Title: [204941] trunk/Source
Revision
204941
Author
[email protected]
Date
2016-08-24 16:26:20 -0700 (Wed, 24 Aug 2016)

Log Message

FocusController multiple dereferenced NULL pointers
https://bugs.webkit.org/show_bug.cgi?id=160808

Patch by Jonathan Bedard <[email protected]> on 2016-08-24
Reviewed by Darin Adler.

Source/WebCore:

No new tests needed, fix does not change functionality.

This change fixes a number of NULL pointer dereferences which occur in FocusController.

* page/FocusController.cpp:
(WebCore::isFocusableElementOrScopeOwner): Changed KeyboardEvent reference to pointer.
(WebCore::isNonFocusableScopeOwner): Ditto.
(WebCore::isFocusableScopeOwner): Ditto.
(WebCore::shadowAdjustedTabIndex): Ditto.

(WebCore::FocusController::findFocusableElementAcrossFocusScope): Pass pointer instead of reference to KeyboardEvent.
(WebCore::FocusController::nextFocusableElementWithinScope): Ditto.
(WebCore::FocusController::previousFocusableElementWithinScope): Ditto.
(WebCore::FocusController::findElementWithExactTabIndex): Ditto.
(WebCore::nextElementWithGreaterTabIndex): Ditto.
(WebCore::previousElementWithLowerTabIndex): Ditto.
(WebCore::FocusController::nextFocusableElementOrScopeOwner): Ditto.
(WebCore::FocusController::previousFocusableElementOrScopeOwner): Ditto.
(WebCore::relinquishesEditingFocus): Ditto.

Source/WebKit2:

* WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::setInitialFocus): Should use nullptr, not 0 to initialize NULL pointer.

Diff

Modified: trunk/Source/WebCore/ChangeLog (204940 => 204941)


--- trunk/Source/WebCore/ChangeLog	2016-08-24 23:21:14 UTC (rev 204940)
+++ trunk/Source/WebCore/ChangeLog	2016-08-24 23:26:20 UTC (rev 204941)
@@ -1,3 +1,30 @@
+2016-08-24  Jonathan Bedard  <[email protected]>
+
+        FocusController multiple dereferenced NULL pointers
+        https://bugs.webkit.org/show_bug.cgi?id=160808
+
+        Reviewed by Darin Adler.
+
+        No new tests needed, fix does not change functionality.
+
+        This change fixes a number of NULL pointer dereferences which occur in FocusController.
+
+        * page/FocusController.cpp:
+        (WebCore::isFocusableElementOrScopeOwner): Changed KeyboardEvent reference to pointer.
+        (WebCore::isNonFocusableScopeOwner): Ditto.
+        (WebCore::isFocusableScopeOwner): Ditto.
+        (WebCore::shadowAdjustedTabIndex): Ditto.
+
+        (WebCore::FocusController::findFocusableElementAcrossFocusScope): Pass pointer instead of reference to KeyboardEvent.
+        (WebCore::FocusController::nextFocusableElementWithinScope): Ditto.
+        (WebCore::FocusController::previousFocusableElementWithinScope): Ditto.
+        (WebCore::FocusController::findElementWithExactTabIndex): Ditto.
+        (WebCore::nextElementWithGreaterTabIndex): Ditto.
+        (WebCore::previousElementWithLowerTabIndex): Ditto.
+        (WebCore::FocusController::nextFocusableElementOrScopeOwner): Ditto.
+        (WebCore::FocusController::previousFocusableElementOrScopeOwner): Ditto.
+        (WebCore::relinquishesEditingFocus): Ditto.
+
 2016-08-24  Nan Wang  <[email protected]>
 
         AX: VoiceOver on iOS ignores aria-checked on menuitemradio and menuitemcheckbox

Modified: trunk/Source/WebCore/page/FocusController.cpp (204940 => 204941)


--- trunk/Source/WebCore/page/FocusController.cpp	2016-08-24 23:21:14 UTC (rev 204940)
+++ trunk/Source/WebCore/page/FocusController.cpp	2016-08-24 23:26:20 UTC (rev 204941)
@@ -289,22 +289,22 @@
         document->focusedElement()->dispatchFocusEvent(nullptr, FocusDirectionNone);
 }
 
-static inline bool isFocusableElementOrScopeOwner(Element& element, KeyboardEvent& event)
+static inline bool isFocusableElementOrScopeOwner(Element& element, KeyboardEvent* event)
 {
-    return element.isKeyboardFocusable(&event) || isFocusScopeOwner(element);
+    return element.isKeyboardFocusable(event) || isFocusScopeOwner(element);
 }
 
-static inline bool isNonFocusableScopeOwner(Element& element, KeyboardEvent& event)
+static inline bool isNonFocusableScopeOwner(Element& element, KeyboardEvent* event)
 {
-    return !element.isKeyboardFocusable(&event) && isFocusScopeOwner(element);
+    return !element.isKeyboardFocusable(event) && isFocusScopeOwner(element);
 }
 
-static inline bool isFocusableScopeOwner(Element& element, KeyboardEvent& event)
+static inline bool isFocusableScopeOwner(Element& element, KeyboardEvent* event)
 {
-    return element.isKeyboardFocusable(&event) && isFocusScopeOwner(element);
+    return element.isKeyboardFocusable(event) && isFocusScopeOwner(element);
 }
 
-static inline int shadowAdjustedTabIndex(Element& element, KeyboardEvent& event)
+static inline int shadowAdjustedTabIndex(Element& element, KeyboardEvent* event)
 {
     if (isNonFocusableScopeOwner(element, event)) {
         if (!element.tabIndexSetExplicitly())
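Review bot: The four helpers in this hunk (isFocusableElementOrScopeOwner, isNonFocusableScopeOwner, isFocusableScopeOwner, shadowAdjustedTabIndex) now accept a null `event` — that is the whole point of the change, since WebPage::setInitialFocus elsewhere in this commit passes `nullptr` into FocusController — but nothing at their declarations records that, and whether Element::isKeyboardFocusable itself tolerates a null event is not visible in this diff, so it would be worth confirming. A comment above the first helper such as `// event may be null: the caller may not have a KeyboardEvent (see FocusController::setInitialFocus).` would make the contract the new pointer parameters imply explicit. Relatedly, the hunks at @@ -504, @@ -542 and @@ -555 still pass the literal `0` for the `Node*` argument of findFocusableElementWithinScope, nextFocusableElementWithinScope and previousFocusableElementWithinScope, while the WebKit2 half of this commit replaces `0` with `nullptr` for exactly that reason; using `nullptr` there too would keep the two halves consistent. The body of shadowAdjustedTabIndex continues outside the hunk.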
@@ -504,9 +504,9 @@
 
 Element* FocusController::findFocusableElementAcrossFocusScope(FocusDirection direction, const FocusNavigationScope& scope, Node* currentNode, KeyboardEvent* event)
 {
-    ASSERT(!is<Element>(currentNode) || !isNonFocusableScopeOwner(downcast<Element>(*currentNode), *event));
+    ASSERT(!is<Element>(currentNode) || !isNonFocusableScopeOwner(downcast<Element>(*currentNode), event));
 
-    if (currentNode && direction == FocusDirectionForward && is<Element>(currentNode) && isFocusableScopeOwner(downcast<Element>(*currentNode), *event)) {
+    if (currentNode && direction == FocusDirectionForward && is<Element>(currentNode) && isFocusableScopeOwner(downcast<Element>(*currentNode), event)) {
         if (Element* candidateInInnerScope = findFocusableElementWithinScope(direction, FocusNavigationScope::scopeOwnedByScopeOwner(downcast<Element>(*currentNode)), 0, event))
             return candidateInInnerScope;
     }
@@ -517,7 +517,7 @@
     // If there's no focusable node to advance to, move up the focus scopes until we find one.
     Element* owner = scope.owner();
     while (owner) {
-        if (direction == FocusDirectionBackward && isFocusableScopeOwner(*owner, *event))
+        if (direction == FocusDirectionBackward && isFocusableScopeOwner(*owner, event))
             return findFocusableElementDescendingDownIntoFrameDocument(direction, owner, event);
 
         auto outerScope = FocusNavigationScope::scopeOf(*owner);
@@ -542,7 +542,7 @@
     Element* found = nextFocusableElementOrScopeOwner(scope, start, event);
     if (!found)
         return nullptr;
-    if (isNonFocusableScopeOwner(*found, *event)) {
+    if (isNonFocusableScopeOwner(*found, event)) {
         if (Element* foundInInnerFocusScope = nextFocusableElementWithinScope(FocusNavigationScope::scopeOwnedByScopeOwner(*found), 0, event))
             return foundInInnerFocusScope;
         return nextFocusableElementWithinScope(scope, found, event);
@@ -555,13 +555,13 @@
     Element* found = previousFocusableElementOrScopeOwner(scope, start, event);
     if (!found)
         return nullptr;
-    if (isFocusableScopeOwner(*found, *event)) {
+    if (isFocusableScopeOwner(*found, event)) {
         // Search an inner focusable element in the shadow tree from the end.
         if (Element* foundInInnerFocusScope = previousFocusableElementWithinScope(FocusNavigationScope::scopeOwnedByScopeOwner(*found), 0, event))
             return foundInInnerFocusScope;
         return found;
     }
-    if (isNonFocusableScopeOwner(*found, *event)) {
+    if (isNonFocusableScopeOwner(*found, event)) {
         if (Element* foundInInnerFocusScope = previousFocusableElementWithinScope(FocusNavigationScope::scopeOwnedByScopeOwner(*found), 0, event))
             return foundInInnerFocusScope;
         return previousFocusableElementWithinScope(scope, found, event);
@@ -583,13 +583,13 @@
         if (!is<Element>(*node))
             continue;
         Element& element = downcast<Element>(*node);
-        if (isFocusableElementOrScopeOwner(element, *event) && shadowAdjustedTabIndex(element, *event) == tabIndex)
+        if (isFocusableElementOrScopeOwner(element, event) && shadowAdjustedTabIndex(element, event) == tabIndex)
             return &element;
     }
     return nullptr;
 }
 
-static Element* nextElementWithGreaterTabIndex(const FocusNavigationScope& scope, int tabIndex, KeyboardEvent& event)
+static Element* nextElementWithGreaterTabIndex(const FocusNavigationScope& scope, int tabIndex, KeyboardEvent* event)
 {
     // Search is inclusive of start
     int winningTabIndex = std::numeric_limits<int>::max();
@@ -608,7 +608,7 @@
     return winner;
 }
 
-static Element* previousElementWithLowerTabIndex(const FocusNavigationScope& scope, Node* start, int tabIndex, KeyboardEvent& event)
+static Element* previousElementWithLowerTabIndex(const FocusNavigationScope& scope, Node* start, int tabIndex, KeyboardEvent* event)
 {
     // Search is inclusive of start
     int winningTabIndex = 0;
@@ -644,7 +644,7 @@
 {
     int startTabIndex = 0;
     if (start && is<Element>(*start))
-        startTabIndex = shadowAdjustedTabIndex(downcast<Element>(*start), *event);
+        startTabIndex = shadowAdjustedTabIndex(downcast<Element>(*start), event);
 
     if (start) {
         // If a node is excluded from the normal tabbing cycle, the next focusable node is determined by tree order
@@ -653,7 +653,7 @@
                 if (!is<Element>(*node))
                     continue;
                 Element& element = downcast<Element>(*node);
-                if (isFocusableElementOrScopeOwner(element, *event) && shadowAdjustedTabIndex(element, *event) >= 0)
+                if (isFocusableElementOrScopeOwner(element, event) && shadowAdjustedTabIndex(element, event) >= 0)
                     return &element;
             }
         }
@@ -669,7 +669,7 @@
     // Look for the first Element in the scope that:
     // 1) has the lowest tabindex that is higher than start's tabindex (or 0, if start is null), and
     // 2) comes first in the scope, if there's a tie.
-    if (Element* winner = nextElementWithGreaterTabIndex(scope, startTabIndex, *event))
+    if (Element* winner = nextElementWithGreaterTabIndex(scope, startTabIndex, event))
         return winner;
 
     // There are no nodes with a tabindex greater than start's tabindex,
@@ -691,7 +691,7 @@
     if (start) {
         startingNode = scope.previousInScope(start);
         if (is<Element>(*start))
-            startingTabIndex = shadowAdjustedTabIndex(downcast<Element>(*start), *event);
+            startingTabIndex = shadowAdjustedTabIndex(downcast<Element>(*start), event);
     } else
         startingNode = last;
 
@@ -701,7 +701,7 @@
             if (!is<Element>(*node))
                 continue;
             Element& element = downcast<Element>(*node);
-            if (isFocusableElementOrScopeOwner(element, *event) && shadowAdjustedTabIndex(element, *event) >= 0)
+            if (isFocusableElementOrScopeOwner(element, event) && shadowAdjustedTabIndex(element, event) >= 0)
                 return &element;
         }
     }
@@ -713,7 +713,7 @@
     // 1) has the highest non-zero tabindex (that is less than start's tabindex), and
     // 2) comes last in the scope, if there's a tie.
     startingTabIndex = (start && startingTabIndex) ? startingTabIndex : std::numeric_limits<int>::max();
-    return previousElementWithLowerTabIndex(scope, last, startingTabIndex, *event);
+    return previousElementWithLowerTabIndex(scope, last, startingTabIndex, event);
 }
 
 static bool relinquishesEditingFocus(Node *node)

Modified: trunk/Source/WebKit2/ChangeLog (204940 => 204941)


--- trunk/Source/WebKit2/ChangeLog	2016-08-24 23:21:14 UTC (rev 204940)
+++ trunk/Source/WebKit2/ChangeLog	2016-08-24 23:26:20 UTC (rev 204941)
@@ -1,3 +1,13 @@
+2016-08-24  Jonathan Bedard  <[email protected]>
+
+        FocusController multiple dereferenced NULL pointers
+        https://bugs.webkit.org/show_bug.cgi?id=160808
+
+        Reviewed by Darin Adler.
+
+        * WebProcess/WebPage/WebPage.cpp:
+        (WebKit::WebPage::setInitialFocus): Should use nullptr, not 0 to initialize NULL pointer.
+
 2016-08-23  Anders Carlsson  <[email protected]>
 
         Add enum traits and use them in the IPC::Decoder

Modified: trunk/Source/WebKit2/WebProcess/WebPage/WebPage.cpp (204940 => 204941)


--- trunk/Source/WebKit2/WebProcess/WebPage/WebPage.cpp	2016-08-24 23:21:14 UTC (rev 204940)
+++ trunk/Source/WebKit2/WebProcess/WebPage/WebPage.cpp	2016-08-24 23:26:20 UTC (rev 204941)
@@ -2519,7 +2519,7 @@
         return;
     }
 
-    m_page->focusController().setInitialFocus(forward ? FocusDirectionForward : FocusDirectionBackward, 0);
+    m_page->focusController().setInitialFocus(forward ? FocusDirectionForward : FocusDirectionBackward, nullptr);
     send(Messages::WebPageProxy::VoidCallback(callbackID));
 }
 