Title: [275320] trunk
Revision: 275320
Author: commit-qu...@webkit.org
Date: 2021-03-31 16:38:30 -0700 (Wed, 31 Mar 2021)

Log Message

Null pointer access crash in WebCore::makeBoundaryPoint(..)
https://bugs.webkit.org/show_bug.cgi?id=223977

Patch by Venky Dass <yaranamavenkataram...@apple.com> on 2021-03-31
Reviewed by Darin Adler.

Source/WebCore:

In makeBoundaryPoint, position.containerNode() can be nullptr even if position.isNull() was false

Test: LayoutTests/editing/inserting/crash-make-boundary-point.html

* dom/Position.cpp:
(WebCore::makeBoundaryPoint):

LayoutTests:

Adding a regression test case.

* editing/inserting/crash-make-boundary-point-expected.txt: Added.
* editing/inserting/crash-make-boundary-point.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (275319 => 275320)


--- trunk/LayoutTests/ChangeLog	2021-03-31 23:35:43 UTC (rev 275319)
+++ trunk/LayoutTests/ChangeLog	2021-03-31 23:38:30 UTC (rev 275320)
@@ -1,3 +1,15 @@
+2021-03-31  Venky Dass  <yaranamavenkataram...@apple.com>
+
+        Null pointer access crash in WebCore::makeBoundaryPoint(..)
+        https://bugs.webkit.org/show_bug.cgi?id=223977
+
+        Reviewed by Darin Adler.
+
+        Adding a refression test case.
+
+        * editing/inserting/crash-make-boundary-point-expected.txt: Added.
+        * editing/inserting/crash-make-boundary-point.html: Added.
+
 2021-03-31  Chris Gambrell  <cgambr...@apple.com>
 
         [LayoutTests] Convert http/tests/contentextensions convert PHP to Python
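Review bot: typo in the new ChangeLog entry, `+        Adding a refression test case.` should read `regression`; ChangeLog text gets grepped later, so worth fixing before landing.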

Added: trunk/LayoutTests/editing/inserting/crash-make-boundary-point-expected.txt (0 => 275320)


--- trunk/LayoutTests/editing/inserting/crash-make-boundary-point-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/inserting/crash-make-boundary-point-expected.txt	2021-03-31 23:38:30 UTC (rev 275320)
@@ -0,0 +1 @@
+PASS. WebKit did not crash.

Added: trunk/LayoutTests/editing/inserting/crash-make-boundary-point.html (0 => 275320)


--- trunk/LayoutTests/editing/inserting/crash-make-boundary-point.html	                        (rev 0)
+++ trunk/LayoutTests/editing/inserting/crash-make-boundary-point.html	2021-03-31 23:38:30 UTC (rev 275320)
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+  style, script, head {
+    display: block;
+  }
+</style>
+<script>
+function runTest()
+{
+  document.documentElement.appendChild(document.createElement('input'));
+  document.execCommand('SelectAll');
+  document.designMode = 'on';
+  document.execCommand('JustifyRight');
+  document.execCommand('FormatBlock', false, 'div');
+  if (window.testRunner)
+      testRunner.dumpAsText();
+  document.documentElement.textContent = 'PASS. WebKit did not crash.';
+}
+window._onload_ = runTest;
+</script>
+</head>
+<body></body>
+</html>
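Review bot: the handler is attached to `window._onload_` (`+window._onload_ = runTest;`), which is not the DOM `onload` property, so as shown here `runTest` would never run: the body would stay empty, `dumpAsText` would never be called, and the test could not exercise the crash path. If the underscores are an artifact of the list archive, please confirm the file in the repository reads `window.onload = runTest;`. Minor: `testRunner.dumpAsText()` is called only after the `execCommand` sequence; the usual convention is to call it at the top of `runTest` so the text-only dump is in effect even if one of the earlier calls throws.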

Modified: trunk/Source/WebCore/ChangeLog (275319 => 275320)


--- trunk/Source/WebCore/ChangeLog	2021-03-31 23:35:43 UTC (rev 275319)
+++ trunk/Source/WebCore/ChangeLog	2021-03-31 23:38:30 UTC (rev 275320)
@@ -1,3 +1,17 @@
+2021-03-31  Venky Dass  <yaranamavenkataram...@apple.com>
+
+        Null pointer access crash in WebCore::makeBoundaryPoint(..)
+        https://bugs.webkit.org/show_bug.cgi?id=223977
+
+        Reviewed by Darin Adler.
+
+        In makeBoundaryPoint, position.containerNode() can be nullptr even if position.isNull() was false 
+
+        Test: LayoutTests/editing/inserting/crash-make-boundary-point.html
+
+        * dom/Position.cpp:
+        (WebCore::makeBoundaryPoint):
+
 2021-03-31  Eric Carlson  <eric.carl...@apple.com>
 
         [macOS] MediaSessionCoordinator should have join and leave methods
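Review bot: the description line `+        In makeBoundaryPoint, position.containerNode() can be nullptr even if position.isNull() was false ` has trailing whitespace and no terminating period. More importantly, it states that the two predicates can disagree but not in which case, which is exactly what a future reader of this entry will want; a short note of the situation the new test reproduces (the designMode/editing-command sequence in crash-make-boundary-point.html) would make the entry self-explanatory.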

Modified: trunk/Source/WebCore/dom/Position.cpp (275319 => 275320)


--- trunk/Source/WebCore/dom/Position.cpp	2021-03-31 23:35:43 UTC (rev 275319)
+++ trunk/Source/WebCore/dom/Position.cpp	2021-03-31 23:38:30 UTC (rev 275320)
@@ -1594,9 +1594,10 @@
 
 Optional<BoundaryPoint> makeBoundaryPoint(const Position& position)
 {
-    if (position.isNull())
+    auto container = makeRefPtr(position.containerNode());
+    if (!container)
         return WTF::nullopt;
-    return BoundaryPoint { *position.containerNode(), static_cast<unsigned>(position.computeOffsetInContainerNode()) };
+    return BoundaryPoint { container.releaseNonNull(), static_cast<unsigned>(position.computeOffsetInContainerNode()) };
 }
 
 PartialOrdering documentOrder(const Position& a, const Position& b)
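Review bot: replacing the `isNull()` guard with a null check on the container fixes this caller, but the ChangeLog says the two predicates can disagree, so any other site in Position.cpp that tests `isNull()` and then dereferences `containerNode()` has the same exposure; consider auditing those callers, or adding an assertion where `isNull()` is expected to imply a null container, rather than hardening only this function. Minor: holding the node in a `RefPtr` also keeps it alive across `computeOffsetInContainerNode()` before `container.releaseNonNull()` hands the `Ref` to `BoundaryPoint`; if that lifetime guarantee is intentional rather than incidental, a one-line comment would make it clear.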