Changeset 247734 in webkit

Timestamp:

Jul 23, 2019, 12:50:17 PM (6 years ago)

Author:

Simon Fraser

Message:

Fix crashes in ScrollingStateNode::insertChild()
​https://bugs.webkit.org/show_bug.cgi?id=200023
rdar://problem/53265378

Reviewed by Darin Adler.

Crash data suggest that ScrollingStateNode::insertChild() can be passed an index that
is larger than the size of the vector, causing crashes.

Fix defensively by falling back to append() if the passed index is equal to or larger
than the size of the children vector.

• page/scrolling/ScrollingStateNode.cpp:

(WebCore::ScrollingStateNode::insertChild):

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• page/scrolling/ScrollingStateNode.cpp (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ -229 +229 @@
 
         * Scripts/SettingsTemplates/Settings.cpp.erb:
+
+2019-07-22  Simon Fraser  <simon.fraser@apple.com>
+
+        Fix crashes in ScrollingStateNode::insertChild()
+        https://bugs.webkit.org/show_bug.cgi?id=200023
+        rdar://problem/53265378
+
+        Reviewed by Darin Adler.
+
+        Crash data suggest that ScrollingStateNode::insertChild() can be passed an index that
+        is larger than the size of the vector, causing crashes.
+
+        Fix defensively by falling back to append() if the passed index is equal to or larger
+        than the size of the children vector.
+
+        * page/scrolling/ScrollingStateNode.cpp:
+        (WebCore::ScrollingStateNode::insertChild):
 
 2019-07-22  Simon Fraser  <simon.fraser@apple.com>

trunk/Source/WebCore/page/scrolling/ScrollingStateNode.cpp

@@ -117 +117 @@
     }
 
-    m_children->insert(index, WTFMove(childNode));
+    if (index > m_children->size()) {
+        ASSERT_NOT_REACHED();  // Crash data suggest we can get here.
+        m_children->append(WTFMove(childNode));
+    } else
+        m_children->insert(index, WTFMove(childNode));
+    
     setPropertyChanged(ChildNodes);
 }