WebContent crash in WebPage::selectWithGesture()
author jhoneycutt@apple.com <jhoneycutt@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 5 Nov 2014 20:55:23 +0000 (20:55 +0000)
committer jhoneycutt@apple.com <jhoneycutt@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 5 Nov 2014 20:55:23 +0000 (20:55 +0000)
<https://bugs.webkit.org/show_bug.cgi?id=138399>
<rdar://problem/18550631>

This crash occurs when the web process receives a "TapAndAHalf" gesture
with the "Changed" state without having received a "TapAndAHalf"
gesture with the "Began" state.

No test possible.

Reviewed by Simon Fraser.

* WebProcess/WebPage/ios/WebPageIOS.mm:
(WebKit::WebPage::selectWithGesture):
Null check m_currentWordRange before dereferencing it.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@175636 268f45cc-cd09-0410-ab3c-d52691b4dbfc
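The failure mode described above is an ordering assumption between two processes: the web process assumed that a "Changed" gesture message from the UI process is always preceded by a "Began" one, and dereferenced state that only "Began" populates. The following stand-alone C++ model, added here as an example and not WebKit's code, reproduces the shape of the fixed switch so the out-of-order sequence can be exercised directly. The names GestureState, WordRange and GestureSelector, the Ended state, and the fixed-width "word" boundaries are all invented for illustration; only the Began and Changed names and the null-check-then-break structure come from the hunk.

```cpp
// Added example (not WebKit code): a minimal model of the state handling in
// WebPage::selectWithGesture(), showing why the "Changed" case must tolerate a
// missing "Began". GestureState, WordRange, GestureSelector and the Ended state
// are assumptions made for this illustration.
#include <memory>
#include <optional>
#include <utility>

enum class GestureState { Began, Changed, Ended };

// Stand-in for a DOM Range: a [start, end) pair of text offsets.
struct WordRange {
    int start;
    int end;
};

// Stand-in for the selection state of a WebPage. The UI process drives it over
// IPC, so the web process must not assume messages arrive in the expected order.
class GestureSelector {
public:
    enum class Result { Started, Extended, Ended, IgnoredNoBegan };

    // Began records the word under the touch; Changed extends that word to the
    // new position; Ended clears the recorded word.
    Result selectWithGesture(int position, GestureState state) {
        switch (state) {
        case GestureState::Began:
            m_currentWordRange = std::make_unique<WordRange>(wordAt(position));
            m_selection = *m_currentWordRange;
            return Result::Started;
        case GestureState::Changed:
            // The guard added in r175636: without it, a "Changed" arriving
            // before any "Began" dereferences a null m_currentWordRange.
            if (!m_currentWordRange)
                return Result::IgnoredNoBegan;
            {
                WordRange range = *m_currentWordRange;
                if (position < range.start)
                    range.start = position;
                else if (position > range.end)
                    range.end = position;
                m_selection = range;
            }
            return Result::Extended;
        case GestureState::Ended:
            m_currentWordRange.reset();
            return Result::Ended;
        }
        return Result::IgnoredNoBegan;
    }

    std::optional<WordRange> selection() const { return m_selection; }

private:
    // Toy word boundaries: every word is 5 characters wide, so 12 -> [10, 15).
    static WordRange wordAt(int position) {
        int start = (position / 5) * 5;
        return { start, start + 5 };
    }

    std::unique_ptr<WordRange> m_currentWordRange;
    std::optional<WordRange> m_selection;
};

// The sequence from the bug report: "Changed" with no preceding "Began".
// With the guard this is ignored instead of dereferencing a null pointer.
bool outOfOrderChangedIsIgnored() {
    GestureSelector selector;
    return selector.selectWithGesture(12, GestureState::Changed)
            == GestureSelector::Result::IgnoredNoBegan
        && !selector.selection();
}

// The expected sequence: "Began" on the word [10, 15), then "Changed" at 23,
// which extends the end of the selection to 23.
std::pair<int, int> extendedSelection() {
    GestureSelector selector;
    selector.selectWithGesture(12, GestureState::Began);
    selector.selectWithGesture(23, GestureState::Changed);
    auto sel = *selector.selection();
    return { sel.start, sel.end };
}
```

The general point the model makes is that any per-gesture state set up by one IPC message and consumed by a later one needs a presence check at the consumer, since the sending process (or a compromised one) controls the order in which messages arrive.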

Source/WebKit2/ChangeLog
Source/WebKit2/WebProcess/WebPage/ios/WebPageIOS.mm

index 279b907..51b7631 100644 (file)
@@ -1,3 +1,22 @@
+2014-11-04  Jon Honeycutt  <jhoneycutt@apple.com>
+
+        WebContent crash in WebPage::selectWithGesture()
+
+        <https://bugs.webkit.org/show_bug.cgi?id=138399>
+        <rdar://problem/18550631>
+
+        This crash occurs when the web process receives a "TapAndAHalf" gesture
+        with the "Changed" state without having received a "TapAndAHalf"
+        gesture with the "Began" state.
+
+        No test possible.
+
+        Reviewed by Simon Fraser.
+
+        * WebProcess/WebPage/ios/WebPageIOS.mm:
+        (WebKit::WebPage::selectWithGesture):
+        Null check m_currentWordRange before dereferencing it.
+
 2014-11-05  Conrad Shultz  <conrad_shultz@apple.com>
 
         Disable action menus on page previews
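Review bot: the new ChangeLog entry is dated 2014-11-04 but it is inserted above Conrad Shultz's 2014-11-05 entry and the commit itself is dated 5 Nov 2014, so the file is no longer in newest-first order; update the date to 2014-11-05 (or whatever the intended landing date is) so the entry matches its position.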
index 4ef8cb4..44cb67b 100644 (file)
@@ -893,6 +893,8 @@ void WebPage::selectWithGesture(const IntPoint& point, uint32_t granularity, uin
             m_currentWordRange = Range::create(*frame.document(), range->startPosition(), range->endPosition());
             break;
         case GestureRecognizerState::Changed:
+            if (!m_currentWordRange)
+                break;
             range = Range::create(*frame.document(), m_currentWordRange->startPosition(), m_currentWordRange->endPosition());
             if (position < range->startPosition())
                 range->setStart(position.deepEquivalent(), ASSERT_NO_EXCEPTION);
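Review bot: the early `break` on a null m_currentWordRange in the Changed case leaves `range` with whatever value it held before the switch, so whatever follows the switch (not in this hunk) must already cope with that value; if the rest of the function uses `range` unconditionally, returning from the function here would be safer than `break`. Since the commit message treats Changed-before-Began as an ordering the web process should never see, it would also be worth recording the unexpected state (for example with a debug assertion or log) next to the guard, and checking whether the Ended case dereferences m_currentWordRange in the same way and needs the same null check.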