Title: [273866] trunk/Source/WebCore
Revision
273866
Author
rn...@webkit.org
Date
2021-03-03 17:48:53 -0800 (Wed, 03 Mar 2021)

Log Message

Nullptr crash in DeleteSelectionCommand::handleGeneralDelete()
https://bugs.webkit.org/show_bug.cgi?id=222681

Reviewed by Wenson Hsieh.

Skip the loop when m_downstreamEnd.isNull() or m_downstreamEnd.isOrphan() is true
to avoid dereferencing a nullptr.

No new tests since we don't have any reproduction for this crash,
and it's not obvious how we're getting into that state.

* editing/DeleteSelectionCommand.cpp:
(WebCore::DeleteSelectionCommand::handleGeneralDelete):

Diff

Modified: trunk/Source/WebCore/ChangeLog (273865 => 273866)


--- trunk/Source/WebCore/ChangeLog	2021-03-04 01:34:21 UTC (rev 273865)
+++ trunk/Source/WebCore/ChangeLog	2021-03-04 01:48:53 UTC (rev 273866)
@@ -1,3 +1,19 @@
+2021-03-03  Ryosuke Niwa  <rn...@webkit.org>
+
+        Nulllptr crash in DeleteSelectionCommand::handleGeneralDelete()
+        https://bugs.webkit.org/show_bug.cgi?id=222681
+
+        Reviewed by Wenson Hsieh.
+
+        Skip the loop when m_downstreamEnd.isNull() or im_downstreamEnd.isOrphan() is true
+        to avoid dereferencing a nullptr.
+
+        No new tests since we don't have any reproduction for this crash,
+        and it's not obvious how we're getting into that state.
+
+        * editing/DeleteSelectionCommand.cpp:
+        (WebCore::DeleteSelectionCommand::handleGeneralDelete):
+
 2021-03-03  Devin Rousso  <drou...@apple.com>
 
         Web Inspector: `RecordCanvasActionVariant` causes a huge symbol to be created in WebCore
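Review bot: the new ChangeLog entry carries two typos that will be preserved in the project history: "Nulllptr" in the title line and "im_downstreamEnd" in the description, which names a member that does not exist (the code hunk guards m_downstreamEnd). Suggest correcting both so that searches for the crash title and for the member name find this entry.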

Modified: trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp (273865 => 273866)


--- trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp	2021-03-04 01:34:21 UTC (rev 273865)
+++ trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp	2021-03-04 01:48:53 UTC (rev 273866)
@@ -599,7 +599,7 @@
         }
         
         // handle deleting all nodes that are completely selected
-        while (node && node != m_downstreamEnd.deprecatedNode()) {
+        while (node && node != m_downstreamEnd.deprecatedNode() && !m_downstreamEnd.isNull() && !m_downstreamEnd.isOrphan()) {
             if (firstPositionInOrBeforeNode(node.get()) >= m_downstreamEnd) {
                 // NodeTraversal::nextSkippingChildren just blew past the end position, so stop deleting
                 node = nullptr;
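Review bot: the added `!m_downstreamEnd.isNull() && !m_downstreamEnd.isOrphan()` guards sit after `node != m_downstreamEnd.deprecatedNode()`, so the condition still calls into m_downstreamEnd before checking whether it is null or orphaned. If the guards are meant to cover every use of the position in this condition, put them first, e.g. `while (node && !m_downstreamEnd.isNull() && !m_downstreamEnd.isOrphan() && node != m_downstreamEnd.deprecatedNode()) {`, which also makes the intent readable at a glance. Note that the condition is re-evaluated on every iteration rather than only "skipping the loop" as the ChangeLog says; since the loop body removes nodes, the position can become orphaned mid-loop, and a one-line comment stating that this is what the guard handles (and that the originating state is not yet understood) would help the next reader. The `>=` comparison against m_downstreamEnd on the following line is then only reached with a non-null, attached position.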
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes