Title: [273866] trunk/Source/WebCore
- Revision
- 273866
- Author
- rn...@webkit.org
- Date
- 2021-03-03 17:48:53 -0800 (Wed, 03 Mar 2021)
Log Message
Nullptr crash in DeleteSelectionCommand::handleGeneralDelete()
https://bugs.webkit.org/show_bug.cgi?id=222681
Reviewed by Wenson Hsieh.
Skip the loop when m_downstreamEnd.isNull() or m_downstreamEnd.isOrphan() is true
to avoid dereferencing a nullptr.
No new tests since we don't have any reproduction for this crash,
and it's not obvious how we're getting into that state.
* editing/DeleteSelectionCommand.cpp:
(WebCore::DeleteSelectionCommand::handleGeneralDelete):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (273865 => 273866)
--- trunk/Source/WebCore/ChangeLog 2021-03-04 01:34:21 UTC (rev 273865)
+++ trunk/Source/WebCore/ChangeLog 2021-03-04 01:48:53 UTC (rev 273866)
@@ -1,3 +1,19 @@
+2021-03-03 Ryosuke Niwa <rn...@webkit.org>
+
+ Nulllptr crash in DeleteSelectionCommand::handleGeneralDelete()
+ https://bugs.webkit.org/show_bug.cgi?id=222681
+
+ Reviewed by Wenson Hsieh.
+
+ Skip the loop when m_downstreamEnd.isNull() or im_downstreamEnd.isOrphan() is true
+ to avoid dereferencing a nullptr.
+
+ No new tests since we don't have any reproduction for this crash,
+ and it's not obvious how we're getting into that state.
+
+ * editing/DeleteSelectionCommand.cpp:
+ (WebCore::DeleteSelectionCommand::handleGeneralDelete):
+
2021-03-03 Devin Rousso <drou...@apple.com>
Web Inspector: `RecordCanvasActionVariant` causes a huge symbol to be created in WebCore
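Review bot: The new ChangeLog entry carries two typos that will be preserved in the repository history: "Nulllptr" in the summary line should be "Nullptr", and "im_downstreamEnd.isOrphan()" in the description should be "m_downstreamEnd.isOrphan()", since the member being guarded is `m_downstreamEnd`. Worth fixing before landing so anyone searching the log for the member name or for "nullptr" finds this entry.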
Modified: trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp (273865 => 273866)
--- trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp 2021-03-04 01:34:21 UTC (rev 273865)
+++ trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp 2021-03-04 01:48:53 UTC (rev 273866)
@@ -599,7 +599,7 @@
}
// handle deleting all nodes that are completely selected
- while (node && node != m_downstreamEnd.deprecatedNode()) {
+ while (node && node != m_downstreamEnd.deprecatedNode() && !m_downstreamEnd.isNull() && !m_downstreamEnd.isOrphan()) {
if (firstPositionInOrBeforeNode(node.get()) >= m_downstreamEnd) {
// NodeTraversal::nextSkippingChildren just blew past the end position, so stop deleting
node = nullptr;
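Review bot: The new guards are placed after `node != m_downstreamEnd.deprecatedNode()` in the loop condition, so `deprecatedNode()` is still invoked on `m_downstreamEnd` before `isNull()` and `isOrphan()` are consulted; if the position can be null or orphaned at this point, the checks read more naturally, and the comparison only ever runs against a valid position, if they come first: `while (!m_downstreamEnd.isNull() && !m_downstreamEnd.isOrphan() && node && node != m_downstreamEnd.deprecatedNode())`. Re-evaluating the orphan check on every iteration is reasonable since the loop body removes nodes and could orphan the end position mid-loop, but a short comment saying so would help, given that the ChangeLog admits there is no reproduction and the guard otherwise looks like it only needs to run once before the loop.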
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes