Changeset 209951 in webkit


Timestamp:
Dec 16, 2016 4:48:31 PM
Author:
Alan Bujtas
Message:

Possible nullptr dereference when applying pagination to viewport
https://bugs.webkit.org/show_bug.cgi?id=165926

Reviewed by Simon Fraser.

Static analysis found a code path where a null dereference could occur.

  • page/FrameView.cpp:

(WebCore::FrameView::applyPaginationToViewport):

Location:
trunk/Source/WebCore
Files:
2 edited

  • trunk/Source/WebCore/ChangeLog

    r209948 r209951  
     12016-12-16  Zalan Bujtas  <zalan@apple.com>
     2
     3        Possible nullptr dereference when applying pagination to viewport
     4        https://bugs.webkit.org/show_bug.cgi?id=165926
     5
     6        Reviewed by Simon Fraser.
     7
     8        Static analysis found a code path where a null dereference could occur.
     9       
     10        * page/FrameView.cpp:
     11        (WebCore::FrameView::applyPaginationToViewport):
     12
    1132016-12-16  Ryan Haddad  <ryanhaddad@apple.com>
    214
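Review bot: the ChangeLog entry does not say which pointers could be null; since the FrameView.cpp change guards both `frame().document()` and `documentElement->renderer()`, naming them here (for example, "Guard against a null document and a null document renderer in applyPaginationToViewport") would tell a future reader what the static analyzer flagged without opening the diff.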
  • trunk/Source/WebCore/page/FrameView.cpp

    r209931 r209951  
    748748void FrameView::applyPaginationToViewport()
    749749{
    750     Document* document = frame().document();
    751     auto* documentElement = document->documentElement();
    752     RenderElement* documentRenderer = documentElement ? documentElement->renderer() : nullptr;
    753     RenderElement* documentOrBodyRenderer = documentRenderer;
     750    auto* document = frame().document();
     751    auto* documentElement = document ? document->documentElement() : nullptr;
     752    if (!documentElement || !documentElement->renderer()) {
     753        setPagination(Pagination());
     754        return;
     755    }
     756
     757    auto& documentRenderer = *documentElement->renderer();
     758    auto* documentOrBodyRenderer = &documentRenderer;
     759
    754760    auto* body = document->body();
    755     if (body && body->renderer())
    756         documentOrBodyRenderer = documentRenderer->style().overflowX() == OVISIBLE && is<HTMLHtmlElement>(*documentElement) ? body->renderer() : documentRenderer;
     761    if (body && body->renderer()) {
     762        documentOrBodyRenderer = documentRenderer.style().overflowX() == OVISIBLE && is<HTMLHtmlElement>(*documentElement) ?
     763            body->renderer() : &documentRenderer;
     764    }
    757765
    758766    Pagination pagination;
    759 
    760     if (!documentOrBodyRenderer) {
    761         setPagination(pagination);
    762         return;
    763     }
    764 
    765767    EOverflow overflowY = documentOrBodyRenderer->style().overflowY();
    766768    if (overflowY == OPAGEDX || overflowY == OPAGEDY) {
     
    768770        pagination.gap = static_cast<unsigned>(documentOrBodyRenderer->style().columnGap());
    769771    }
    770 
    771772    setPagination(pagination);
    772773}
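Review bot: the new early return on `!documentElement || !documentElement->renderer()` makes the later `document->body()` call safe only through the implicit invariant that a non-null `documentElement` implies a non-null `document`; an `ASSERT(document)` just before `auto* body = document->body();`, or a one-line comment, would make that reasoning visible to the next reader. The rest of the hunk looks correct: `documentOrBodyRenderer` now starts as `&documentRenderer` and is only reassigned to `body->renderer()` under a `body->renderer()` check, so it can no longer be null and dropping the old `if (!documentOrBodyRenderer)` block preserves behaviour, while both exits set a default `Pagination()` exactly as the removed path did. One small style point: `documentElement->renderer()` is evaluated in the guard and again when binding `documentRenderer`; binding the pointer once (for example `auto* renderer = documentElement->renderer();` before the guard) would avoid the repeated lookup.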