Modified: branches/safari-604-branch/Source/WebCore/ChangeLog (223668 => 223669)
--- branches/safari-604-branch/Source/WebCore/ChangeLog 2017-10-19 05:14:38 UTC (rev 223668)
+++ branches/safari-604-branch/Source/WebCore/ChangeLog 2017-10-19 05:14:42 UTC (rev 223669)
@@ -1,5 +1,37 @@
2017-10-18 Jason Marcell <[email protected]>
+ Cherry-pick r223228. rdar://problem/35061705
+
+ 2017-10-11 Brent Fulgham <[email protected]>
+
+ Correct nullptr deref in selection handling.
+ https://bugs.webkit.org/show_bug.cgi?id=178189
+ <rdar://problem/33833012>
+
+ Reviewed by Ryosuke Niwa.
+
+ The VisibleSelection::toNormalizedRange returns nullptr for certain conditions (e.g., 'isNone'
+ and 'isOrphaned' cases). It's possible to crash the WebProcess by executing a code path with
+ an orphaned selection range.
+
+ The return value of 'toNormalizedRange' is checked for nullptr in many places, but not everywhere.
+ This patch adds those missing nullptr checks.
+
+ * accessibility/ios/WebAccessibilityObjectWrapperIOS.mm:
+ (-[WebAccessibilityObjectWrapper textMarkerRangeForSelection]):
+ * editing/DeleteSelectionCommand.cpp:
+ (WebCore::DeleteSelectionCommand::makeStylingElementsDirectChildrenOfEditableRootToPreventStyleLoss):
+ * editing/EditingStyle.cpp:
+ (WebCore::EditingStyle::styleAtSelectionStart):
+ * editing/Editor.cpp:
+ (WebCore::Editor::misspelledWordAtCaretOrRange const):
+ * page/DOMSelection.cpp:
+ (WebCore::DOMSelection::containsNode const):
+ * page/DragController.cpp:
+ (WebCore::DragController::concludeEditDrag):
+
+2017-10-18 Jason Marcell <[email protected]>
+
Cherry-pick r223210. rdar://problem/34820936
2017-10-11 Simon Fraser <[email protected]>
Modified: branches/safari-604-branch/Source/WebCore/accessibility/ios/WebAccessibilityObjectWrapperIOS.mm (223668 => 223669)
--- branches/safari-604-branch/Source/WebCore/accessibility/ios/WebAccessibilityObjectWrapperIOS.mm 2017-10-19 05:14:38 UTC (rev 223668)
+++ branches/safari-604-branch/Source/WebCore/accessibility/ios/WebAccessibilityObjectWrapperIOS.mm 2017-10-19 05:14:42 UTC (rev 223669)
@@ -2378,6 +2378,9 @@
return nil;
RefPtr<Range> range = selection.toNormalizedRange();
+ if (!range)
+ return nil;
+
CharacterOffset start = cache->startOrEndCharacterOffsetForRange(range, true);
CharacterOffset end = cache->startOrEndCharacterOffsetForRange(range, false);
Modified: branches/safari-604-branch/Source/WebCore/editing/DeleteSelectionCommand.cpp (223668 => 223669)
--- branches/safari-604-branch/Source/WebCore/editing/DeleteSelectionCommand.cpp 2017-10-19 05:14:38 UTC (rev 223668)
+++ branches/safari-604-branch/Source/WebCore/editing/DeleteSelectionCommand.cpp 2017-10-19 05:14:42 UTC (rev 223669)
@@ -461,7 +461,7 @@
void DeleteSelectionCommand::makeStylingElementsDirectChildrenOfEditableRootToPreventStyleLoss()
{
RefPtr<Range> range = m_selectionToDelete.toNormalizedRange();
- RefPtr<Node> node = range->firstNode();
+ RefPtr<Node> node = range ? range->firstNode() : nullptr;
while (node && node != range->pastLastNode()) {
RefPtr<Node> nextNode = NodeTraversal::next(*node);
if ((is<HTMLStyleElement>(*node) && !downcast<HTMLStyleElement>(*node).hasAttributeWithoutSynchronization(scopedAttr)) || is<HTMLLinkElement>(*node)) {
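Review bot: The null case in `RefPtr<Node> node = range ? range->firstNode() : nullptr;` is only safe because `node &&` on the following `while` line short-circuits before `range->pastLastNode()` is evaluated; that coupling between two lines is easy to break on a later edit of the loop condition. An explicit guard reads more clearly and matches the early-return shape the same commit uses in Editor.cpp, DOMSelection.cpp and DragController.cpp: `if (!range) return;` followed by the original `RefPtr<Node> node = range->firstNode();`. The body of makeStylingElementsDirectChildrenOfEditableRootToPreventStyleLoss continues past the end of the hunk, so any later use of `range` there is not visible here.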
Modified: branches/safari-604-branch/Source/WebCore/editing/EditingStyle.cpp (223668 => 223669)
--- branches/safari-604-branch/Source/WebCore/editing/EditingStyle.cpp 2017-10-19 05:14:38 UTC (rev 223668)
+++ branches/safari-604-branch/Source/WebCore/editing/EditingStyle.cpp 2017-10-19 05:14:42 UTC (rev 223669)
@@ -1447,9 +1447,10 @@
// Also, if the selection is a range, ignore the background color at the start of selection,
// and find the background color of the common ancestor.
if (shouldUseBackgroundColorInEffect && (selection.isRange() || hasTransparentBackgroundColor(style->m_mutableStyle.get()))) {
- RefPtr<Range> range(selection.toNormalizedRange());
- if (auto value = backgroundColorInEffect(range->commonAncestorContainer()))
- style->setProperty(CSSPropertyBackgroundColor, value->cssText());
+ if (auto range = selection.toNormalizedRange()) {
+ if (auto value = backgroundColorInEffect(range->commonAncestorContainer()))
+ style->setProperty(CSSPropertyBackgroundColor, value->cssText());
+ }
}
return WTFMove(style);
Modified: branches/safari-604-branch/Source/WebCore/editing/Editor.cpp (223668 => 223669)
--- branches/safari-604-branch/Source/WebCore/editing/Editor.cpp 2017-10-19 05:14:38 UTC (rev 223668)
+++ branches/safari-604-branch/Source/WebCore/editing/Editor.cpp 2017-10-19 05:14:42 UTC (rev 223669)
@@ -2112,6 +2112,8 @@
VisibleSelection wordSelection(selection.base());
wordSelection.expandUsingGranularity(WordGranularity);
RefPtr<Range> wordRange = wordSelection.toNormalizedRange();
+ if (!wordRange)
+ return String();
// In compliance with GTK+ applications, additionally allow to provide suggestions when the current
// selection exactly match the word selection.
Modified: branches/safari-604-branch/Source/WebCore/page/DOMSelection.cpp (223668 => 223669)
--- branches/safari-604-branch/Source/WebCore/page/DOMSelection.cpp 2017-10-19 05:14:38 UTC (rev 223668)
+++ branches/safari-604-branch/Source/WebCore/page/DOMSelection.cpp 2017-10-19 05:14:42 UTC (rev 223669)
@@ -394,6 +394,8 @@
Ref<Node> protectedNode(node);
auto selectedRange = selection.selection().toNormalizedRange();
+ if (!selectedRange)
+ return false;
ContainerNode* parentNode = node.parentNode();
if (!parentNode || !parentNode->isConnected())
Modified: branches/safari-604-branch/Source/WebCore/page/DragController.cpp (223668 => 223669)
--- branches/safari-604-branch/Source/WebCore/page/DragController.cpp 2017-10-19 05:14:38 UTC (rev 223668)
+++ branches/safari-604-branch/Source/WebCore/page/DragController.cpp 2017-10-19 05:14:42 UTC (rev 223669)
@@ -547,6 +547,8 @@
if (!color.isValid())
return false;
RefPtr<Range> innerRange = innerFrame->selection().toNormalizedRange();
+ if (!innerRange)
+ return false;
RefPtr<MutableStyleProperties> style = MutableStyleProperties::create();
style->setProperty(CSSPropertyColor, color.serialized(), false);
if (!innerFrame->editor().shouldApplyStyle(style.get(), innerRange.get()))