Crash inside firstPositionInNode in checkLoadCompleteForThisFrame

https://bugs.webkit.org/show_bug.cgi?id=158724 Reviewed by Alex Christensen. Added null checks for document and document element since they could be nullptr here. * loader/FrameLoader.cpp: (WebCore::FrameLoader::checkLoadCompleteForThisFrame): Canonical link: https://commits.webkit.org/176814@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@202035 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Jun 14, 2016 · 4759e3c · 4759e3c
1 parent 8906ced
commit 4759e3c
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 7 deletions.
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,15 @@
+2016-06-14  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Crash inside firstPositionInNode in checkLoadCompleteForThisFrame
+        https://bugs.webkit.org/show_bug.cgi?id=158724
+
+        Reviewed by Alex Christensen.
+
+        Added null checks for document and document element since they could be nullptr here.
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::checkLoadCompleteForThisFrame):
+
 2016-06-13  Gavin & Ellie Barraclough  <barraclough@apple.com>
 
         Remove hasStaticPropertyTable (part 3: JSLocation::putDelegate)

diff --git a/Source/WebCore/loader/FrameLoader.cpp b/Source/WebCore/loader/FrameLoader.cpp
@@ -2310,20 +2310,25 @@ void FrameLoader::checkLoadCompleteForThisFrame()
             } else {
                 FRAMELOADER_LOG_ALWAYS("Finished frame load without error, frame = %p, main = %d", &m_frame, m_frame.isMainFrame());
 #if ENABLE(DATA_DETECTION)
-                if (m_frame.settings().dataDetectorTypes() != DataDetectorTypeNone) {
-                    RefPtr<Range> documentRange = makeRange(firstPositionInNode(m_frame.document()->documentElement()), lastPositionInNode(m_frame.document()->documentElement()));
-                    m_frame.setDataDetectionResults(DataDetection::detectContentInRange(documentRange, m_frame.settings().dataDetectorTypes()));
-                    if (m_frame.isMainFrame())
-                        m_client.dispatchDidFinishDataDetection(m_frame.dataDetectionResults());
+                auto* document = m_frame.document();
+                if (m_frame.settings().dataDetectorTypes() != DataDetectorTypeNone && document) {
+                    if (auto* documentElement = document->documentElement()) {
+                        RefPtr<Range> documentRange = makeRange(firstPositionInNode(documentElement), lastPositionInNode(documentElement));
+                        m_frame.setDataDetectionResults(DataDetection::detectContentInRange(documentRange, m_frame.settings().dataDetectorTypes()));
+                        if (m_frame.isMainFrame())
+                            m_client.dispatchDidFinishDataDetection(m_frame.dataDetectionResults());
+                    }
                 }
 #endif
                 m_client.dispatchDidFinishLoad();
                 loadingEvent = AXObjectCache::AXLoadingFinished;
             }
 
             // Notify accessibility.
-            if (AXObjectCache* cache = m_frame.document()->existingAXObjectCache())
-                cache->frameLoadingEventNotification(&m_frame, loadingEvent);
+            if (auto* document = m_frame.document()) {
+                if (AXObjectCache* cache = document->existingAXObjectCache())
+                    cache->frameLoadingEventNotification(&m_frame, loadingEvent);
+            }
 
             // The above calls to dispatchDidFinishLoad() might have detached the Frame
             // from its Page and also might have caused Page to be deleted.