Changeset 219385 in webkit
- Timestamp: Jul 12, 2017 12:02:25 AM (7 years ago)
- Location: trunk/Source/WebCore
- Files: 2 edited
trunk/Source/WebCore/ChangeLog
r219384 r219385 1 2017-07-12 Carlos Garcia Campos <cgarcia@igalia.com> 2 3 [GTK] Crashes in WebCore::PasteboardHelper::fillSelectionData when source file of drag is unavailable 4 https://bugs.webkit.org/show_bug.cgi?id=174161 5 6 Reviewed by Michael Catanzaro. 7 8 It seems selection data could contain an empty string, in which case gtk_selection_data_get_data() returns a 9 valid pointer, but gtk_selection_data_get_length() returns 0. When this happens we end up trying to split an 10 empty string resulting in an empty vector, but we unconditionally access the first element of the vector. 11 12 * platform/gtk/PasteboardHelper.cpp: 13 (WebCore::selectionDataToUTF8String): Return a null string in case selection data length is 0. 14 (WebCore::PasteboardHelper::fillSelectionData): Return early if selection data length is 0, instead of checking 15 the selection data pointer. 16 1 17 2017-07-11 Carlos Garcia Campos <cgarcia@igalia.com> 2 18 -
trunk/Source/WebCore/platform/gtk/PasteboardHelper.cpp
r218615 r219385 86 86 static String selectionDataToUTF8String(GtkSelectionData* data) 87 87 { 88 if (!gtk_selection_data_get_length(data)) 89 return String(); 90 88 91 // g_strndup guards against selection data that is not null-terminated. 89 92 GUniquePtr<gchar> markupString(g_strndup(reinterpret_cast<const char*>(gtk_selection_data_get_data(data)), gtk_selection_data_get_length(data))); … … 207 210 void PasteboardHelper::fillSelectionData(GtkSelectionData* data, unsigned /* info */, SelectionData& selection) 208 211 { 209 if (!gtk_selection_data_get_ data(data))212 if (!gtk_selection_data_get_length(data)) 210 213 return; 211 214
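Review bot: In selectionDataToUTF8String the new guard `if (!gtk_selection_data_get_length(data))` only matches a length of exactly 0, while the same length is passed as the byte count to g_strndup two lines later. gtk_selection_data_get_length() returns a signed gint, so a negative length would skip the guard and reach g_strndup as a size. Consider reading the length once into a local, returning String() when it is <= 0, and reusing that local in the g_strndup call instead of calling the getter twice.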
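Review bot: In fillSelectionData the `!gtk_selection_data_get_length(data)` check replaces the `!gtk_selection_data_get_data(data)` check instead of being added to it, so a null data pointer no longer causes an early return unless the length is also exactly 0. If a null pointer with a nonzero (for example negative) length can reach this function, keep the pointer check as well or test `gtk_selection_data_get_length(data) <= 0`. A short comment stating that empty selection data has a valid pointer but zero length, as the ChangeLog entry explains, would also help the next reader.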