Changeset 150498 in webkit
- Timestamp:
- May 21, 2013 7:36:37 PM (11 years ago)
- Location:
- trunk
- Files:
-
- 2 added
- 4 edited
trunk/LayoutTests/ChangeLog
r150497 r150498 1 2013-05-21 Ryosuke Niwa <rniwa@webkit.org> 2 3 Use-after-free in DOMSelection::containsNode 4 https://bugs.webkit.org/show_bug.cgi?id=116468 5 6 Reviewed by Andreas Kling. 7 8 Add a regression test from https://chromium.googlesource.com/chromium/blink/+/40bb8089352b15dd034641b4c131111cd79b44f1. 9 10 * editing/selection/contains-node-crash-expected.txt: Added. 11 * editing/selection/contains-node-crash.html: Added. 12 1 13 2013-05-21 Gyuyoung Kim <gyuyoung.kim@samsung.com> 2 14 -
trunk/Source/WebCore/ChangeLog
r150496 r150498 1 2013-05-21 Ryosuke Niwa <rniwa@webkit.org> 2 3 Use-after-free in DOMSelection::containsNode 4 https://bugs.webkit.org/show_bug.cgi?id=116468 5 6 Reviewed by Andreas Kling. 7 8 Retain the node pointer. Also bail out early if the node was not in the document 9 since Range::compareBoundaryPoints sets ec to WRONG_DOCUMENT_ERR otherwise. 10 11 Test: editing/selection/contains-node-crash.html 12 13 * page/DOMSelection.cpp: 14 (WebCore::DOMSelection::containsNode): 15 * page/DOMSelection.h: 16 (DOMSelection): 17 1 18 2013-05-21 Joseph Pecoraro <pecoraro@apple.com> 2 19 -
trunk/Source/WebCore/page/DOMSelection.cpp
r142375 r150498 444 444 } 445 445 446 bool DOMSelection::containsNode( constNode* n, bool allowPartial) const446 bool DOMSelection::containsNode(Node* n, bool allowPartial) const 447 447 { 448 448 if (!m_frame) … … 454 454 return false; 455 455 456 ContainerNode* parentNode = n->parentNode(); 457 unsigned nodeIndex = n->nodeIndex(); 456 RefPtr<Node> node = n; 458 457 RefPtr<Range> selectedRange = selection->selection().toNormalizedRange(); 459 458 460 if (!parentNode) 459 ContainerNode* parentNode = node->parentNode(); 460 if (!parentNode || !parentNode->inDocument()) 461 461 return false; 462 unsigned nodeIndex = node->nodeIndex(); 462 463 463 464 ExceptionCode ec = 0; … … 474 475 return false; 475 476 476 return allowPartial || n ->isTextNode();477 return allowPartial || node->isTextNode(); 477 478 } 478 479 -
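Review bot: The statement order in the new containsNode body is load-bearing but undocumented: `RefPtr<Node> node = n;` must come before `toNormalizedRange()`, and `parentNode` and `nodeIndex` must be read after it, so a later cleanup could move them back and reintroduce the use-after-free. I would add a comment above the RefPtr line such as `// Retain n before toNormalizedRange(); read its parent and index only afterwards, the node may be detached by then.` The cause is an inference from the reordering and the changelog's "Retain the node pointer", since the hunk does not show what toNormalizedRange() does. `parentNode` is still a raw `ContainerNode*` and is presumably consumed in the lines elided between 464 and 475; if anything there can mutate the tree, it should be held as `RefPtr<ContainerNode> parentNode = node->parentNode();` too. The early-return checks at 449–453 are also outside the visible lines, so whether `n` is null-checked before `node->parentNode()` cannot be confirmed from this page.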
trunk/Source/WebCore/page/DOMSelection.h
r117249 r150498 85 85 void addRange(Range*); 86 86 void deleteFromDocument(); 87 bool containsNode( constNode*, bool partlyContained) const;87 bool containsNode(Node*, bool partlyContained) const; 88 88 void selectAllChildren(Node*, ExceptionCode&); 89 89