Title: [202757] trunk/Source
- Revision
- 202757
- Author
- [email protected]
- Date
- 2016-07-01 13:59:08 -0700 (Fri, 01 Jul 2016)
Log Message
[iOS] Possible null Range dereference under computeAutocorrectionContext()
https://bugs.webkit.org/show_bug.cgi?id=159328
<rdar://problem/26766720>
Reviewed by Benjamin Poulain.
Source/WebCore:
* editing/Editor.cpp:
(WebCore::Editor::compositionRange):
* editing/Editor.h:
Update to return a RefPtr instead of a PassRefPtr and use nullptr
instead of 0 in the implementation.
Source/WebKit2:
The code in computeAutocorrectionContext() was checking Editor::hasComposition()
before dereferencing Editor::compositionRange(). However, compositionRange()
can also return null in other cases (e.g. compositionStart == compositionEnd).
Drop the check for hasComposition() and do a null check on the value returned
by compositionRange() instead.
* WebProcess/WebPage/ios/WebPageIOS.mm:
(WebKit::computeAutocorrectionContext):
Modified: trunk/Source/WebCore/ChangeLog (202756 => 202757)
--- trunk/Source/WebCore/ChangeLog 2016-07-01 20:58:12 UTC (rev 202756)
+++ trunk/Source/WebCore/ChangeLog 2016-07-01 20:59:08 UTC (rev 202757)
@@ -1,3 +1,17 @@
+2016-07-01 Chris Dumez <[email protected]>
+
+ [iOS] Possible null Range dereference under computeAutocorrectionContext()
+ https://bugs.webkit.org/show_bug.cgi?id=159328
+ <rdar://problem/26766720>
+
+ Reviewed by Benjamin Poulain.
+
+ * editing/Editor.cpp:
+ (WebCore::Editor::compositionRange):
+ * editing/Editor.h:
+ Update to return a RefPtr instead of a PassRefPtr and use nullptr
+ instead of 0 in the implementation.
+
2016-07-01 Jon Davis <[email protected]>
Updated Picture element and WOFF 2 status
Modified: trunk/Source/WebCore/editing/Editor.cpp (202756 => 202757)
--- trunk/Source/WebCore/editing/Editor.cpp 2016-07-01 20:58:12 UTC (rev 202756)
+++ trunk/Source/WebCore/editing/Editor.cpp 2016-07-01 20:59:08 UTC (rev 202757)
@@ -2823,15 +2823,15 @@
revealSelectionAfterEditingOperation(ScrollAlignment::alignToEdgeIfNeeded, RevealExtent);
}
-PassRefPtr<Range> Editor::compositionRange() const
+RefPtr<Range> Editor::compositionRange() const
{
if (!m_compositionNode)
- return 0;
+ return nullptr;
unsigned length = m_compositionNode->length();
unsigned start = std::min(m_compositionStart, length);
unsigned end = std::min(std::max(start, m_compositionEnd), length);
if (start >= end)
- return 0;
+ return nullptr;
return Range::create(m_compositionNode->document(), m_compositionNode.get(), start, m_compositionNode.get(), end);
}
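Review bot: The second `return nullptr` (the `start >= end` branch) is exactly the case that bit computeAutocorrectionContext(), yet neither this body nor the declaration changed in the Editor.h hunk tells a caller that an existing composition can still yield a null range. I would document the contract on the declaration in Editor.h: `// Returns null when there is no composition node or when the clamped composition range is empty (start >= end); callers must null-check the result rather than rely on hasComposition().` A short why-comment on the branch here, `// An empty or inverted composition is reported as null rather than as a collapsed Range.`, would make the intent visible at the point of return.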
Modified: trunk/Source/WebCore/editing/Editor.h (202756 => 202757)
--- trunk/Source/WebCore/editing/Editor.h 2016-07-01 20:58:12 UTC (rev 202756)
+++ trunk/Source/WebCore/editing/Editor.h 2016-07-01 20:59:08 UTC (rev 202757)
@@ -304,7 +304,7 @@
WEBCORE_EXPORT void confirmComposition(const String&); // if no existing composition, replaces selection
WEBCORE_EXPORT void cancelComposition();
bool cancelCompositionIfSelectionIsInvalid();
- WEBCORE_EXPORT PassRefPtr<Range> compositionRange() const;
+ WEBCORE_EXPORT RefPtr<Range> compositionRange() const;
WEBCORE_EXPORT bool getCompositionSelection(unsigned& selectionStart, unsigned& selectionEnd) const;
// getting international text input composition state (for use by InlineTextBox)
Modified: trunk/Source/WebKit2/ChangeLog (202756 => 202757)
--- trunk/Source/WebKit2/ChangeLog 2016-07-01 20:58:12 UTC (rev 202756)
+++ trunk/Source/WebKit2/ChangeLog 2016-07-01 20:59:08 UTC (rev 202757)
@@ -1,3 +1,21 @@
+2016-07-01 Chris Dumez <[email protected]>
+
+ [iOS] Possible null Range dereference under computeAutocorrectionContext()
+ https://bugs.webkit.org/show_bug.cgi?id=159328
+ <rdar://problem/26766720>
+
+ Reviewed by Benjamin Poulain.
+
+ The code in computeAutocorrectionContext() was checking Editor::hasComposition()
+ before dereferencing Editor::compositionRange(). However, compositionRange()
+ can also return null in other cases (e.g. compositionStart == compositionEnd).
+
+ Drop the check for hasComposition() and do a null check on the value returned
+ by compositionRange() instead.
+
+ * WebProcess/WebPage/ios/WebPageIOS.mm:
+ (WebKit::computeAutocorrectionContext):
+
2016-07-01 Brent Fulgham <[email protected]>
Prevent crash when attempting to copy an image
Modified: trunk/Source/WebKit2/WebProcess/WebPage/ios/WebPageIOS.mm (202756 => 202757)
--- trunk/Source/WebKit2/WebProcess/WebPage/ios/WebPageIOS.mm 2016-07-01 20:58:12 UTC (rev 202756)
+++ trunk/Source/WebKit2/WebProcess/WebPage/ios/WebPageIOS.mm 2016-07-01 20:59:08 UTC (rev 202757)
@@ -2191,12 +2191,12 @@
if (frame.selection().isRange())
selectedText = plainTextReplacingNoBreakSpace(frame.selection().selection().toNormalizedRange().get());
- if (frame.editor().hasComposition()) {
- range = Range::create(*frame.document(), frame.editor().compositionRange()->startPosition(), startPosition);
+ if (auto compositionRange = frame.editor().compositionRange()) {
+ range = Range::create(*frame.document(), compositionRange->startPosition(), startPosition);
String markedTextBefore;
if (range)
markedTextBefore = plainTextReplacingNoBreakSpace(range.get());
- range = Range::create(*frame.document(), endPosition, frame.editor().compositionRange()->endPosition());
+ range = Range::create(*frame.document(), endPosition, compositionRange->endPosition());
String markedTextAfter;
if (range)
markedTextAfter = plainTextReplacingNoBreakSpace(range.get());
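Review bot: The new `if (auto compositionRange = frame.editor().compositionRange())` guard removes the null dereference, but nothing left in the code records why hasComposition() was dropped, so a later cleanup could reintroduce the weaker check; I would add above the condition `// compositionRange() can be null even when hasComposition() is true (empty composition), so test the range itself.` The `*frame.document()` dereferences inside the guard remain unconditional; whether document() is guaranteed non-null at this point depends on code outside the hunk, so that is worth confirming. The enclosing computeAutocorrectionContext() starts and ends outside the hunk.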