
Issue 694414 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Feb 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Null pointer dereference in DOMSelection::addRange()

Project Member Reported by ClusterFuzz, Feb 21 2017

Issue description

Cc: msrchandra@chromium.org yosin@chromium.org
Components: Blink>Editing
Labels: Test-Predator-Correct-CLs M-58
Owner: tkent@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: tkent
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/552ceb6deed19e86f89eb32b8fb3923217cefd7e
Time: Mon Feb 20 08:49:02 2017
File DOMSelection.cpp is changed in this cl (and is part of stack frame #3, "blink::DOMSelection::addRange")
Minimum distance from crash line to modified line: 2. (file: DOMSelection.cpp, crashed on: 632, modified: 634). 

Author: yosin
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/2090c9f72c7eebd76726965cfc7d15cb8d1cc12d
Time: Mon Feb 20 11:30:14 2017
File DOMSelection.cpp is changed in this cl (and is part of stack frame #3, "blink::DOMSelection::addRange")
Minimum distance from crash line to modified line: 34. (file: DOMSelection.cpp, crashed on: 632, modified: 666).

@tkent -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by tkent@chromium.org, Feb 22 2017

Summary: Null pointer dereference in DOMSelection::addRange() (was: Crash in get)
Hand-minimized test case:

<script>
// Replace the head's contents so the selection anchor ends up in nodes that are not rendered.
document.head.textContent = "|||||||OOOOOOOObbbb|Jq'IEEEEEEEf";
// Collapse the selection on the root element, then clone the resulting Range.
getSelection().collapse(document.documentElement);
var oRange = getSelection().getRangeAt(0).cloneRange();
// addRange() consults FrameSelection::firstRange(), which is null here -> crash before the fix.
getSelection().addRange(oRange);
</script>


Comment 3 by tkent@chromium.org, Feb 22 2017

Status: Started (was: Assigned)

Comment 4 by tkent@chromium.org, Feb 22 2017

Issue 694839 has been merged into this issue.

Comment 5 by bugdroid1@chromium.org, Feb 22 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ca0cbc0427aa4c5a60e00ce75a004e44347056eb

commit ca0cbc0427aa4c5a60e00ce75a004e44347056eb
Author: tkent <tkent@chromium.org>
Date: Wed Feb 22 09:28:03 2017

Selection API: Fix a null pointer dereference in addRange().

FrameSelection::firstRange() can be null if the cached Range points to invisible
elements.

BUG=694414

Review-Url: https://codereview.chromium.org/2707993004
Cr-Commit-Position: refs/heads/master@{#451954}

[add] https://crrev.com/ca0cbc0427aa4c5a60e00ce75a004e44347056eb/third_party/WebKit/LayoutTests/editing/selection/addrange-crash.html
[modify] https://crrev.com/ca0cbc0427aa4c5a60e00ce75a004e44347056eb/third_party/WebKit/Source/core/editing/DOMSelection.cpp
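
The commit message above describes the condition behind the crash (firstRange() returning null once the cached Range refers to invisible elements) but not the shape of the check. The following is an added illustration, not Blink's code: a small stand-in model with a hypothetical Node, Range and Selection, showing the unchecked dereference beside the null-tolerant form that addRange() needs. Names, the visibility flag and the AddRangeResult values are all assumptions made for the example.

```cpp
#include <optional>
#include <string>

// Hypothetical model (not Blink's DOMSelection/FrameSelection):
// a node that may be invisible, a Range over two nodes, and a Selection that
// caches its first Range.
struct Node {
    std::string name;
    bool visible;  // stands in for whatever state invalidates the cached Range
};

struct Range {
    const Node* start;
    const Node* end;
    bool collapsed() const { return start == end; }
};

// Which path addRange() took, so callers and tests can observe it.
enum class AddRangeResult { Adopted, KeptExisting, AdoptedNoFirstRange };

class Selection {
public:
    void collapse(const Node* node) { cached_ = Range{node, node}; }

    // Mirrors the commit message: the cached Range is only handed out while
    // both endpoints are visible; otherwise the caller receives nullptr.
    const Range* firstRange() const {
        if (!cached_) return nullptr;
        if (!cached_->start->visible || !cached_->end->visible) return nullptr;
        return &*cached_;
    }

    // 'Before' shape: firstRange() is dereferenced unconditionally. When the
    // anchor node is invisible this is the null pointer dereference from this bug.
    AddRangeResult addRangeUnchecked(const Range& range) {
        const Range* first = firstRange();
        if (first->collapsed()) {  // undefined behaviour when first == nullptr
            cached_ = range;
            return AddRangeResult::Adopted;
        }
        return AddRangeResult::KeptExisting;
    }

    // Hardened shape: a null firstRange() means "nothing usable is selected",
    // so the incoming Range is adopted instead of the pointer being followed.
    AddRangeResult addRangeChecked(const Range& range) {
        const Range* first = firstRange();
        if (!first) {
            cached_ = range;
            return AddRangeResult::AdoptedNoFirstRange;
        }
        if (first->collapsed()) {
            cached_ = range;
            return AddRangeResult::Adopted;
        }
        return AddRangeResult::KeptExisting;
    }

private:
    std::optional<Range> cached_;
};

// Replays the shape of the minimized test case against the checked path:
// collapse on an invisible node, clone a range, add it. Returns the outcome.
inline AddRangeResult replayMinimizedCase() {
    Node root{"documentElement", /*visible=*/false};  // constructed sample
    Node body{"body", /*visible=*/true};              // constructed sample
    Selection sel;
    sel.collapse(&root);
    Range cloned{&body, &body};
    return sel.addRangeChecked(cloned);
}
```

Calling replayMinimizedCase() exercises exactly the state the commit message names (a cached Range over invisible nodes, so firstRange() is null); addRangeUnchecked() would crash there, addRangeChecked() takes the AdoptedNoFirstRange branch and leaves a valid Range behind.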

Comment 7 by tkent@chromium.org, Feb 23 2017

Status: Fixed (was: Started)
