Changeset 150498 in webkit

Timestamp:
May 21, 2013 7:36:37 PM (11 years ago)
Author:
rniwa@webkit.org
Message:

Use-after-free in DOMSelection::containsNode
https://bugs.webkit.org/show_bug.cgi?id=116468

Reviewed by Andreas Kling.

Source/WebCore:

Retain the node pointer. Also bail out early if the node was not in the document
since Range::compareBoundaryPoints sets ec to WRONG_DOCUMENT_ERR otherwise.

Test: editing/selection/contains-node-crash.html

  • page/DOMSelection.cpp:

(WebCore::DOMSelection::containsNode):

  • page/DOMSelection.h:

(DOMSelection):

LayoutTests:

Add a regression test from https://chromium.googlesource.com/chromium/blink/+/40bb8089352b15dd034641b4c131111cd79b44f1.

  • editing/selection/contains-node-crash-expected.txt: Added.
  • editing/selection/contains-node-crash.html: Added.
Location:
trunk
Files:
2 added
4 edited

  • trunk/LayoutTests/ChangeLog

    r150497 r150498  
     12013-05-21  Ryosuke Niwa  <rniwa@webkit.org>
     2
     3        Use-after-free in DOMSelection::containsNode
     4        https://bugs.webkit.org/show_bug.cgi?id=116468
     5
     6        Reviewed by Andreas Kling.
     7
     8        Add a regression test from https://chromium.googlesource.com/chromium/blink/+/40bb8089352b15dd034641b4c131111cd79b44f1.
     9
     10        * editing/selection/contains-node-crash-expected.txt: Added.
     11        * editing/selection/contains-node-crash.html: Added.
     12
    1132013-05-21  Gyuyoung Kim  <gyuyoung.kim@samsung.com>
    214
  • trunk/Source/WebCore/ChangeLog

    r150496 r150498  
     12013-05-21  Ryosuke Niwa  <rniwa@webkit.org>
     2
     3        Use-after-free in DOMSelection::containsNode
     4        https://bugs.webkit.org/show_bug.cgi?id=116468
     5
     6        Reviewed by Andreas Kling.
     7
     8        Retain the node pointer. Also bail out early if the node was not in the document
     9        since Range::compareBoundaryPoints sets ec to WRONG_DOCUMENT_ERR otherwise.
     10
     11        Test: editing/selection/contains-node-crash.html
     12
     13        * page/DOMSelection.cpp:
     14        (WebCore::DOMSelection::containsNode):
     15        * page/DOMSelection.h:
     16        (DOMSelection):
     17
    1182013-05-21  Joseph Pecoraro  <pecoraro@apple.com>
    219
  • trunk/Source/WebCore/page/DOMSelection.cpp

    r142375 r150498  
    444444}
    445445
    446 bool DOMSelection::containsNode(const Node* n, bool allowPartial) const
     446bool DOMSelection::containsNode(Node* n, bool allowPartial) const
    447447{
    448448    if (!m_frame)
     
    454454        return false;
    455455
    456     ContainerNode* parentNode = n->parentNode();
    457     unsigned nodeIndex = n->nodeIndex();
     456    RefPtr<Node> node = n;
    458457    RefPtr<Range> selectedRange = selection->selection().toNormalizedRange();
    459458
    460     if (!parentNode)
     459    ContainerNode* parentNode = node->parentNode();
     460    if (!parentNode || !parentNode->inDocument())
    461461        return false;
     462    unsigned nodeIndex = node->nodeIndex();
    462463
    463464    ExceptionCode ec = 0;
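Review bot: the reorder is the substantive part of this hunk and should be documented in the code: `parentNode` and `nodeIndex` are now read only after `selection->selection().toNormalizedRange()`, immediately after `RefPtr<Node> node = n;`, so a later tidy-up that moves those two lines back above the range computation would silently undo part of this fix. Suggest a one-line comment above `RefPtr<Node> node = n;` saying that the node must be kept alive and that its parent and index are deliberately read only after the range has been computed. Also, `parentNode` stays a raw `ContainerNode*` even though `node` is now held in a `RefPtr`; if it is only consumed by the `compareBoundaryPoints` calls that follow (not visible in this hunk) that is fine, but a `RefPtr<ContainerNode>` would make the lifetime reasoning self-evident.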
     
    474475        return false;
    475476
    476     return allowPartial || n->isTextNode();
     477    return allowPartial || node->isTextNode();
    477478}
    478479
  • trunk/Source/WebCore/page/DOMSelection.h

    r117249 r150498  
    8585        void addRange(Range*);
    8686        void deleteFromDocument();
    87         bool containsNode(const Node*, bool partlyContained) const;
     87        bool containsNode(Node*, bool partlyContained) const;
    8888        void selectAllChildren(Node*, ExceptionCode&);
    8989
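Review bot: the parameter is named `partlyContained` in this declaration but `allowPartial` in `DOMSelection.cpp`; since the signature is being touched anyway to drop `const`, align the names, e.g. `bool containsNode(Node*, bool allowPartial) const;`, so the header states the same semantics the implementation uses. The `const` removal itself is needed because `RefPtr<Node> node = n;` in the .cpp cannot be constructed from a `const Node*`, which is worth a sentence in the ChangeLog entry so the API change does not look accidental.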