Title: [214003] trunk/Source/WebKit2
Revision
214003
Author
wenson_hs...@apple.com
Date
2017-03-15 12:56:03 -0700 (Wed, 15 Mar 2017)

Log Message

WebContent crash due to bad variant access in WebKit: WebKit::WebPage::expandedRangeFromHandle
https://bugs.webkit.org/show_bug.cgi?id=169657
<rdar://problem/30631070>

Reviewed by Tim Horton.

In WebPageIOS.mm, the call to unionDOMRanges from WebPage::expandedRangeFromHandle invokes
Range::compareBoundaryPoints, assuming that the return value is not an exception, and then attempts to perform
integer comparison on the result. This is one speculative cause of the web content crash in the radar.

There isn't a known way to reproduce this crash.

* WebProcess/WebPage/ios/WebPageIOS.mm:
(WebKit::unionDOMRanges):

Modified Paths

Diff

Modified: trunk/Source/WebKit2/ChangeLog (214002 => 214003)


--- trunk/Source/WebKit2/ChangeLog	2017-03-15 19:35:02 UTC (rev 214002)
+++ trunk/Source/WebKit2/ChangeLog	2017-03-15 19:56:03 UTC (rev 214003)
@@ -1,3 +1,20 @@
+2017-03-15  Wenson Hsieh  <wenson_hs...@apple.com>
+
+        WebContent crash due to bad variant access in WebKit: WebKit::WebPage::expandedRangeFromHandle
+        https://bugs.webkit.org/show_bug.cgi?id=169657
+        <rdar://problem/30631070>
+
+        Reviewed by Tim Horton.
+
+        In WebPageIOS.mm, the call to unionDOMRanges from WebPage::expandedRangeFromHandle invokes
+        Range::compareBoundaryPoints, assuming that the return value is not an exception, and then attempts to perform
+        integer comparison on the result. This is one speculative cause of the web content crash in the radar.
+
+        There isn't a known way to reproduce this crash.
+
+        * WebProcess/WebPage/ios/WebPageIOS.mm:
+        (WebKit::unionDOMRanges):
+
 2017-03-15  Tim Horton  <timothy_hor...@apple.com>
 
         Un-deprecate the original PDFPlugin
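Review bot: the entry lists only (WebKit::unionDOMRanges) as touched, yet the title names WebKit::WebPage::expandedRangeFromHandle as the crashing frame; since the fix makes unionDOMRanges return nullptr when either compareBoundaryPoints call raises an exception, the entry should state how expandedRangeFromHandle handles that new null result so a later reader does not have to rediscover the contract.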

Modified: trunk/Source/WebKit2/WebProcess/WebPage/ios/WebPageIOS.mm (214002 => 214003)


--- trunk/Source/WebKit2/WebProcess/WebPage/ios/WebPageIOS.mm	2017-03-15 19:35:02 UTC (rev 214002)
+++ trunk/Source/WebKit2/WebProcess/WebPage/ios/WebPageIOS.mm	2017-03-15 19:56:03 UTC (rev 214003)
@@ -1292,9 +1292,17 @@
     if (!rangeA)
         return rangeB;
 
-    Range* start = rangeA->compareBoundaryPoints(Range::START_TO_START, *rangeB).releaseReturnValue() <= 0 ? rangeA : rangeB;
-    Range* end = rangeA->compareBoundaryPoints(Range::END_TO_END, *rangeB).releaseReturnValue() <= 0 ? rangeB : rangeA;
+    auto startToStartComparison = rangeA->compareBoundaryPoints(Range::START_TO_START, *rangeB);
+    if (startToStartComparison.hasException())
+        return nullptr;
 
+    auto endToEndComparison = rangeA->compareBoundaryPoints(Range::END_TO_END, *rangeB);
+    if (endToEndComparison.hasException())
+        return nullptr;
+
+    auto* start = startToStartComparison.releaseReturnValue() <= 0 ? rangeA : rangeB;
+    auto* end = endToEndComparison.releaseReturnValue() <= 0 ? rangeB : rangeA;
+
     return Range::create(rangeA->ownerDocument(), &start->startContainer(), start->startOffset(), &end->endContainer(), end->endOffset());
 }
 
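Review bot: the two new `return nullptr;` paths add a null result for the case where both rangeA and rangeB are non-null, which the previous code never produced (it only returned rangeB when rangeA was null); every caller of unionDOMRanges, in particular WebPage::expandedRangeFromHandle named in the log, must be audited to null-check the return value, otherwise this trades the bad-variant access for a null dereference. Checking hasException() on both ExceptionOr results before either releaseReturnValue() is the right ordering, since releaseReturnValue() on an exception-holding value is exactly what the log describes as the crash; an alternative worth considering is keeping the old `Range*` spelling instead of `auto*` for start and end so the pointee type stays visible next to the Range::create call.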
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
