Bug 139506

Summary: Null dereference performing a "TapAndAHalf" gesture in Google search field
Product: WebKit
Reporter: Jon Honeycutt <jhoneycutt>
Component: WebKit2
Assignee: Jon Honeycutt <jhoneycutt>
Status: RESOLVED FIXED
Severity: Normal
CC: enrica, simon.fraser
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
URL: http://google.com
Attachments: Patch (darin: review+)

Description Jon Honeycutt 2014-12-10 14:13:43 PST
A null dereference can occur when performing a "TapAndAHalf" gesture in the Google search field.

Repro test case:

data:text/html,<input%20size="40"%20%20placeholder="Perform%20a%20tap%20and%20a%20half%20gesture%20in%20this%20field">

<rdar://problem/19028828>
Comment 1 Jon Honeycutt 2014-12-10 14:26:22 PST
Created attachment 243066 [details]
Patch
Comment 2 Darin Adler 2014-12-10 16:56:28 PST
Comment on attachment 243066 [details]
Patch

This change seems OK, but just a few lines later I see code that calls Range::create and dereferences the result unconditionally. I think we should consistently handle null in both places in this function instead of just in this one place.
Comment 3 Jon Honeycutt 2014-12-10 17:05:05 PST
(In reply to comment #2)
> Comment on attachment 243066 [details]
> Patch
> 
> This change seems OK, but just a few lines later I see code that calls
> Range::create and dereferences the result unconditionally. I think we should
> consistently handle null in both places in this function instead of just in
> this one place.

This adds a null check for the result of wordRangeFromPosition before calling Range::create. Range::create doesn't return null.

Thanks for the review!
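The distinction the review turns on, as an added illustration that is not WebKit's code: a lookup that can legitimately fail to find a word returns a nullable pointer and must be checked, while a factory that always produces an object does not. The names `wordRangeFromPosition`, `makeRange` (a stand-in for `Range::create`), `Range` and `Selection` below are simplified stand-ins written for this example, not the real WebKit classes or signatures.

```cpp
// Added example, not WebKit code: a minimal model of the null-handling
// pattern discussed in the review. `wordRangeFromPosition` may find no word
// at the gesture position (e.g. an empty field showing only placeholder
// text) and returns nullptr; `makeRange` stands in for Range::create and
// never returns null, so only the former needs a check.
#include <cctype>
#include <memory>
#include <string>

struct Range {
    size_t start;
    size_t end;
};

// Stand-in for Range::create: the caller supplies valid offsets, so this
// always returns a live object and the result may be dereferenced directly.
std::unique_ptr<Range> makeRange(size_t start, size_t end)
{
    return std::make_unique<Range>(Range{start, end});
}

// Returns nullptr when no word exists at `position`: the text is empty,
// the position is out of bounds, or it sits on whitespace/punctuation.
std::unique_ptr<Range> wordRangeFromPosition(const std::string& text, size_t position)
{
    if (position >= text.size() || !std::isalnum(static_cast<unsigned char>(text[position])))
        return nullptr;
    size_t start = position;
    while (start > 0 && std::isalnum(static_cast<unsigned char>(text[start - 1])))
        --start;
    size_t end = position;
    while (end < text.size() && std::isalnum(static_cast<unsigned char>(text[end])))
        ++end;
    return makeRange(start, end);
}

struct Selection {
    size_t start = 0;
    size_t end = 0;
    bool valid = false;
};

// The defect pattern was dereferencing the word-range result unconditionally.
// Here a missing word yields an empty, invalid selection instead of a crash.
Selection selectWordAtPosition(const std::string& text, size_t position)
{
    auto range = wordRangeFromPosition(text, position);
    if (!range)
        return {};
    // makeRange never returns null, so no second check is needed here.
    auto selected = makeRange(range->start, range->end);
    return {selected->start, selected->end, true};
}
```

Calling `selectWordAtPosition("", 0)` models the empty search field from the repro case and returns an invalid selection rather than dereferencing null; a position inside a word returns that word's bounds.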
Comment 4 Jon Honeycutt 2014-12-10 17:09:24 PST
Committed r177115: <http://trac.webkit.org/changeset/177115>