Git commit 34a28720abd48b5029067af4aaa9bcfbcd6df4e2 by Maks Orlovich. Committed on 06/02/2011 at 16:52. Pushed by orlovich into branch 'master'. Add some missing null pointer checks spotted by crossfuzz CCBUG: 262040 M +1 -1 khtml/ecma/kjs_dom.cpp M +2 -2 khtml/ecma/kjs_range.cpp M +1 -1 khtml/ecma/kjs_traversal.cpp M +5 -0 khtml/xml/dom2_rangeimpl.cpp M +1 -1 khtml/xml/dom_elementimpl.cpp http://commits.kde.org/kdelibs/34a28720abd48b5029067af4aaa9bcfbcd6df4e2
diff --git a/khtml/ecma/kjs_dom.cpp b/khtml/ecma/kjs_dom.cpp
index b91a740..4fc2df7 100644
--- a/khtml/ecma/kjs_dom.cpp
+++ b/khtml/ecma/kjs_dom.cpp
@@ -1131,7 +1131,7 @@ JSValue* DOMDocumentProtoFunc::callAsFunction(ExecState *exec, JSObject *thisObj
 return getDOMEvent(exec,doc.createEvent(s, exception));
 case DOMDocument::GetOverrideStyle: {
 DOM::NodeImpl* arg0 = toNode(args[0]);
- if (!arg0->isElementNode())
+ if (!arg0 || !arg0->isElementNode())
 return jsUndefined(); // throw exception?
 else
 return getDOMCSSStyleDeclaration(exec,doc.getOverrideStyle(static_cast(arg0),args[1]->toString(exec).domString().implementation()));
diff --git a/khtml/ecma/kjs_range.cpp b/khtml/ecma/kjs_range.cpp
index 390f323..dc9840f 100644
--- a/khtml/ecma/kjs_range.cpp
+++ b/khtml/ecma/kjs_range.cpp
@@ -332,7 +332,7 @@ JSValue* DOMSelectionProtoFunc::callAsFunction(ExecState *exec, JSObject *thisOb
 case DOMSelection::Collapsed: {
 DOM::NodeImpl* node = toNode(args[0]);
 int offset = args[1]->toInt32(exec);
- if (node->document() == self->m_document)
+ if (node && node->document() == self->m_document)
 self->m_document->part()->setCaret(DOM::Selection(DOM::Position(node, offset)));
 else
 setDOMException(exec, DOMException::WRONG_DOCUMENT_ERR);
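Review bot: The new `!arg0` test in the GetOverrideStyle case stops a non-node argument from being dereferenced, but the case then answers `undefined` silently while the `// throw exception?` remark on the same line is left unresolved; the DOMSelection cases in kjs_range.cpp from this same commit report an equally bad argument through setDOMException, so the two bindings now diverge on how script learns that its argument was rejected. Either pick one convention across the commit or replace the question with a statement of intent, e.g. `// non-node or non-element argument: answer undefined rather than throwing`. The enclosing callAsFunction starts and ends outside the hunk.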
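Review bot: With the added `node &&` guard a null `node`, which is what toNode yields for a non-node argument, now lands in the `else` branch and is reported as WRONG_DOCUMENT_ERR, a code meant for a node that belongs to a different document, so script gets a misleading error for what is a type problem; the SelectAllChildren hunk at -359 makes the same mapping. A separate early `if (!node)` that raises a type-mismatch style exception, or a comment stating that the conflation is deliberate, would make the behaviour explicit. `offset` is also handed to DOM::Position with no visible range check here; whether Position validates it against the node is outside the hunk and worth confirming given the fuzzing origin of this fix. callAsFunction starts and ends outside the hunk.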
@@ -359,7 +359,7 @@ JSValue* DOMSelectionProtoFunc::callAsFunction(ExecState *exec, JSObject *thisOb
 case DOMSelection::SelectAllChildren: {
 DOM::NodeImpl* node = toNode(args[0]);
- if (node->document() == self->m_document) {
+ if (node && node->document() == self->m_document) {
 DOM::RangeImpl* range = new DOM::RangeImpl(self->m_document);
 range->selectNodeContents(node, exception);
 self->m_document->part()->setCaret(DOM::Selection(DOM::Range(range)));
diff --git a/khtml/ecma/kjs_traversal.cpp b/khtml/ecma/kjs_traversal.cpp
index a315d9f..5f37658 100644
--- a/khtml/ecma/kjs_traversal.cpp
+++ b/khtml/ecma/kjs_traversal.cpp
@@ -294,7 +294,7 @@ DOM::NodeFilterImpl* KJS::toNodeFilter(JSValue *val)
 JSValue *KJS::getDOMNodeFilter(ExecState *exec, DOM::NodeFilterImpl* nf)
 {
 Q_UNUSED(exec);
- if (nf->isJSFilter()) {
+ if (nf && nf->isJSFilter()) {
 return static_cast(nf)->filter();
 }
diff --git a/khtml/xml/dom2_rangeimpl.cpp b/khtml/xml/dom2_rangeimpl.cpp
index 2a09db7..1a555e1 100644
--- a/khtml/xml/dom2_rangeimpl.cpp
+++ b/khtml/xml/dom2_rangeimpl.cpp
@@ -723,6 +723,11 @@ void RangeImpl::insertNode( NodeImpl *newNode, int &exceptioncode )
 exceptioncode = DOMException::INVALID_STATE_ERR;
 return;
 }
+
+ if (!newNode) {
+ exceptioncode = DOMException::NOT_FOUND_ERR;
+ return;
+ }
 // NO_MODIFICATION_ALLOWED_ERR: Raised if an ancestor container of either boundary-point of
 // the Range is read-only.
diff --git a/khtml/xml/dom_elementimpl.cpp b/khtml/xml/dom_elementimpl.cpp
index a576f97..2a90072 100644
--- a/khtml/xml/dom_elementimpl.cpp
+++ b/khtml/xml/dom_elementimpl.cpp
@@ -1481,7 +1481,7 @@ Node NamedAttrMapImpl::removeNamedItem(NodeImpl::Id id, const PrefixName& prefix
 Node NamedAttrMapImpl::setNamedItem(NodeImpl* arg, const PrefixName& prefix, bool nsAware, int &exceptioncode )
 {
- if (!m_element) {
+ if (!m_element || !arg) {
 exceptioncode = DOMException::NOT_FOUND_ERR;
 return 0;
 }
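Review bot: `range->selectNodeContents(node, exception)` can set `exception`, yet the caret is installed from that range on the very next line regardless; if the function does not bail out on `exception` before returning (that code is outside the hunk), a range that failed to select still becomes the document selection. Keeping the DOM::Range wrapper in a local so the range's lifetime handling is unchanged and then guarding the call, `if (!exception) self->m_document->part()->setCaret(DOM::Selection(wrapper));`, would keep the failure visible to script without leaving a stale selection behind. The mapping of a null node to WRONG_DOCUMENT_ERR is covered in the note on the -332 hunk.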
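Review bot: A null `nf` now skips the JS-filter branch and falls through to whatever follows the closing brace, which is outside the hunk; if that path wraps `nf` without its own null check, the crash only moves a few lines down, so the remainder of getDOMNodeFilter should be confirmed to tolerate null or return a null JS value there explicitly. A comment above the guard would record the new contract, e.g. `// nf may be null; the non-JS path below must cope with that too`.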
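Review bot: The new `!newNode` block in insertNode reuses NOT_FOUND_ERR for a null argument, and setNamedItem in the dom_elementimpl.cpp hunk does the same with `!arg`, but unlike the NO_MODIFICATION_ALLOWED_ERR check that follows it, the new block carries no `// CODE: Raised if …` comment, so a reader cannot tell whether NOT_FOUND_ERR was chosen deliberately or merely as the nearest available code. Add a comment in the file's existing style above it, e.g. `// NOT_FOUND_ERR: there is no node to insert (newNode is null)`, and the matching one in setNamedItem. The check also sits after the detached-range test, so a null node on a detached range reports INVALID_STATE_ERR first; that ordering is reasonable but is now observable and worth a word in the same comment. insertNode starts outside the hunk (its signature is only visible in the hunk header) and continues past it.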