[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

abarth at webkit.org
Wed Dec 22 12:16:47 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit 74cef0e9f67ff56439d3e59db5a98e43cbfc9b54
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Aug 18 07:37:56 2010 +0000

    2010-08-18  Adam Barth  <abarth at webkit.org>
    
            Reviewed by Adele Peterson.
    
            Null dereference in DOMSelection::deleteFromDocument
            https://bugs.webkit.org/show_bug.cgi?id=44153
    
            deleteFromDocument checks selection->isNone() before calling
            selection->selection().toNormalizedRange(), but toNormalizedRange()
            notes that it needs to updateLayout(), which can make the selection
            isNone() again.  In that case, we crash on a NULL pointer in
            deleteFromDocument.  I don't know how to trigger that situation in a
            test, but cross_fuzz was able to hit it, so we should fix it.
    
            * page/DOMSelection.cpp:
            (WebCore::DOMSelection::deleteFromDocument):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@65587 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index ba3c6f8..2af29cd 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,20 @@
+2010-08-18  Adam Barth  <abarth at webkit.org>
+
+        Reviewed by Adele Peterson.
+
+        Null dereference in DOMSelection::deleteFromDocument
+        https://bugs.webkit.org/show_bug.cgi?id=44153
+
+        deleteFromDocument checks selection->isNone() before calling
+        selection->selection().toNormalizedRange(), but toNormalizedRange()
+        notes that it needs to updateLayout(), which can make the selection
+        isNone() again.  In that case, we crash on a NULL pointer in
+        deleteFromDocument.  I don't know how to trigger that situation in a
+        test, but cross_fuzz was able to hit it, so we should fix it.
+
+        * page/DOMSelection.cpp:
+        (WebCore::DOMSelection::deleteFromDocument):
+
 2010-08-17  Girish Ramakrishnan  <girish at forwardbias.in>
 
         Reviewed by Antonio Gomes.
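Review bot: the entry under `(WebCore::DOMSelection::deleteFromDocument):` at the end of this ChangeLog block should say what the fix is, not only what the bug is; the paragraph above explains the crash, but a reader has to open the .cpp hunk to learn that the change is an early return when toNormalizedRange() yields a null range. Suggest `(WebCore::DOMSelection::deleteFromDocument): Return early if toNormalizedRange() returns null, which can happen because it runs layout.` Since the entry admits that no test triggers the situation, it would also help to state that explicitly in the ChangeLog (for example "No new tests: only reproduced by cross_fuzz") so that the absence of a LayoutTests change is not read as an oversight.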
diff --git a/WebCore/page/DOMSelection.cpp b/WebCore/page/DOMSelection.cpp
index d62051e..106dd13 100644
--- a/WebCore/page/DOMSelection.cpp
+++ b/WebCore/page/DOMSelection.cpp
@@ -427,6 +427,8 @@ void DOMSelection::deleteFromDocument()
         selection->modify(SelectionController::AlterationExtend, SelectionController::DirectionBackward, CharacterGranularity);
 
     RefPtr<Range> selectedRange = selection->selection().toNormalizedRange();
+    if (!selectedRange)
+        return;
 
     ExceptionCode ec = 0;
     selectedRange->deleteContents(ec);
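Review bot: the added null check at `if (!selectedRange) return;` carries no comment explaining why the range can be null here when the function already checked `selection->isNone()` before the `modify()` call shown above; the reason (toNormalizedRange() calls updateLayout(), which can clear the selection) lives only in the ChangeLog. Suggest a one-line comment above the check, e.g. `// toNormalizedRange() updates layout, which can clear the selection.` This hunk only fixes the deleteFromDocument() instance; the same pattern, a toNormalizedRange() result dereferenced without a null check, should be audited in the other DOMSelection methods in this file.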

-- 
WebKit Debian packaging


