.context().setFillColor(textColor);
 
-    TextRun textRun(itemText, 0, 0, ExpansionBehavior::allowRightOnly(), itemStyle.direction(), isOverride(itemStyle.unicodeBidi()), true);
+    TextRun textRun(itemText, 0, 0, ExpansionBehavior::allowRightOnly(), itemStyle->direction(), isOverride(itemStyle->unicodeBidi()), true);
     FontCascade itemFont = style().fontCascade();
     LayoutRect r = itemBoundingBoxRect(paintOffset, listIndex);
-    r.move(itemOffsetForAlignment(textRun, &itemStyle, itemFont, r));
+    r.move(itemOffsetForAlignment(textRun, itemStyle, itemFont, r));
 
     if (is<HTMLOptGroupElement>(*listItemElement)) {
         auto description = itemFont.fontDescription();
@@ -498,7 +500,9 @@ void RenderListBox::paintItemBackground(PaintInfo& paintInfo, const LayoutPoint&
 {
     const auto& listItems = selectElement().listItems();
     RefPtr listItemElement = listItems[listIndex].get();
-    auto& itemStyle = *listItemElement->computedStyle();
+    auto itemStyle = listItemElement->computedStyle();
+    if (!itemStyle)
+        return;
 
     Color backColor;
     if (is<HTMLOptionElement>(*listItemElement) && downcast<HTMLOptionElement>(*listItemElement).selected()) {
@@ -507,10 +511,10 @@ void RenderListBox::paintItemBackground(PaintInfo& paintInfo, const LayoutPoint&
         else
             backColor = theme().inactiveListBoxSelectionBackgroundColor(styleColorOptions());
     } else
-        backColor = itemStyle.visitedDependentColorWithColorFilter(CSSPropertyBackgroundColor);
+        backColor = itemStyle->visitedDependentColorWithColorFilter(CSSPropertyBackgroundColor);
 
     // Draw the background for this list box item
-    if (itemStyle.visibility() == Visibility::Hidden)
+    if (itemStyle->visibility() == Visibility::Hidden)
         return;
 
     LayoutRect itemRect = itemBoundingBoxRect(paintOffset, listIndex);