Null deref under TextIndicator::createWithSelectionInFrame using find-in-page on...
author: timothy_horton@apple.com <timothy_horton@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 2 Dec 2014 01:29:43 +0000 (01:29 +0000)
committer: timothy_horton@apple.com <timothy_horton@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 2 Dec 2014 01:29:43 +0000 (01:29 +0000)
https://bugs.webkit.org/show_bug.cgi?id=139164
<rdar://problem/19107247>

Reviewed by Beth Dakin.

* page/TextIndicator.cpp:
(WebCore::TextIndicator::createWithSelectionInFrame):
Null-check the ImageBuffer in addition to the Image.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@176617 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/page/TextIndicator.cpp

index 27f432c013f4ea9e55e93704b3e9e86a8e152dbb..49565f708a3b3cdda7f7754b688d218e409fcf96 100644 (file)
@@ -1,3 +1,15 @@
+2014-12-01  Tim Horton  <timothy_horton@apple.com>
+
+        Null deref under TextIndicator::createWithSelectionInFrame using find-in-page on bugzilla
+        https://bugs.webkit.org/show_bug.cgi?id=139164
+        <rdar://problem/19107247>
+
+        Reviewed by Beth Dakin.
+
+        * page/TextIndicator.cpp:
+        (WebCore::TextIndicator::createWithSelectionInFrame):
+        Null-check the ImageBuffer in addition to the Image.
+
 2014-12-01  Anders Carlsson  <andersca@apple.com>
 
         Remove IWebCookieManager on Windows
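Review bot: the new ChangeLog entry records neither a test nor a "No new tests" line with a reason, which the WebKit ChangeLog convention expects; since the bug was reproduced with find-in-page on bugzilla, either name the regression test that exercises the null ImageBuffer path or state why the crash is not testable from a layout test.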
index 49e5f7e1eb33f873f05975ffa7e7c7592d977d35..befa96908870dd15ef0e828ba4cee6a3d30bfa96 100644 (file)
@@ -133,7 +133,10 @@ static PassRefPtr<Image> snapshotSelectionWithHighlight(Frame& frame)
 PassRefPtr<TextIndicator> TextIndicator::createWithSelectionInFrame(Frame& frame, TextIndicatorPresentationTransition presentationTransition)
 {
     IntRect selectionRect = enclosingIntRect(frame.selection().selectionBounds());
-    RefPtr<Image> indicatorBitmap = snapshotSelection(frame, SnapshotOptionsForceBlackText)->copyImage(CopyBackingStore, Unscaled);
+    std::unique_ptr<ImageBuffer> indicatorBuffer = snapshotSelection(frame, SnapshotOptionsForceBlackText);
+    if (!indicatorBuffer)
+        return nullptr;
+    RefPtr<Image> indicatorBitmap = indicatorBuffer->copyImage(CopyBackingStore, Unscaled);
     if (!indicatorBitmap)
         return nullptr;
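Review bot: the early return on a null `indicatorBuffer` is the right fix for the old chained call `snapshotSelection(...)->copyImage(...)`, which dereferenced the result unconditionally, but the hunk leaves it implicit when `snapshotSelection()` can hand back a null `std::unique_ptr<ImageBuffer>`; add a one-line comment above `if (!indicatorBuffer)` naming that condition so a later reader does not fold the check away as redundant with the `if (!indicatorBitmap)` check that follows. Returning `nullptr` here is consistent with the existing null-bitmap path, so callers need no new handling.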