Changeset 32531 in webkit

Timestamp:

Apr 24, 2008 7:04:15 PM (16 years ago)

Author:

justin.garcia@apple.com

Message:

2008-04-24 Justin Garcia <​justin.garcia@apple.com>

Reviewed by John Sullivan.

It is possible, despite our safeguards, for createMarkup to iterate past the end of the Range
that is passed to it. Added a null check to prevent crashes in this situation (we won't crash but
we will create too much markup), and added an ASSERT to hopefully catch the scenario in a debugger
and help us understand what's going on.

• editing/markup.cpp: (WebCore::createMarkup):

Location:

trunk/WebCore

Files:

• ChangeLog (modified) (1 diff)
• editing/markup.cpp (modified) (1 diff)

trunk/WebCore/ChangeLog

@@ +1 @@
+2008-04-24  Justin Garcia  <justin.garcia@apple.com>
+
+        Reviewed by John Sullivan.
+        
+        It is possible, despite our safeguards, for createMarkup to iterate past the end of the Range
+        that is passed to it.  Added a null check to prevent crashes in this situation (we won't crash but
+        we will create too much markup), and added an ASSERT to hopefully catch the scenario in a debugger 
+        and help us understand what's going on.
+
+        * editing/markup.cpp:
+        (WebCore::createMarkup):
+
 2008-04-24  Mark Rowe  <mrowe@apple.com>
 

trunk/WebCore/editing/markup.cpp

@@ -710 +710 @@
     Node* next;
     for (Node* n = startNode; n != pastEnd; n = next) {
+    
+        // According to <rdar://problem/5730668>, it is possible for n to blow past pastEnd and become null here.  This 
+        // shouldn't be possible.  This null check will prevent crashes (but create too much markup) and the ASSERT will 
+        // hopefully lead us to understanding the problem.
+        ASSERT(n);
+        if (!n)
+            break;
+    
         next = n->traverseNextNode();
         bool skipDescendants = false;