1. 18 Aug, 2010 1 commit
    • 2010-08-18 Adam Barth <abarth@webkit.org> · 74cef0e9
              Reviewed by Adele Peterson.
      
              Null dereference in DOMSelection::deleteFromDocument
              https://bugs.webkit.org/show_bug.cgi?id=44153
      
              deleteFromDocument checks selection->isNone() before calling
              selection->selection().toNormalizedRange(), but toNormalizedRange()
              notes that it needs to updateLayout(), which can make the selection
              isNone() again.  In that case, we crash on a NULL pointer in
              deleteFromDocument.  I don't know how to trigger that situation in a
              test, but cross_fuzz was able to hit it, so we should fix it.
      
              * page/DOMSelection.cpp:
              (WebCore::DOMSelection::deleteFromDocument):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@65587 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  2. 17 Aug, 2010 39 commits