Skip to site navigation (Press enter)

[webkit-changes] [261961] trunk/Source/WebCore

graouts Wed, 20 May 2020 14:52:09 -0700

Title: [261961] trunk/Source/WebCore

Revision: 261961
Author: grao...@webkit.org
Date: 2020-05-20 14:51:57 -0700 (Wed, 20 May 2020)

Log Message

Potential crash in PointerCaptureController::cancelPointer()
https://bugs.webkit.org/show_bug.cgi?id=208347
<rdar://problem/59866247>


Reviewed by David Kilzer and Daniel Bates.

* page/PointerCaptureController.cpp:
(WebCore::PointerCaptureController::cancelPointer):

Modified Paths

trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/page/PointerCaptureController.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (261960 => 261961)


--- trunk/Source/WebCore/ChangeLog	2020-05-20 21:33:24 UTC (rev 261960)
+++ trunk/Source/WebCore/ChangeLog	2020-05-20 21:51:57 UTC (rev 261961)
@@ -1,3 +1,14 @@
+2020-05-20  Antoine Quint  <grao...@apple.com>
+
+        Potential crash in PointerCaptureController::cancelPointer()
+        https://bugs.webkit.org/show_bug.cgi?id=208347
+        <rdar://problem/59866247>
+
+        Reviewed by David Kilzer and Daniel Bates.
+
+        * page/PointerCaptureController.cpp:
+        (WebCore::PointerCaptureController::cancelPointer):
+
 2020-05-20  Oriol Brufau  <obru...@igalia.com>
 
         [css-grid] Fix auto repeat with multiple tracks and gutters

Modified: trunk/Source/WebCore/page/PointerCaptureController.cpp (261960 => 261961)


--- trunk/Source/WebCore/page/PointerCaptureController.cpp	2020-05-20 21:33:24 UTC (rev 261960)
+++ trunk/Source/WebCore/page/PointerCaptureController.cpp	2020-05-20 21:51:57 UTC (rev 261961)
@@ -460,12 +460,12 @@
     capturingData.previousTarget = nullptr;
 #endif
 
-    auto& target = capturingData.targetOverride;
-    if (!target) {
+    auto target = [&]() -> RefPtr<Element> {
+        if (capturingData.targetOverride)
+            return capturingData.targetOverride;
         constexpr OptionSet<HitTestRequest::RequestType> hitType { HitTestRequest::ReadOnly, HitTestRequest::Active, HitTestRequest::DisallowUserAgentShadowContent, HitTestRequest::AllowChildFrameContent };
-        // FIXME: The target will always be nullptr when we exit this scope.
-        target = m_page.mainFrame().eventHandler().hitTestResultAtPoint(documentPoint, hitType).innerNonSharedElement();
-    }
+        return m_page.mainFrame().eventHandler().hitTestResultAtPoint(documentPoint, hitType).innerNonSharedElement();
+    }();
 
     if (!target)
         return;

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes