Title: [203082] trunk/Source/WebCore
- Revision: 203082
- Author: [email protected]
- Date: 2016-07-11 13:53:48 -0700 (Mon, 11 Jul 2016)
Log Message
Possible null dereference under EventHandler::dispatchMouseEvent()
https://bugs.webkit.org/show_bug.cgi?id=159632
<rdar://problem/27247619>
Reviewed by Andreas Kling.
FrameSelection::toNormalizedRange() can return null even when FrameSelection::isRange()
returns true so add a null check.
* page/EventHandler.cpp:
(WebCore::EventHandler::dispatchMouseEvent):
Diff
Modified: trunk/Source/WebCore/ChangeLog (203081 => 203082)
--- trunk/Source/WebCore/ChangeLog 2016-07-11 20:48:15 UTC (rev 203081)
+++ trunk/Source/WebCore/ChangeLog 2016-07-11 20:53:48 UTC (rev 203082)
@@ -1,3 +1,17 @@
+2016-07-11 Chris Dumez <[email protected]>
+
+ Possible null dereference under EventHandler::dispatchMouseEvent()
+ https://bugs.webkit.org/show_bug.cgi?id=159632
+ <rdar://problem/27247619>
+
+ Reviewed by Andreas Kling.
+
+ FrameSelection::toNormalizedRange() can return null even when FrameSelection::isRange()
+ returns true so add a null check.
+
+ * page/EventHandler.cpp:
+ (WebCore::EventHandler::dispatchMouseEvent):
+
2016-07-11 Commit Queue <[email protected]>
Unreviewed, rolling out r203064.
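Review bot: The added ChangeLog entry names no regression test and gives no reason for omitting one, and its description ("can return null even when FrameSelection::isRange() returns true") does not say which selection state produces that result. Suggest adding a test reference or a short note on why the crash cannot be covered, plus one sentence on the triggering condition, so the null check can be tied to a reproducible case.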
Modified: trunk/Source/WebCore/page/EventHandler.cpp (203081 => 203082)
--- trunk/Source/WebCore/page/EventHandler.cpp 2016-07-11 20:48:15 UTC (rev 203081)
+++ trunk/Source/WebCore/page/EventHandler.cpp 2016-07-11 20:53:48 UTC (rev 203082)
@@ -2511,10 +2511,12 @@
// node on mouse down if it's selected and inside a focused node. It will be
// focused if the user does a mouseup over it, however, because the mouseup
// will set a selection inside it, which will call setFocuseNodeIfNeeded.
- if (m_frame.selection().isRange()
- && m_frame.selection().toNormalizedRange()->compareNode(*element, IGNORE_EXCEPTION) == Range::NODE_INSIDE
- && element->isDescendantOf(m_frame.document()->focusedElement()))
- return true;
+ if (m_frame.selection().isRange()) {
+ if (auto range = m_frame.selection().toNormalizedRange()) {
+ if (range->compareNode(*element, IGNORE_EXCEPTION) == Range::NODE_INSIDE && element->isDescendantOf(m_frame.document()->focusedElement()))
+ return true;
+ }
+ }
break;
}
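Review bot: On the added `if (auto range = m_frame.selection().toNormalizedRange())` line, nothing tells a later reader why the check is needed once `isRange()` has returned true, so it reads as redundant and is easy to drop in a cleanup. A one-line comment there stating that toNormalizedRange() can return null even for a range selection would protect it. Note also that a null range now falls through to `break` instead of returning true; the log message does not say whether that is the intended outcome for this case, so please confirm it. Since the removed lines show the unchecked `toNormalizedRange()->` pattern directly after `isRange()`, it is worth checking other callers for the same assumption.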