Google Git
Sign in
webkit / WebKit / 1484cabaf74491228042ba6ff5ae785d49308679^! / . / Source / WebCore / editing / DeleteSelectionCommand.cpp
commit1484cabaf74491228042ba6ff5ae785d49308679[log] [tgz]
authorrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Sat Jun 22 04:04:23 2019 +0000
committerrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Sat Jun 22 04:04:23 2019 +0000
tree7db8c5e8d529dbf2c23cdd7a640fe8b79455aa88
parentbffeeb6175c63517ad77800f0f7cf4e26daa2052 [diff] [blame]
Nullptr crash in DeleteSelectionCommand::handleGeneralDelete
https://bugs.webkit.org/show_bug.cgi?id=199126

Reviewed by Wenson Hsieh.

Added null checks to handleGeneralDelete as well as mergeParagraphs which runs after handleGeneralDelete to be defensive.

Unfortunately no new tests since there is no reproducible test case.

* editing/DeleteSelectionCommand.cpp:
(WebCore::DeleteSelectionCommand::handleGeneralDelete):
(WebCore::DeleteSelectionCommand::mergeParagraphs):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@246706 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/WebCore/editing/DeleteSelectionCommand.cpp b/Source/WebCore/editing/DeleteSelectionCommand.cpp
index ffb96e4..68d1506 100644
--- a/Source/WebCore/editing/DeleteSelectionCommand.cpp
+++ b/Source/WebCore/editing/DeleteSelectionCommand.cpp

@@ -610,7 +610,9 @@
             }
         }
         
-        if (m_downstreamEnd.deprecatedNode() != startNode && !m_upstreamStart.deprecatedNode()->isDescendantOf(m_downstreamEnd.deprecatedNode()) && m_downstreamEnd.anchorNode()->isConnected() && m_downstreamEnd.deprecatedEditingOffset() >= caretMinOffset(*m_downstreamEnd.deprecatedNode())) {
+        if (!m_downstreamEnd.isNull() && !m_downstreamEnd.isOrphan() && m_downstreamEnd.deprecatedNode() != startNode
+            && !m_upstreamStart.deprecatedNode()->isDescendantOf(m_downstreamEnd.deprecatedNode())
+            && m_downstreamEnd.deprecatedEditingOffset() >= caretMinOffset(*m_downstreamEnd.deprecatedNode())) {
             if (m_downstreamEnd.atLastEditingPositionForNode() && !canHaveChildrenForEditing(*m_downstreamEnd.deprecatedNode())) {
                 // The node itself is fully selected, not just its contents.  Delete it.
                 removeNode(*m_downstreamEnd.deprecatedNode());
@@ -679,7 +681,7 @@
     ASSERT(!m_pruneStartBlockIfNecessary);
 
     // FIXME: Deletion should adjust selection endpoints as it removes nodes so that we never get into this state (4099839).
-    if (!m_downstreamEnd.anchorNode()->isConnected() || !m_upstreamStart.anchorNode()->isConnected())
+    if (m_downstreamEnd.isNull() || m_upstreamStart.isNull() || !m_downstreamEnd.anchorNode()->isConnected() || !m_upstreamStart.anchorNode()->isConnected())
          return;
 
     // FIXME: The deletion algorithm shouldn't let this happen.