Changeset 65587 in webkit

Timestamp:

Aug 18, 2010 12:37:56 AM (14 years ago)

Author:

abarth@webkit.org

Message:

2010-08-18 Adam Barth <​abarth@webkit.org>

Reviewed by Adele Peterson.

Null dereference in DOMSelection::deleteFromDocument
​https://bugs.webkit.org/show_bug.cgi?id=44153

deleteFromDocument checks selection->isNone() before calling
selection->selection().toNormalizedRange(), but toNormalizedRange()
notes that it needs to updateLayout(), which can make the selection
isNone() again. In that case, we crash on a NULL pointer in
deleteFromDocument. I don't know how to trigger that situation in a
test, but cross_fuzz was able to hit it, so we should fix it.

• page/DOMSelection.cpp: (WebCore::DOMSelection::deleteFromDocument):

Location:

trunk/WebCore

Files:

• ChangeLog (modified) (1 diff)
• page/DOMSelection.cpp (modified) (1 diff)

trunk/WebCore/ChangeLog

@@ +1 @@
+2010-08-18  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Adele Peterson.
+
+        Null dereference in DOMSelection::deleteFromDocument
+        https://bugs.webkit.org/show_bug.cgi?id=44153
+
+        deleteFromDocument checks selection->isNone() before calling
+        selection->selection().toNormalizedRange(), but toNormalizedRange()
+        notes that it needs to updateLayout(), which can make the selection
+        isNone() again.  In that case, we crash on a NULL pointer in
+        deleteFromDocument.  I don't know how to trigger that situation in a
+        test, but cross_fuzz was able to hit it, so we should fix it.
+
+        * page/DOMSelection.cpp:
+        (WebCore::DOMSelection::deleteFromDocument):
+
 2010-08-17  Girish Ramakrishnan  <girish@forwardbias.in>
 

trunk/WebCore/page/DOMSelection.cpp

@@ -428 +428 @@
 
     RefPtr<Range> selectedRange = selection->selection().toNormalizedRange();
+    if (!selectedRange)
+        return;
 
     ExceptionCode ec = 0;