Skip to site navigation (Press enter)

[webkit-changes] [261558] trunk/Source/WebCore

simon . fraser Tue, 12 May 2020 10:02:24 -0700

Title: [261558] trunk/Source/WebCore

Revision: 261558
Author: [email protected]
Date: 2020-05-12 10:00:43 -0700 (Tue, 12 May 2020)

Log Message

Speculative fix for crash in ScrollingTree::handleWheelEvent()
https://bugs.webkit.org/show_bug.cgi?id=211763
<rdar://problem/62926117>


Reviewed by Andy Estes.

Crash data shows a null-deref crash in ScrollingTree::handleWheelEvent() which
is most likely because m_rootNode is null. Protect against this.

* page/scrolling/ScrollingTree.cpp:
(WebCore::ScrollingTree::handleWheelEvent):

Modified Paths

trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/page/scrolling/ScrollingTree.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (261557 => 261558)


--- trunk/Source/WebCore/ChangeLog	2020-05-12 16:45:31 UTC (rev 261557)
+++ trunk/Source/WebCore/ChangeLog	2020-05-12 17:00:43 UTC (rev 261558)
@@ -1,3 +1,17 @@
+2020-05-12  Simon Fraser  <[email protected]>
+
+        Speculative fix for crash in ScrollingTree::handleWheelEvent()
+        https://bugs.webkit.org/show_bug.cgi?id=211763
+        <rdar://problem/62926117>
+
+        Reviewed by Andy Estes.
+
+        Crash data shows a null-deref crash in ScrollingTree::handleWheelEvent() which
+        is most likely because m_rootNode is null. Protect against this.
+
+        * page/scrolling/ScrollingTree.cpp:
+        (WebCore::ScrollingTree::handleWheelEvent):
+
 2020-05-12  Youenn Fablet  <[email protected]>
 
         Allow WebAudioBufferList to dynamically change its number of frames

Modified: trunk/Source/WebCore/page/scrolling/ScrollingTree.cpp (261557 => 261558)


--- trunk/Source/WebCore/page/scrolling/ScrollingTree.cpp	2020-05-12 16:45:31 UTC (rev 261557)
+++ trunk/Source/WebCore/page/scrolling/ScrollingTree.cpp	2020-05-12 17:00:43 UTC (rev 261558)
@@ -104,13 +104,12 @@
     m_latchingController.receivedWheelEvent(wheelEvent, m_allowLatching);
 
     auto result = [&] {
-        if (!asyncFrameOrOverflowScrollingEnabled()) {
-            if (m_rootNode)
-                return m_rootNode->handleWheelEvent(wheelEvent);
-
+        if (!m_rootNode)
             return ScrollingEventResult::DidNotHandleEvent;
-        }
 
+        if (!asyncFrameOrOverflowScrollingEnabled())
+            return m_rootNode->handleWheelEvent(wheelEvent);
+
         if (m_gestureState.handleGestureCancel(wheelEvent))
             return ScrollingEventResult::DidHandleEvent;

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes