LibWeb: Prevent null deref in collapsed whitespace check

The spec even warned us about the reference potentially being null.
Author: https://github.com/gmta Commit: f88c13a58c Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/2844
2025-07-15 21:41:58 +00:00 · 2024-12-08 23:10:03 +01:00 · 2024-12-08 23:10:03 +01:00 · f88c13a58c · 2024-12-10 13:55:42 +00:00
commit f88c13a58c
parent d5143db081
1 changed files with 11 additions and 7 deletions
--- a/Libraries/LibWeb/Editing/Internal/Algorithms.cpp
+++ b/Libraries/LibWeb/Editing/Internal/Algorithms.cpp
@ -873,20 +873,20 @@ bool is_collapsed_whitespace_node(GC::Ref<DOM::Node> node)
        ancestor = ancestor->parent();

    // 7. Let reference be node.
-    auto reference = node;
+    GC::Ptr<DOM::Node> reference = node;

    // 8. While reference is a descendant of ancestor:
    while (reference->is_descendant_of(*ancestor)) {
        // 1. Let reference be the node before it in tree order.
-        reference = *reference->previous_in_pre_order();
+        reference = reference->previous_in_pre_order();

        // 2. If reference is a block node or a br, return true.
-        if (is_block_node(reference) || is<HTML::HTMLBRElement>(*reference))
+        if (is_block_node(*reference) || is<HTML::HTMLBRElement>(*reference))
            return true;

        // 3. If reference is a Text node that is not a whitespace node, or is an img, break from
        //    this loop.
-        if ((is<DOM::Text>(*reference) && !is_whitespace_node(reference)) || is<HTML::HTMLImageElement>(*reference))
+        if ((is<DOM::Text>(*reference) && !is_whitespace_node(*reference)) || is<HTML::HTMLImageElement>(*reference))
            break;
    }

@ -896,15 +896,19 @@ bool is_collapsed_whitespace_node(GC::Ref<DOM::Node> node)
    // 10. While reference is a descendant of ancestor:
    while (reference->is_descendant_of(*ancestor)) {
        // 1. Let reference be the node after it in tree order, or null if there is no such node.
-        reference = *reference->next_in_pre_order();
+        reference = reference->next_in_pre_order();
+
+        // NOTE: Both steps below and the loop condition require a reference, so break if it's null.
+        if (!reference)
+            break;

        // 2. If reference is a block node or a br, return true.
-        if (is_block_node(reference) || is<HTML::HTMLBRElement>(*reference))
+        if (is_block_node(*reference) || is<HTML::HTMLBRElement>(*reference))
            return true;

        // 3. If reference is a Text node that is not a whitespace node, or is an img, break from
        //    this loop.
-        if ((is<DOM::Text>(*reference) && !is_whitespace_node(reference)) || is<HTML::HTMLImageElement>(*reference))
+        if ((is<DOM::Text>(*reference) && !is_whitespace_node(*reference)) || is<HTML::HTMLImageElement>(*reference))
            break;
    }