[Webkit-unassigned] [Bug 118847] New: Crash in WebCore::createMarkup()
bugzilla-daemon at webkit.org
Thu Jul 18 06:07:55 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=118847
Summary: Crash in WebCore::createMarkup()
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Layout and Rendering
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: graouts at apple.com
CC: webkit-bug-importer at group.apple.com
We're getting reports of a crash in WebCore::createMarkup(). This is due to code introduced in http://trac.webkit.org/changeset/144995
Index: Source/WebCore/editing/markup.cpp
===================================================================
--- Source/WebCore/editing/markup.cpp (revision 144994)
+++ Source/WebCore/editing/markup.cpp (revision 144995)
...
@@ -522,7 +523,7 @@
Node* checkAncestor = specialCommonAncestor ? specialCommonAncestor : commonAncestor;
if (checkAncestor->renderer()) {
- Node* newSpecialCommonAncestor = highestEnclosingNodeOfType(firstPositionInNode(checkAncestor), &isElementPresentational);
+ Node* newSpecialCommonAncestor = highestEnclosingNodeOfType(firstPositionInNode(checkAncestor), &isElementPresentational, CanCrossEditingBoundary, checkAncestor->renderer()->containingBlock()->node());
if (newSpecialCommonAncestor)
specialCommonAncestor = newSpecialCommonAncestor;
}
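Review bot: the new last argument on the `+` line, `checkAncestor->renderer()->containingBlock()->node()`, dereferences the return value of `containingBlock()` with no null check; the enclosing `if (checkAncestor->renderer())` only establishes that the renderer exists, not that it has a containing block, so a null return there is a null-pointer dereference. Hoist the call into a local and pass a null stop node when it is absent, e.g. `RenderBlock* containingBlock = checkAncestor->renderer()->containingBlock();` followed by `containingBlock ? containingBlock->node() : 0` as the argument, or, if the presentational-ancestor search should simply be skipped in that case, widen the guard to `if (checkAncestor->renderer() && checkAncestor->renderer()->containingBlock())`. A short comment on why the containing block is the right boundary for `highestEnclosingNodeOfType` would also help the next reader.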
The containingBlock() call in the last argument of the new method signature can potentially be null and thus calling node() on it may result in a crash.
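As an added example (not WebKit's code and not part of the bug report above), the following simplified C++ model reproduces the condition the report describes: a node's renderer may have no containing block, so the expression `renderer()->containingBlock()->node()` dereferences null, while the guarded form hoists the nullable pointer into a local and checks it. The class and method names are modelled on WebKit's, but their bodies, the three-element render tree and the helper `checkedStopNodeName` are assumptions made for illustration only.

```cpp
#include <cstdio>
#include <cstring>

// Simplified model (assumption, not WebKit's implementation) of the part of the
// render tree involved in the crash: a DOM Node may own a RenderObject, and
// RenderObject::containingBlock() climbs to the nearest block-level ancestor.
struct Node;
struct RenderBlock;

struct RenderObject {
    RenderObject* parentRenderer = nullptr;
    Node* ownerNode = nullptr;
    bool isRenderBlock = false;

    // Walk up to the nearest ancestor that is a block. Returns null when there
    // is none, which is the case for the root of the tree (it has no parent).
    RenderBlock* containingBlock() const;
    Node* node() const { return ownerNode; }
};

struct RenderBlock : RenderObject {
    RenderBlock() { isRenderBlock = true; }
};

RenderBlock* RenderObject::containingBlock() const {
    RenderObject* o = parentRenderer;
    while (o && !o->isRenderBlock)
        o = o->parentRenderer;
    return static_cast<RenderBlock*>(o);
}

struct Node {
    const char* name;
    RenderObject* rendererPtr = nullptr;
    explicit Node(const char* n) : name(n) {}
    RenderObject* renderer() const { return rendererPtr; }
};

// Same shape as the expression the report points at: containingBlock() is
// dereferenced unconditionally. For a node whose renderer has no containing
// block this is a null-pointer dereference (undefined behaviour), so it is
// never called on such a node below.
Node* stopNodeUnchecked(Node* checkAncestor) {
    return checkAncestor->renderer()->containingBlock()->node();
}

// Guarded form: keep the nullable pointer in a local and dereference it only
// when non-null, falling back to "no stop node".
Node* stopNodeChecked(Node* checkAncestor) {
    if (!checkAncestor->renderer())
        return nullptr;
    RenderBlock* block = checkAncestor->renderer()->containingBlock();
    return block ? block->node() : nullptr;
}

// Constructed render tree: html (block, root) > body (block) > span (inline).
struct Fixture {
    Node html{"html"}, body{"body"}, span{"span"};
    RenderBlock htmlRenderer, bodyRenderer;
    RenderObject spanRenderer;

    Fixture() {
        htmlRenderer.ownerNode = &html; html.rendererPtr = &htmlRenderer;
        bodyRenderer.ownerNode = &body; body.rendererPtr = &bodyRenderer;
        spanRenderer.ownerNode = &span; span.rendererPtr = &spanRenderer;
        bodyRenderer.parentRenderer = &htmlRenderer;
        spanRenderer.parentRenderer = &bodyRenderer;
    }
};

// Name of the stop node the guarded helper yields for a fixture element,
// "(none)" when the element's renderer has no containing block, or
// "(unknown)" for an element that is not in the fixture.
const char* checkedStopNodeName(const char* element) {
    Fixture f;
    Node* candidates[] = { &f.html, &f.body, &f.span };
    Node* target = nullptr;
    for (Node* n : candidates)
        if (std::strcmp(n->name, element) == 0)
            target = n;
    if (!target)
        return "(unknown)";
    Node* stop = stopNodeChecked(target);
    return stop ? stop->name : "(none)";
}

int main() {
    // The root element is exactly the case where the unchecked form crashes.
    std::printf("span -> %s\n", checkedStopNodeName("span"));
    std::printf("body -> %s\n", checkedStopNodeName("body"));
    std::printf("html -> %s\n", checkedStopNodeName("html"));
    return 0;
}
```

The inline `span` resolves to `body`, `body` resolves to `html`, and the root `html` has no containing block: the guarded helper reports "(none)" where `stopNodeUnchecked` would dereference null.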