Bug 178189 - Correct nullptr deref in selection handling
Summary: Correct nullptr deref in selection handling
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Brent Fulgham
Keywords: InRadar
Depends on:
Reported: 2017-10-11 15:39 PDT by Brent Fulgham
Modified: 2017-10-11 20:01 PDT (History)
4 users (show)

See Also:

Patch (6.28 KB, patch)
2017-10-11 16:13 PDT, Brent Fulgham
rniwa: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Brent Fulgham 2017-10-11 15:39:06 PDT
The 'Selection::toNormalizedRange()' returns nullptr for various conditions, specifically for a 'None' selection, but also for an "Orphaned" range.

We should make sure we check that 'toNormalizedRange' returns a non-null pointer before using it.
Comment 1 Brent Fulgham 2017-10-11 16:12:49 PDT
Comment 2 Brent Fulgham 2017-10-11 16:13:40 PDT
Created attachment 323480 [details]
Comment 3 Ryosuke Niwa 2017-10-11 19:03:02 PDT
Comment on attachment 323480 [details]

View in context: https://bugs.webkit.org/attachment.cgi?id=323480&action=review

> Source/WebCore/page/DOMSelection.cpp:397
> +    auto visibleSelection = selection.selection();
> +    if (visibleSelection.isNoneOrOrphaned())
> +        return false;

There's no reason to check this condition if we're checking null-ty of toNormalizedRange. Please remove it.
Comment 4 Brent Fulgham 2017-10-11 20:01:22 PDT
Committed r223228: <https://trac.webkit.org/changeset/223228>