Title: [182162] trunk/Source/WebKit2
Revision
182162
Author
[email protected]
Date
2015-03-30 16:25:44 -0700 (Mon, 30 Mar 2015)

Log Message

[iOS] WebContent crashing at WebCore: WebCore::Range::collectSelectionRects.
https://bugs.webkit.org/show_bug.cgi?id=143234
<rdar://problem/18571345>

Reviewed by Tim Horton.

This is a speculative fix that adds a null check before referencing the range.
In both places where the check has been added the range returned by the call
that should create it could be null.

* WebProcess/WebPage/ios/WebPageIOS.mm:
(WebKit::WebPage::platformEditorState):

Modified Paths

Diff

Modified: trunk/Source/WebKit2/ChangeLog (182161 => 182162)


--- trunk/Source/WebKit2/ChangeLog	2015-03-30 23:22:09 UTC (rev 182161)
+++ trunk/Source/WebKit2/ChangeLog	2015-03-30 23:25:44 UTC (rev 182162)
@@ -1,3 +1,18 @@
+2015-03-30  Enrica Casucci  <[email protected]>
+
+        [iOS] WebContent crashing at WebCore: WebCore::Range::collectSelectionRects.
+        https://bugs.webkit.org/show_bug.cgi?id=143234
+        <rdar://problem/18571345>
+
+        Reviewed by Tim Horton.
+
+        This is a speculative fix that adds a null check before referencing the range.
+        In both places where the check has been added the range returned by the call
+        that should create it could be null.
+
+        * WebProcess/WebPage/ios/WebPageIOS.mm:
+        (WebKit::WebPage::platformEditorState):
+
 2015-03-30  Sam Weinig  <[email protected]>
 
         [Content Extensions] Flesh out the UserContentExtensionStore

Modified: trunk/Source/WebKit2/WebProcess/WebPage/ios/WebPageIOS.mm (182161 => 182162)


--- trunk/Source/WebKit2/WebProcess/WebPage/ios/WebPageIOS.mm	2015-03-30 23:22:09 UTC (rev 182161)
+++ trunk/Source/WebKit2/WebProcess/WebPage/ios/WebPageIOS.mm	2015-03-30 23:25:44 UTC (rev 182162)
@@ -134,14 +134,16 @@
     if (frame.editor().hasComposition()) {
         RefPtr<Range> compositionRange = frame.editor().compositionRange();
         Vector<WebCore::SelectionRect> compositionRects;
-        compositionRange->collectSelectionRects(compositionRects);
-        if (compositionRects.size())
-            result.firstMarkedRect = compositionRects[0].rect();
-        if (compositionRects.size() > 1)
-            result.lastMarkedRect = compositionRects.last().rect();
-        else
-            result.lastMarkedRect = result.firstMarkedRect;
-        result.markedText = plainTextReplacingNoBreakSpace(compositionRange.get());
+        if (compositionRange) {
+            compositionRange->collectSelectionRects(compositionRects);
+            if (compositionRects.size())
+                result.firstMarkedRect = compositionRects[0].rect();
+            if (compositionRects.size() > 1)
+                result.lastMarkedRect = compositionRects.last().rect();
+            else
+                result.lastMarkedRect = result.firstMarkedRect;
+            result.markedText = plainTextReplacingNoBreakSpace(compositionRange.get());
+        }
     }
     FrameView* view = frame.view();
     if (selection.isCaret()) {
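Review bot: The new `if (compositionRange)` guard carries no comment explaining why `compositionRange()` can return null while `hasComposition()` is true, and the null path silently leaves `result.firstMarkedRect`, `result.lastMarkedRect` and `result.markedText` at whatever values `result` already held. Since the log message calls the fix speculative, a line such as `// compositionRange() may return null even when hasComposition() is true; marked rects and text keep their defaults.` above the guard would record the intent for whoever tracks down the root cause. `compositionRects` is now used only inside the guard, so its declaration can move inside it as well. The enclosing function starts and ends outside this hunk.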
@@ -159,15 +161,18 @@
         result.caretRectAtStart = view->contentsToRootView(VisiblePosition(selection.start()).absoluteCaretBounds());
         result.caretRectAtEnd = view->contentsToRootView(VisiblePosition(selection.end()).absoluteCaretBounds());
         RefPtr<Range> selectedRange = selection.toNormalizedRange();
-        selectedRange->collectSelectionRects(result.selectionRects);
-        convertSelectionRectsToRootView(view, result.selectionRects);
-        String selectedText = plainTextReplacingNoBreakSpace(selectedRange.get(), TextIteratorDefaultBehavior, true);
+        String selectedText;
+        if (selectedRange) {
+            selectedRange->collectSelectionRects(result.selectionRects);
+            convertSelectionRectsToRootView(view, result.selectionRects);
+            selectedText = plainTextReplacingNoBreakSpace(selectedRange.get(), TextIteratorDefaultBehavior, true);
+            result.selectedTextLength = selectedText.length();
+            const int maxSelectedTextLength = 200;
+            if (selectedText.length() <= maxSelectedTextLength)
+                result.wordAtSelection = selectedText;
+        }
         // FIXME: We should disallow replace when the string contains only CJ characters.
         result.isReplaceAllowed = result.isContentEditable && !result.isInPasswordField && !selectedText.containsOnlyWhitespace();
-        result.selectedTextLength = selectedText.length();
-        const int maxSelectedTextLength = 200;
-        if (selectedText.length() <= maxSelectedTextLength)
-            result.wordAtSelection = selectedText;
     }
     if (!selection.isNone()) {
         Node* nodeToRemove;
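Review bot: `view` is still dereferenced without a check at `view->contentsToRootView(...)` on the two context lines above the new guard, and it is passed to `convertSelectionRectsToRootView(view, result.selectionRects)` inside it. It comes from `FrameView* view = frame.view();` earlier in the function; if that can return null on this path, it is the same crash class this commit addresses, so a null check on `view` before this branch is worth adding. Separately, `result.selectedTextLength = selectedText.length();` moved inside `if (selectedRange)`, so with a null range the field is no longer written and depends on how `result` was initialised, which is not visible here. Keeping that one assignment after the guard, where the empty `selectedText` gives a length of 0, makes the value explicit. The branch this hunk sits in opens before the hunk and the function continues past it.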