WebKit Bugzilla
RESOLVED FIXED
178189
Correct nullptr deref in selection handling
https://bugs.webkit.org/show_bug.cgi?id=178189
Reported by Brent Fulgham, 2017-10-11 15:39:06 PDT
The 'Selection::toNormalizedRange()' returns nullptr for various conditions, specifically for a 'None' selection, but also for an "Orphaned" range. We should make sure we check that 'toNormalizedRange' returns a non-null pointer before using it.
Attachments
Patch (6.28 KB, patch), 2017-10-11 16:13 PDT, Brent Fulgham, rniwa: review+
Brent Fulgham, Comment 1, 2017-10-11 16:12:49 PDT
<rdar://problem/33833012>
Brent Fulgham, Comment 2, 2017-10-11 16:13:40 PDT
Created attachment 323480: Patch
Ryosuke Niwa, Comment 3, 2017-10-11 19:03:02 PDT
Comment on attachment 323480: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=323480&action=review
> Source/WebCore/page/DOMSelection.cpp:397 > + auto visibleSelection = selection.selection(); > + if (visibleSelection.isNoneOrOrphaned()) > + return false;
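Review bot: The `isNoneOrOrphaned()` early return at DOMSelection.cpp:397 guards the same None and orphaned cases that the bug description says `toNormalizedRange()` reports by returning nullptr, so it adds a second code path for one condition. A null check on the range returned by `toNormalizedRange()` alone would cover both cases, and it would also remove the `visibleSelection` local, which is declared by value with `auto` only to be queried once.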
There's no reason to check this condition if we're checking null-ty of toNormalizedRange. Please remove it.
Brent Fulgham, Comment 4, 2017-10-11 20:01:22 PDT
Committed r223228: <https://trac.webkit.org/changeset/223228>