Title: [287449] trunk/Source/WebCore
- Revision: 287449
- Author: [email protected]
- Date: 2021-12-26 13:53:12 -0800 (Sun, 26 Dec 2021)
Log Message
null ptr deref in WebCore::indexForVisiblePosition()
https://bugs.webkit.org/show_bug.cgi?id=234255
Patch by Frédéric Wang <[email protected]> on 2021-12-26
Reviewed by Darin Adler.
* editing/InsertListCommand.cpp:
(WebCore::InsertListCommand::doApply): Ensure endOfSelection did not become orphan before
calling indexForVisiblePosition(). This may happen because the VisiblePosition constructor
is called in the while loop, triggering re-layout and post-layout tasks.
Modified Paths
- trunk/Source/WebCore/ChangeLog
- trunk/Source/WebCore/editing/InsertListCommand.cpp
Diff
Modified: trunk/Source/WebCore/ChangeLog (287448 => 287449)
--- trunk/Source/WebCore/ChangeLog 2021-12-26 21:40:03 UTC (rev 287448)
+++ trunk/Source/WebCore/ChangeLog 2021-12-26 21:53:12 UTC (rev 287449)
@@ -1,3 +1,15 @@
+2021-12-26 Frédéric Wang <[email protected]>
+
+ null ptr deref in WebCore::indexForVisiblePosition()
+ https://bugs.webkit.org/show_bug.cgi?id=234255
+
+ Reviewed by Darin Adler.
+
+ * editing/InsertListCommand.cpp:
+ (WebCore::InsertListCommand::doApply): Ensure endOfSelection did not become orphan before
+ calling indexForVisiblePosition(). This may happen because the VisiblePosition constructor
+ is called in the while loop, triggering re-layout and post-layout tasks.
+
2021-12-26 Tim Nguyen <[email protected]>
Remove -webkit-{border-fit/margin-collapse} leftovers in StyleRareNonInheritedData
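Review bot: the ChangeLog entry does not say whether a regression test was added or why none is needed, and the diff touches only ChangeLog and editing/InsertListCommand.cpp. Since the fix guards a null-pointer dereference reachable through re-layout during the command, consider adding a LayoutTests case that drives InsertListCommand with a selection whose end node is detached by layout, or state in the entry why the condition cannot be tested.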
Modified: trunk/Source/WebCore/editing/InsertListCommand.cpp (287448 => 287449)
--- trunk/Source/WebCore/editing/InsertListCommand.cpp 2021-12-26 21:40:03 UTC (rev 287448)
+++ trunk/Source/WebCore/editing/InsertListCommand.cpp 2021-12-26 21:53:12 UTC (rev 287449)
@@ -166,6 +166,8 @@
// the beginning of the document to the endOfSelection everytime this code is executed.
// But not using index is hard because there are so many ways we can lose selection inside doApplyForSingleParagraph.
RefPtr<ContainerNode> scope;
+ if (endOfSelection.isOrphan())
+ return;
int indexForEndOfSelection = indexForVisiblePosition(endOfSelection, scope);
doApplyForSingleParagraph(forceCreateList, listTag, currentSelection);
if (endOfSelection.isNull() || endOfSelection.isOrphan() || startOfLastParagraph.isNull() || startOfLastParagraph.isOrphan()) {
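Review bot: the new early exit at `if (endOfSelection.isOrphan()) return;` aborts the whole command rather than just the current iteration of the surrounding while loop, and carries no comment explaining why the position can be orphaned at this point. The ChangeLog attributes it to the VisiblePosition constructor triggering re-layout and post-layout tasks inside the loop; that reasoning belongs next to the check, otherwise a later reader may drop it as redundant with the `isNull() || isOrphan()` guard two lines below. It is also worth confirming that returning with earlier iterations' edits already applied is the intended recovery, rather than taking the same path as the existing guard on the following line (whose handling is not visible in this hunk), and whether `endOfSelection.isNull()` should be covered here as it is there.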
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes