Bug 119297

Summary: DHTML drag can result in a null-deref under WebDragClient::startDrag
Product: WebKit Reporter: Tim Horton <thorton>
Component: Layout and Rendering Assignee: Tim Horton <thorton>
Status: RESOLVED FIXED
Severity: Normal CC: buildbot, dtrebbien, enrica, rniwa
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments:
  Description      Flags
  wrong version    buildbot: commit-queue-
  patch            simon.fraser: review+

Description Tim Horton 2013-07-30 18:02:33 PDT
WebDragClient::startDrag's convertImageToBitmap will happily call createGraphicsContext on a null ShareableBitmap.
It shouldn't do this, because the ShareableBitmap can be null for a variety of reasons.

In addition, FrameSnapshottingMac::snapshotDragImage will happily waste time "painting" a 0x0 image, which it will then return and will eventually make its way to WebDragClient::startDrag, which will try to turn it into a ShareableBitmap and assert or crash because it has no size.

<rdar://problem/14213012>
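The two defects described above (a snapshot routine that paints a 0x0 image, and a caller that hands the resulting null bitmap to a graphics context) reduce to two missing early returns. The following is an added, self-contained C++ model of those checks; it is not WebKit's code and not the patch attached to this bug. The types and function names (IntSize, Image, ShareableBitmap, snapshotDragImage, convertImageToBitmap, startDrag) only echo the report's wording and are hypothetical stand-ins with made-up signatures.

```cpp
// Added example: a model of the defensive checks the bug report calls for.
// Names mirror the report's wording but this is NOT WebKit's code; every
// type and signature here is hypothetical.
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

struct IntSize {
    int width = 0;
    int height = 0;
    bool isEmpty() const { return width <= 0 || height <= 0; }
};

// Stand-in for a drag image: a size plus a flag recording whether any
// (expensive) painting was actually performed.
struct Image {
    IntSize size;
    bool painted = false;
};

// Stand-in for a shared-memory bitmap. The factory refuses a zero-area
// size and returns null; that null is what the original caller failed
// to handle before creating a graphics context.
struct ShareableBitmap {
    IntSize size;
    std::vector<uint32_t> pixels;

    static std::unique_ptr<ShareableBitmap> createShareable(IntSize size) {
        if (size.isEmpty())
            return nullptr;  // hypothetical: models "assert or crash because it has no size"
        auto bitmap = std::make_unique<ShareableBitmap>();
        bitmap->size = size;
        bitmap->pixels.assign(static_cast<size_t>(size.width) * size.height, 0);
        return bitmap;
    }
};

// Modelled snapshot: bail out for an empty rect instead of "painting"
// a 0x0 image and passing it downstream.
std::unique_ptr<Image> snapshotDragImage(IntSize rect) {
    if (rect.isEmpty())
        return nullptr;
    auto image = std::make_unique<Image>();
    image->size = rect;
    image->painted = true;  // painting only happens for a non-empty rect
    return image;
}

// Modelled conversion: null-check the image and the bitmap before using
// either, rather than building a graphics context over a null bitmap.
std::unique_ptr<ShareableBitmap> convertImageToBitmap(const Image* image) {
    if (!image)
        return nullptr;
    auto bitmap = ShareableBitmap::createShareable(image->size);
    if (!bitmap)
        return nullptr;  // the check the report says was missing
    // A real implementation would draw image into a context over bitmap;
    // here we just touch one pixel to show the bitmap is usable.
    bitmap->pixels[0] = 0xFFFFFFFFu;
    return bitmap;
}

// Drives both steps; true only if a usable bitmap came out the other end.
bool startDrag(IntSize dragRect) {
    auto image = snapshotDragImage(dragRect);
    auto bitmap = convertImageToBitmap(image.get());
    return bitmap != nullptr;
}

int main() {
    std::printf("0x0 drag rect   -> bitmap: %s\n", startDrag({0, 0}) ? "yes" : "no");
    std::printf("16x16 drag rect -> bitmap: %s\n", startDrag({16, 16}) ? "yes" : "no");
    return 0;
}
```

With the checks in place an empty drag rect produces no bitmap and no dereference; a non-empty rect still produces a bitmap as before. The point is that each stage returns null for its own failure and the next stage tests for it, so a null from the bitmap factory never reaches a context constructor.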
Comment 1 Tim Horton 2013-07-30 18:07:31 PDT
Created attachment 207791 [details]
wrong version

This one should be easy to test.
Comment 2 Build Bot 2013-07-30 18:35:08 PDT
Comment on attachment 207791 [details]
wrong version

Attachment 207791 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.appspot.com/results/1292500
Comment 3 Build Bot 2013-07-30 18:48:15 PDT
Comment on attachment 207791 [details]
wrong version

Attachment 207791 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/1288620
Comment 4 Tim Horton 2013-07-30 19:26:42 PDT
Created attachment 207798 [details]
patch
Comment 5 Tim Horton 2013-07-30 22:56:41 PDT
http://trac.webkit.org/changeset/153511
Comment 6 Tim Horton 2013-08-30 02:56:50 PDT
*** Bug 119027 has been marked as a duplicate of this bug. ***