Bug 178189

Summary:

Correct nullptr deref in selection handling

Product:

WebKit

Reporter:

Brent Fulgham <bfulgham>

Component:

HTML Editing

Assignee:

Brent Fulgham <bfulgham>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

bfulgham, cdumez, rniwa, wenson_hsieh

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	rniwa: review+

Brent Fulgham

Reported 2017-10-11 15:39:06 PDT

The 'Selection::toNormalizedRange()' returns nullptr for various conditions, specifically for a 'None' selection, but also for an "Orphaned" range. We should make sure we check that 'toNormalizedRange' returns a non-null pointer before using it.

Attachments
Patch (6.28 KB, patch) 2017-10-11 16:13 PDT, Brent Fulgham	rniwa: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Brent Fulgham

Comment 1 2017-10-11 16:12:49 PDT

<rdar://problem/33833012>

Brent Fulgham

Comment 2 2017-10-11 16:13:40 PDT

Created attachment 323480 [details] Patch

Ryosuke Niwa

Comment 3 2017-10-11 19:03:02 PDT

Comment on attachment 323480 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=323480&action=review > Source/WebCore/page/DOMSelection.cpp:397 > + auto visibleSelection = selection.selection(); > + if (visibleSelection.isNoneOrOrphaned()) > + return false; There's no reason to check this condition if we're checking null-ty of toNormalizedRange. Please remove it.

Brent Fulgham

Comment 4 2017-10-11 20:01:22 PDT

Committed r223228: <https://trac.webkit.org/changeset/223228>

Note You need to log in before you can comment on or make changes to this bug.