Fix crashes in ScrollingStateNode::insertChild()
author: simon.fraser@apple.com <simon.fraser@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 23 Jul 2019 19:50:17 +0000 (19:50 +0000)
committer: simon.fraser@apple.com <simon.fraser@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 23 Jul 2019 19:50:17 +0000 (19:50 +0000)
https://bugs.webkit.org/show_bug.cgi?id=200023
rdar://problem/53265378

Reviewed by Darin Adler.

Crash data suggest that ScrollingStateNode::insertChild() can be passed an index that
is larger than the size of the vector, causing crashes.

Fix defensively by falling back to append() if the passed index is equal to or larger
than the size of the children vector.

* page/scrolling/ScrollingStateNode.cpp:
(WebCore::ScrollingStateNode::insertChild):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@247734 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/page/scrolling/ScrollingStateNode.cpp

index 5b716bb..93283ad 100644 (file)
 
 2019-07-22  Simon Fraser  <simon.fraser@apple.com>
 
+        Fix crashes in ScrollingStateNode::insertChild()
+        https://bugs.webkit.org/show_bug.cgi?id=200023
+        rdar://problem/53265378
+
+        Reviewed by Darin Adler.
+
+        Crash data suggest that ScrollingStateNode::insertChild() can be passed an index that
+        is larger than the size of the vector, causing crashes.
+
+        Fix defensively by falling back to append() if the passed index is equal to or larger
+        than the size of the children vector.
+
+        * page/scrolling/ScrollingStateNode.cpp:
+        (WebCore::ScrollingStateNode::insertChild):
+
+2019-07-22  Simon Fraser  <simon.fraser@apple.com>
+
         Make some constructors explicit
         https://bugs.webkit.org/show_bug.cgi?id=199981
 
index 2e6d4d3..fbeae84 100644 (file)
@@ -116,7 +116,12 @@ void ScrollingStateNode::insertChild(Ref<ScrollingStateNode>&& childNode, size_t
         m_children = std::make_unique<Vector<RefPtr<ScrollingStateNode>>>();
     }
 
-    m_children->insert(index, WTFMove(childNode));
+    if (index > m_children->size()) {
+        ASSERT_NOT_REACHED();  // Crash data suggest we can get here.
+        m_children->append(WTFMove(childNode));
+    } else
+        m_children->insert(index, WTFMove(childNode));
+    
     setPropertyChanged(ChildNodes);
 }
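Review bot: `ASSERT_NOT_REACHED()` directly above the append() fallback means debug builds still crash on exactly the input the comment says is reachable ("Crash data suggest we can get here"), so the defensive path only ever executes in release builds and the underlying bug (a caller handing insertChild() an index past the end of m_children) stays unobserved in any build a developer runs. Consider either dropping the assert in favour of a release-visible diagnostic that records `index` and `m_children->size()`, or pairing the fallback with a follow-up bug reference in the comment so the root cause in the caller is tracked rather than silently papered over; appending a node at the wrong position in the scrolling tree will yield mis-ordered children rather than a crash, which is harder to notice. Two smaller points: the `if (index > m_children->size())` branch uses braces while the `else` branch does not, and the added line after the `else` body carries only trailing whitespace; both should be cleaned up before landing.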