Bug 178189

Summary: Correct nullptr deref in selection handling
Product: WebKit Reporter: Brent Fulgham <bfulgham>
Component: HTML EditingAssignee: Brent Fulgham <bfulgham>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, cdumez, rniwa, wenson_hsieh
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch rniwa: review+

Description Brent Fulgham 2017-10-11 15:39:06 PDT 
The 'Selection::toNormalizedRange()' returns nullptr for various conditions, specifically for a 'None' selection, but also for an "Orphaned" range.

We should make sure we check that 'toNormalizedRange' returns a non-null pointer before using it.
Comment 1 Brent Fulgham 2017-10-11 16:12:49 PDT 
<rdar://problem/33833012>
Comment 2 Brent Fulgham 2017-10-11 16:13:40 PDT 
Created attachment 323480 [details]
Patch
Comment 3 Ryosuke Niwa 2017-10-11 19:03:02 PDT 
Comment on attachment 323480 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=323480&action=review

> Source/WebCore/page/DOMSelection.cpp:397
> +    auto visibleSelection = selection.selection();
> +    if (visibleSelection.isNoneOrOrphaned())
> +        return false;

There's no reason to check this condition if we're checking null-ty of toNormalizedRange. Please remove it.
Comment 4 Brent Fulgham 2017-10-11 20:01:22 PDT 
Committed r223228: <https://trac.webkit.org/changeset/223228>