[webkit-reviews] review granted: [Bug 200023] Fix crashes in ScrollingStateNode::insertChild() : [Attachment 374662] Patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jul 22 18:52:37 PDT 2019


Darin Adler <darin at apple.com> has granted Simon Fraser (smfr)
<simon.fraser at apple.com>'s request for review:
Bug 200023: Fix crashes in ScrollingStateNode::insertChild()
https://bugs.webkit.org/show_bug.cgi?id=200023

Attachment 374662: Patch

https://bugs.webkit.org/attachment.cgi?id=374662&action=review
--- Comment #3 from Darin Adler <darin at apple.com> ---
Comment on attachment 374662
  --> https://bugs.webkit.org/attachment.cgi?id=374662
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=374662&action=review

> Source/WebCore/ChangeLog:13
> +	   Crash data suggest that ScrollingStateNode::insertChild() can be
passed an index that
> +	   is larger than the size of the vector, causing crashes.
> +
> +	   Fix defensively by falling back to append() if the passed index is
equal to or larger
> +	   than the size of the children vector.

Is there a reason we don’t do this inside the insert function instead? Are
there other call sites where we want the stricter behavior?

What about asserting the index is valid, even if we prevent the crash in such
cases? That could help us some day understand how this happens if we reproduce
in a build with assertions on.
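
The two points raised above, a defensive fallback to append plus an assertion that still flags the bad index, can be shown together. The following is an added illustration, not WebKit's code or the patch under review: it uses a plain std::vector of hypothetical node ids in place of WTF::Vector, and a counting DEFENSIVE_ASSERT macro as a stand-in for the project's ASSERT so that both the release-build behaviour (no crash, append) and the assertion-build behaviour (the invalid index is reported) are observable in one run.

```cpp
#include <cstddef>
#include <iostream>
#include <vector>

// Hypothetical stand-in for a scrolling-tree node id; the real class holds
// node references. Constructed for this example.
using NodeId = int;

// Stand-in for a debug-build ASSERT: instead of aborting, it counts failures so
// the example can demonstrate that an out-of-range index is still flagged as a
// bug even though the code no longer crashes on it.
static unsigned g_assertionFailures = 0;
#define DEFENSIVE_ASSERT(cond)                         \
    do {                                               \
        if (!(cond))                                   \
            ++g_assertionFailures;                     \
    } while (0)

// Inserts `child` at `index`, returning the position it actually landed in.
// index == children.size() is a legitimate "insert at end" and is not flagged.
// Any larger index is a caller bug: it is reported through the assertion and
// then handled by appending, mirroring the defensive fix the ChangeLog describes.
inline std::size_t insertChildDefensively(std::vector<NodeId>& children, NodeId child, std::size_t index)
{
    DEFENSIVE_ASSERT(index <= children.size() && "insertChild called with index past the end");

    if (index >= children.size()) {
        // Falling back to append avoids forming an iterator beyond end(),
        // which is undefined behaviour for std::vector::insert.
        children.push_back(child);
        return children.size() - 1;
    }

    children.insert(children.begin() + static_cast<std::ptrdiff_t>(index), child);
    return index;
}

int main()
{
    std::vector<NodeId> children { 1, 2, 3 }; // constructed sample children

    insertChildDefensively(children, 9, 1);   // in range: {1, 9, 2, 3}
    insertChildDefensively(children, 7, 4);   // index == size: valid append
    insertChildDefensively(children, 5, 100); // past the end: appended, assertion counted

    for (NodeId id : children)
        std::cout << id << ' ';
    std::cout << "\nassertion failures: " << g_assertionFailures << '\n';
    return 0;
}
```

In a real build the counting macro would be the project's ASSERT, so an assertion-enabled build stops at the offending caller while a release build takes the append path silently.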