From b3a6cfc28a47a254fba9d902d29bbb0a4917b039 Mon Sep 17 00:00:00 2001
From: "oliver@apple.com"
Date: Sun, 20 Jul 2008 21:31:49 +0000
Subject: [PATCH] Bug 19757: Crash when an ondragstart handler hides the element
Reviewed by Dan Bernstein.
The solution to this is problem is just to null check the renderer immediately before launching the system drag, and terminate the drag if the renderer is gone.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@35256 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
 WebCore/ChangeLog | 14 ++++++++++++++
 WebCore/page/EventHandler.cpp | 16 ++++++++++++----
 2 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 040bea1..a6e3b55 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2008-07-20 Oliver Hunt
+
+ Reviewed by Dan Bernstein.
+
+ Bug 19757: Crash when an ondragstart handler hides the element
+
+
+ The solution to this is problem is just to null check the renderer
+ immediately before launching the system drag, and terminate the
+ drag if the renderer is gone.
+
+ * page/EventHandler.cpp:
+ (WebCore::EventHandler::handleDrag):
+
 2008-07-20 Nikolas Zimmermann
 Reviewed by Oliver.
diff --git a/WebCore/page/EventHandler.cpp b/WebCore/page/EventHandler.cpp
index 459fda6..5e8c4a6 100644
--- a/WebCore/page/EventHandler.cpp
+++ b/WebCore/page/EventHandler.cpp
@@ -1860,9 +1860,16 @@ bool EventHandler::handleDrag(const MouseEventWithHitTestResults& event)
 // image and offset
 if (dragState().m_dragSrcIsDHTML) {
 int srcX, srcY;
- dragState().m_dragSrc->renderer()->absolutePosition(srcX, srcY);
- IntSize delta = m_mouseDownPos - IntPoint(srcX, srcY);
- dragState().m_dragClipboard->setDragImageElement(dragState().m_dragSrc.get(), IntPoint() + delta);
+ if (RenderObject* renderer = dragState().m_dragSrc->renderer()) {
+ renderer->absolutePosition(srcX, srcY);
+ IntSize delta = m_mouseDownPos - IntPoint(srcX, srcY);
+ dragState().m_dragClipboard->setDragImageElement(dragState().m_dragSrc.get(), IntPoint() + delta);
+ } else {
+ // The renderer has disappeared, this can happen if the onStartDrag handler has hidden
+ // the element in some way. In this case we just kill the drag.
+ m_mouseDownMayStartDrag = false;
+ goto cleanupDrag;
+ }
 }
 m_mouseDownMayStartDrag = dispatchDragSrcEvent(dragstartEvent, m_mouseDown)
@@ -1892,7 +1899,8 @@ bool EventHandler::handleDrag(const MouseEventWithHitTestResults& event)
 m_mouseDownMayStartDrag = false;
 }
 }
-
+
+cleanupDrag:
 if (!m_mouseDownMayStartDrag) {
 // something failed to start the drag, cleanup
 freeClipboard();
-- 
1.8.3.1
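Review bot: The null check added in the `m_dragSrcIsDHTML` branch runs before `dispatchDragSrcEvent(dragstartEvent, m_mouseDown)` on the context line that follows it, so the ondragstart script named in the commit message has not run yet when the check is made; any later read of `dragState().m_dragSrc->renderer()` in handleDrag (the system-drag launch after this hunk, which is not shown here) can still see a null renderer if that handler hides or detaches the element. A second check right after the dispatch, e.g. `if (m_mouseDownMayStartDrag && !dragState().m_dragSrc->renderer()) m_mouseDownMayStartDrag = false;`, would cover that path without another `goto`. The `goto cleanupDrag` jumps forward over the stretch between the two hunks, which is not visible; if nothing there has to be skipped besides the dispatch assignment (which would otherwise overwrite the `false` just stored), guarding that assignment with `if (m_mouseDownMayStartDrag)` avoids the label entirely. The new comment also names the wrong handler, since the event dispatched here is `dragstartEvent`; it should read `// The renderer has disappeared; this can happen if the ondragstart handler hid the element.` handleDrag begins and ends outside the hunk.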