178189 – Correct nullptr deref in selection handling

Bug 178189 - Correct nullptr deref in selection handling

Summary: Correct nullptr deref in selection handling

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	HTML Editing (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Brent Fulgham

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2017-10-11 15:39 PDT by Brent Fulgham
Modified:	2017-10-11 20:01 PDT (History)
CC List:	4 users (show)

See Also:

Attachments
Patch (6.28 KB, patch) 2017-10-11 16:13 PDT, Brent Fulgham	rniwa: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Brent Fulgham 2017-10-11 15:39:06 PDT

The 'Selection::toNormalizedRange()' returns nullptr for various conditions, specifically for a 'None' selection, but also for an "Orphaned" range.

We should make sure we check that 'toNormalizedRange' returns a non-null pointer before using it.

Comment 1 Brent Fulgham 2017-10-11 16:12:49 PDT

<rdar://problem/33833012>

Comment 2 Brent Fulgham 2017-10-11 16:13:40 PDT

Created attachment 323480 [details]
Patch

Comment 3 Ryosuke Niwa 2017-10-11 19:03:02 PDT

Comment on attachment 323480 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=323480&action=review

> Source/WebCore/page/DOMSelection.cpp:397
> +    auto visibleSelection = selection.selection();
> +    if (visibleSelection.isNoneOrOrphaned())
> +        return false;

There's no reason to check this condition if we're checking null-ty of toNormalizedRange. Please remove it.

Comment 4 Brent Fulgham 2017-10-11 20:01:22 PDT

Committed r223228: <https://trac.webkit.org/changeset/223228>