NULL ptr in WebCore::RenderSVGInlineText::localCaretRect

https://bugs.webkit.org/show_bug.cgi?id=75851

Patch by Stephen Chenney <schenney@chromium.org> on 2012-01-17
Reviewed by Ryosuke Niwa.

.:

Added a check for null box in localCaretRect, to match test in other
implementations. Adding a manual test because the crash is not
reproducible in DRT.

* ManualTests/svg-modify-deleted-selection.svg: Added.

Source/WebCore:

Added a check for null box in localCaretRect, to match test in other
implementations. Adding a manual test because the crash is not reproducible
in DRT.

Test: ManualTests/svg-modify-deleted-selection.svg

* rendering/svg/RenderSVGInlineText.cpp:
(WebCore::RenderSVGInlineText::localCaretRect):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@105224 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/ChangeLog b/ChangeLog
index 793f8fd..4ad22de 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,16 @@
+2012-01-17  Stephen Chenney  <schenney@chromium.org>
+
+        NULL ptr in WebCore::RenderSVGInlineText::localCaretRect
+        https://bugs.webkit.org/show_bug.cgi?id=75851
+
+        Reviewed by Ryosuke Niwa.
+
+        Added a check for null box in localCaretRect, to match test in other
+        implementations. Adding a manual test because the crash is not
+        reproducible in DRT.
+
+        * ManualTests/svg-modify-deleted-selection.svg: Added.
+
 2012-01-17  Raul Hudea  <rhudea@adobe.com>
 
         Move tests out of WebCore/manual-tests to toplevel ManualTests.

diff --git a/ManualTests/svg-modify-deleted-selection.svg b/ManualTests/svg-modify-deleted-selection.svg
new file mode 100644 (file)
index 0000000..a04aec3
--- /dev/null
+++ b/ManualTests/svg-modify-deleted-selection.svg
@@ -0,0 +1,16 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+<style>
+  * {
+    border-top-style: inset
+  }
+</style>
+<script>
+  window.onclick=function() {
+    getSelection().setBaseAndExtent(document,5,document,5);
+    getSelection().deleteFromDocument();
+    getSelection().modify('extend','backward','line');
+  }
+</script>
+<text y="50" fill="green" font-size="20">Test passes if no crash on mouse click. Text may be highlighted.</text>
+<text> 1 </text>
+</svg>

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 5c5968f..6b98a2d 100644 (file)
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2012-01-17  Stephen Chenney  <schenney@chromium.org>
+
+        NULL ptr in WebCore::RenderSVGInlineText::localCaretRect
+        https://bugs.webkit.org/show_bug.cgi?id=75851
+
+        Reviewed by Ryosuke Niwa.
+
+        Added a check for null box in localCaretRect, to match test in other
+        implementations. Adding a manual test because the crash is not reproducible
+        in DRT.
+
+        Test: ManualTests/svg-modify-deleted-selection.svg
+
+        * rendering/svg/RenderSVGInlineText.cpp:
+        (WebCore::RenderSVGInlineText::localCaretRect):
+
 2012-01-17  Caio Marcelo de Oliveira Filho  <caio.oliveira@openbossa.org>
 
         Uint8ClampedArray support

diff --git a/Source/WebCore/rendering/svg/RenderSVGInlineText.cpp b/Source/WebCore/rendering/svg/RenderSVGInlineText.cpp
index 224a49d..74facc3 100644 (file)
--- a/Source/WebCore/rendering/svg/RenderSVGInlineText.cpp
+++ b/Source/WebCore/rendering/svg/RenderSVGInlineText.cpp
@@ -138,7 +138,7 @@ InlineTextBox* RenderSVGInlineText::createTextBox()
 
 LayoutRect RenderSVGInlineText::localCaretRect(InlineBox* box, int caretOffset, LayoutUnit*)
 {
-    if (!box->isInlineTextBox())
+    if (!box || !box->isInlineTextBox())
         return LayoutRect();
 
     InlineTextBox* textBox = static_cast<InlineTextBox*>(box);