[webkit-changes] [176617] trunk/Source/WebCore

[timothy_horton]

Title: [176617] trunk/Source/WebCore

Revision

176617

Author

timothy_hor...@apple.com

Date

2014-12-01 17:29:43 -0800 (Mon, 01 Dec 2014)

Log Message

Null deref under TextIndicator::createWithSelectionInFrame using find-in-page on bugzilla
https://bugs.webkit.org/show_bug.cgi?id=139164
<rdar://problem/19107247>

Reviewed by Beth Dakin.

* page/TextIndicator.cpp:
(WebCore::TextIndicator::createWithSelectionInFrame):
Null-check the ImageBuffer in addition to the Image.

Modified Paths

• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/page/TextIndicator.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (176616 => 176617)

--- trunk/Source/WebCore/ChangeLog	2014-12-02 01:16:04 UTC (rev 176616)
+++ trunk/Source/WebCore/ChangeLog	2014-12-02 01:29:43 UTC (rev 176617)
@@ -1,3 +1,15 @@
+2014-12-01  Tim Horton  <timothy_hor...@apple.com>
+
+        Null deref under TextIndicator::createWithSelectionInFrame using find-in-page on bugzilla
+        https://bugs.webkit.org/show_bug.cgi?id=139164
+        <rdar://problem/19107247>
+
+        Reviewed by Beth Dakin.
+
+        * page/TextIndicator.cpp:
+        (WebCore::TextIndicator::createWithSelectionInFrame):
+        Null-check the ImageBuffer in addition to the Image.
+
 2014-12-01  Anders Carlsson  <ander...@apple.com>
 
         Remove IWebCookieManager on Windows

Modified: trunk/Source/WebCore/page/TextIndicator.cpp (176616 => 176617)

--- trunk/Source/WebCore/page/TextIndicator.cpp	2014-12-02 01:16:04 UTC (rev 176616)
+++ trunk/Source/WebCore/page/TextIndicator.cpp	2014-12-02 01:29:43 UTC (rev 176617)
@@ -133,7 +133,10 @@
 PassRefPtr<TextIndicator> TextIndicator::createWithSelectionInFrame(Frame& frame, TextIndicatorPresentationTransition presentationTransition)
 {
     IntRect selectionRect = enclosingIntRect(frame.selection().selectionBounds());
-    RefPtr<Image> indicatorBitmap = snapshotSelection(frame, SnapshotOptionsForceBlackText)->copyImage(CopyBackingStore, Unscaled);
+    std::unique_ptr<ImageBuffer> indicatorBuffer = snapshotSelection(frame, SnapshotOptionsForceBlackText);
+    if (!indicatorBuffer)
+        return nullptr;
+    RefPtr<Image> indicatorBitmap = indicatorBuffer->copyImage(CopyBackingStore, Unscaled);
     if (!indicatorBitmap)
         return nullptr;
 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes