Bug 119297 - DHTML drag can result in a null-deref under WebDragClient::startDrag
Summary: DHTML drag can result in a null-deref under WebDragClient::startDrag
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Tim Horton
URL:
Keywords: InRadar
Duplicates: 119027
Depends on:
Blocks:
 
Reported: 2013-07-30 18:02 PDT by Tim Horton
Modified: 2013-08-30 02:56 PDT (History)
CC: 4 users

See Also:


Attachments
wrong version (3.00 KB, patch)
2013-07-30 18:07 PDT, Tim Horton
buildbot: commit-queue-
patch (5.58 KB, patch)
2013-07-30 19:26 PDT, Tim Horton
simon.fraser: review+

Description Tim Horton 2013-07-30 18:02:33 PDT
WebDragClient::startDrag's convertImageToBitmap will happily call createGraphicsContext on a null ShareableBitmap.
It shouldn't do this, because the ShareableBitmap can be null for a variety of reasons.

In addition, FrameSnapshottingMac::snapshotDragImage will happily waste time "painting" a 0x0 image, which it will then return and will eventually make its way to WebDragClient::startDrag, which will try to turn it into a ShareableBitmap and assert or crash because it has no size.

<rdar://problem/14213012>
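The two defects described above (a null ShareableBitmap reaching createGraphicsContext, and a 0x0 drag image being painted and then failing to become a bitmap) are instances of one pattern: a fallible factory whose null result is never checked. The following is an added illustration, not code from WebKit or from this bug's patch; IntSize, ShareableBitmap, DragImage, snapshotDragImage and startDrag here are toy stand-ins (assumptions) that only mirror the shape of the calls the report names, so the point is the placement of the checks, not WebKit's real API.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Toy stand-in for WebCore::IntSize (assumption, not WebKit's type).
struct IntSize {
    int width;
    int height;
    bool isEmpty() const { return width <= 0 || height <= 0; }
};

// Toy stand-in for ShareableBitmap: creation is fallible and returns null
// for an empty size, one of the "variety of reasons" the bitmap can be null.
struct ShareableBitmap {
    IntSize size;
    std::vector<unsigned char> pixels;

    static std::shared_ptr<ShareableBitmap> createShareable(IntSize s) {
        if (s.isEmpty())
            return nullptr;
        auto bitmap = std::make_shared<ShareableBitmap>();
        bitmap->size = s;
        bitmap->pixels.resize(static_cast<std::size_t>(s.width) * s.height * 4); // RGBA
        return bitmap;
    }

    // Real code would wrap the pixel memory in a GraphicsContext; a raw
    // pointer to the backing store is enough to show the dereference.
    unsigned char* createGraphicsContext() { return pixels.data(); }
};

// Toy stand-in for the drag image produced by the snapshotting code.
struct DragImage {
    IntSize size;
};

// Snapshot step: reject a 0x0 image up front instead of "painting" it and
// handing an unusable image down to startDrag.
std::shared_ptr<DragImage> snapshotDragImage(IntSize size) {
    if (size.isEmpty())
        return nullptr;
    return std::make_shared<DragImage>(DragImage{size});
}

enum class DragResult { Started, NoImage, NoBitmap };

// Hardened counterpart of the convertImageToBitmap step: every fallible
// result is checked before it is dereferenced. The defect in the report was
// calling createGraphicsContext on the bitmap without the null check below.
DragResult startDrag(std::shared_ptr<DragImage> image) {
    if (!image)
        return DragResult::NoImage;
    auto bitmap = ShareableBitmap::createShareable(image->size);
    if (!bitmap)
        return DragResult::NoBitmap; // previously: null-deref inside createGraphicsContext
    unsigned char* context = bitmap->createGraphicsContext();
    return context ? DragResult::Started : DragResult::NoBitmap;
}

// End-to-end path: snapshot, then start the drag from the snapshot.
DragResult dragWithSnapshot(IntSize size) {
    return startDrag(snapshotDragImage(size));
}
```

With the empty-size check in snapshotDragImage, a 0x0 drag image never reaches the bitmap step at all; with the null check in startDrag, a bitmap that fails to be created for any other reason is reported rather than dereferenced. Both checks are needed because the bitmap factory can fail independently of the snapshot.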
Comment 1 Tim Horton 2013-07-30 18:07:31 PDT
Created attachment 207791 [details]
wrong version

This one should be easy to test.
Comment 2 Build Bot 2013-07-30 18:35:08 PDT
Comment on attachment 207791 [details]
wrong version

Attachment 207791 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.appspot.com/results/1292500
Comment 3 Build Bot 2013-07-30 18:48:15 PDT
Comment on attachment 207791 [details]
wrong version

Attachment 207791 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/1288620
Comment 4 Tim Horton 2013-07-30 19:26:42 PDT
Created attachment 207798 [details]
patch
Comment 5 Tim Horton 2013-07-30 22:56:41 PDT
http://trac.webkit.org/changeset/153511
Comment 6 Tim Horton 2013-08-30 02:56:50 PDT
*** Bug 119027 has been marked as a duplicate of this bug. ***