From 7743dbe531cf67c333c8e5a4bfaf613f890375f8 Mon Sep 17 00:00:00 2001 From: Steve Kobes Date: Thu, 30 Nov 2023 10:43:59 -0800 Subject: [PATCH] Fix null pointer dereference in AutoscrollController. A fieldset element creates an anonymous block for its contents (see LayoutFieldset::InsertedIntoTree), which may be passed as |scrollable| to AutoscrollController::StartMiddleClickAutoscroll. It seems we don't need to access scrollable->GetNode() in the first place. We can just start the layout tree walk from scrollable itself. Bug: 1488016 Change-Id: I43da256d48f827c818636848abcd659095a94a7c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5076640 Reviewed-by: Dave Tapuska Commit-Queue: Steve Kobes Cr-Commit-Position: refs/heads/main@{#1231408} --- .../crashtests/fieldset-middleclick.html | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 html/rendering/non-replaced-elements/the-fieldset-and-legend-elements/crashtests/fieldset-middleclick.html diff --git a/html/rendering/non-replaced-elements/the-fieldset-and-legend-elements/crashtests/fieldset-middleclick.html b/html/rendering/non-replaced-elements/the-fieldset-and-legend-elements/crashtests/fieldset-middleclick.html new file mode 100644 index 00000000000000..39acf9eca17597 --- /dev/null +++ b/html/rendering/non-replaced-elements/the-fieldset-and-legend-elements/crashtests/fieldset-middleclick.html @@ -0,0 +1,37 @@ + + + + + + + + + +
+

test

+

test

+

test

+

test

+

test

+

test

+
+ + +
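Review bot: the new crashtest fieldset-middleclick.html carries no comment explaining what it exercises, and as rendered here the hunk shows only six repeated blocks of the text "test" with no visible script or reproduction steps that actually perform the middle click that reaches AutoscrollController::StartMiddleClickAutoscroll. Add a short HTML comment at the top of the file that cites Bug 1488016 and states the pass condition (the page must not crash when the contents of a fieldset are middle-clicked), so that someone reading the test in the web-platform-tests tree can tell which layout case (the anonymous content block a fieldset creates) it is meant to cover without reading the Chromium change. Note also that this patch contains only the test ("1 file changed, 37 insertions(+)"); the AutoscrollController change the commit message describes (starting the layout tree walk from |scrollable| rather than from scrollable->GetNode()) is not part of this diff, so the fix itself cannot be reviewed from these lines, only the regression test.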