Bug 171925

Summary: REGRESSION (r206960): Possible null pointer dereference under DOMSelection::getRangeAt()
Product: WebKit
Reporter: Chris Dumez <cdumez>
Component: HTML Editing
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: darin, rniwa, webkit-bug-importer, wenson_hsieh
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 163016
Attachments:
Patch (flags: wenson_hsieh: review+)

Chris Dumez
Reported 2017-05-10 09:06:23 PDT
Possible null pointer dereference under DOMSelection::getRangeAt() after r206960.
Attachments
Patch (1.92 KB, patch)
2017-05-10 09:10 PDT, Chris Dumez
wenson_hsieh: review+
Chris Dumez
Comment 1 2017-05-10 09:06:45 PDT
Chris Dumez
Comment 2 2017-05-10 09:10:18 PDT
Chris Dumez
Comment 3 2017-05-10 10:02:25 PDT
Comment on attachment 309613 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=309613&action=review

> Source/WebCore/ChangeLog:14
> +        if isNoneOrOrphaned().

Note that another proposal would be to update DOMSelection::rangeCount() to check isNoneOrOrphaned() instead of isNone(), because there is currently a mismatch between rangeCount() (which checks isNone()) and firstRange() (which returns null if isNoneOrOrphaned()). However, this seemed like a larger-impact change and I am not familiar enough with this code to guarantee this is safe.
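Added illustration, not WebKit's own code: a reduced C++ model of the rangeCount()/firstRange() mismatch this comment describes. The types Node, Range, Selection, DOMSelection, ExceptionOr and the `connected` flag are stand-ins for the WebCore classes and are assumptions; the model encodes only what the comment states: rangeCount() checks isNone(), firstRange() returns null when the selection isNoneOrOrphaned(), and getRangeAt() now returns INDEX_SIZE_ERR instead of dereferencing a null firstRange. Running it shows the script-observable consequence: for an orphaned selection rangeCount() still reports 1 while getRangeAt(0) throws. The `countOrphanedAsNone` switch models the alternative proposal (rangeCount() checking isNoneOrOrphaned()), under which the two agree.

```cpp
// Added illustration, not WebKit code: a reduced model of the
// rangeCount()/firstRange() mismatch behind bug 171925. Type names and
// fields below are stand-ins for WebCore classes (assumption).
#include <memory>
#include <optional>

// Stand-in for a DOM node; `connected` is false once it leaves its document.
struct Node {
    bool connected = true;
};

// Stand-in for a DOM Range anchored on one node.
struct Range {
    Node* container = nullptr;
};

// Models VisibleSelection: "none" = no selection; "orphaned" = the selection
// still points at a node that is no longer in the document.
struct Selection {
    Node* anchor = nullptr;
    bool isNone() const { return !anchor; }
    bool isOrphan() const { return anchor && !anchor->connected; }
    bool isNoneOrOrphaned() const { return isNone() || isOrphan(); }
};

enum class ExceptionCode { INDEX_SIZE_ERR };

// Minimal stand-in for WebCore's ExceptionOr<T>.
template <typename T>
struct ExceptionOr {
    std::optional<ExceptionCode> exception;
    T value{};
    bool hasException() const { return exception.has_value(); }
};

struct DOMSelection {
    Selection selection;
    // false: rangeCount() checks isNone() (current behaviour per comment 3);
    // true: the alternative proposal, rangeCount() checks isNoneOrOrphaned().
    bool countOrphanedAsNone = false;

    unsigned rangeCount() const {
        bool none = countOrphanedAsNone ? selection.isNoneOrOrphaned()
                                        : selection.isNone();
        return none ? 0 : 1;
    }

    // Mirrors what comment 3 says about firstRange(): null when the
    // selection is none or orphaned.
    std::unique_ptr<Range> firstRange() const {
        if (selection.isNoneOrOrphaned())
            return nullptr;
        return std::make_unique<Range>(Range{selection.anchor});
    }

    ExceptionOr<Range> getRangeAt(unsigned index) const {
        if (index >= rangeCount())
            return {ExceptionCode::INDEX_SIZE_ERR, {}};
        auto range = firstRange();
        // The null check the patch adds. Without it, an orphaned selection
        // reaches this point with rangeCount() == 1 and dereferences null.
        if (!range)
            return {ExceptionCode::INDEX_SIZE_ERR, {}};
        return {std::nullopt, *range};
    }
};

// What a page script observes: rangeCount and whether getRangeAt(0) throws.
struct Outcome {
    unsigned rangeCount;
    bool getRangeAtThrows;
};

Outcome observe(const DOMSelection& sel) {
    return {sel.rangeCount(), sel.getRangeAt(0).hasException()};
}

// Live selection: one range, getRangeAt(0) succeeds.
Outcome liveSelectionOutcome() {
    Node node;
    DOMSelection sel;
    sel.selection.anchor = &node;
    return observe(sel);
}

// Selection orphaned by detaching its node. With the patch the null
// dereference becomes INDEX_SIZE_ERR, but rangeCount() still says 1 unless
// the alternative proposal is applied.
Outcome orphanedSelectionOutcome(bool countOrphanedAsNone) {
    Node node;
    DOMSelection sel;
    sel.countOrphanedAsNone = countOrphanedAsNone;
    sel.selection.anchor = &node;
    node.connected = false; // constructed scenario: the node left the document
    return observe(sel);
}

// No selection at all: rangeCount() is 0 and getRangeAt(0) throws.
Outcome noSelectionOutcome() {
    DOMSelection sel;
    return observe(sel);
}
```

The orphaned case with `countOrphanedAsNone == false` is exactly the state the patch guards against: an index that rangeCount() reports as valid but for which firstRange() is null. An ASSERT(firstRange) placed before the null check, as requested in the review, would fire in that state in debug builds while release builds keep throwing INDEX_SIZE_ERR.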
Ryosuke Niwa
Comment 4 2017-05-10 12:11:47 PDT
Comment on attachment 309613 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=309613&action=review

> Source/WebCore/page/DOMSelection.cpp:309
> +    if (!firstRange)
> +        return Exception { INDEX_SIZE_ERR };

Could you add an assertion that firstRange is not null? Because if this is happening, then there's a bug elsewhere in the editing code.
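Review bot: the `if (!firstRange)` check leaves the mismatch described in comment 3 observable to script: rangeCount() still checks isNone(), so for an orphaned selection it reports 1, yet getRangeAt(0) now returns INDEX_SIZE_ERR for an index rangeCount() said was valid. The check is still the right minimal fix for the null dereference; pairing it with the ASSERT(firstRange) requested above would surface that rangeCount()/firstRange() inconsistency in debug builds without changing release behaviour, and aligning rangeCount() on isNoneOrOrphaned(), as the ChangeLog mentions, could follow separately once its wider impact is understood.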
Chris Dumez
Comment 5 2017-05-10 12:52:26 PDT