Title: [282074] trunk
Revision
282074
Author
commit-qu...@webkit.org
Date
2021-09-07 00:06:26 -0700 (Tue, 07 Sep 2021)

Log Message

Nullptr crash in CSSValue::cssText() via DeleteSelectionCommand::calculateTypingStyleAfterDelete
https://bugs.webkit.org/show_bug.cgi?id=229281

Patch by Rob Buis <rb...@igalia.com> on 2021-09-07
Reviewed by Ryosuke Niwa.

Source/WebCore:

Null check the CSSValue in EditingStyle::init.

Test: editing/deleting/forward-delete-crash.html

* editing/EditingStyle.cpp:
(WebCore::EditingStyle::init):

LayoutTests:

* editing/deleting/forward-delete-crash-expected.txt: Added.
* editing/deleting/forward-delete-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (282073 => 282074)


--- trunk/LayoutTests/ChangeLog	2021-09-07 06:34:35 UTC (rev 282073)
+++ trunk/LayoutTests/ChangeLog	2021-09-07 07:06:26 UTC (rev 282074)
@@ -1,3 +1,13 @@
+2021-09-07  Rob Buis  <rb...@igalia.com>
+
+        Nullptr crash in CSSValue::cssText() via DeleteSelectionCommand::calculateTypingStyleAfterDelete
+        https://bugs.webkit.org/show_bug.cgi?id=229281
+
+        Reviewed by Ryosuke Niwa.
+
+        * editing/deleting/forward-delete-crash-expected.txt: Added.
+        * editing/deleting/forward-delete-crash.html: Added.
+
 2021-09-06  Antti Koivisto  <an...@apple.com>
 
         Add layout test for performance of adding children to a shadow host

Added: trunk/LayoutTests/editing/deleting/forward-delete-crash-expected.txt (0 => 282074)


--- trunk/LayoutTests/editing/deleting/forward-delete-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/deleting/forward-delete-crash-expected.txt	2021-09-07 07:06:26 UTC (rev 282074)
@@ -0,0 +1 @@
+Test passes if it does not crash.

Added: trunk/LayoutTests/editing/deleting/forward-delete-crash.html (0 => 282074)


--- trunk/LayoutTests/editing/deleting/forward-delete-crash.html	                        (rev 0)
+++ trunk/LayoutTests/editing/deleting/forward-delete-crash.html	2021-09-07 07:06:26 UTC (rev 282074)
@@ -0,0 +1,43 @@
+<style>
+  :last-of-type {
+    height: 1px;
+    display: block;
+  }
+@font-face {
+    font-family: "Ahem";
+    src: url("../../resources/Ahem.ttf");
+}
+</style>
+<script>
+  if (window.testRunner) {
+    window.testRunner.dumpAsText();
+    window.testRunner.waitUntilDone();
+  }
+  _onload_ = async () => {
+    document.designMode = 'on';
+    let img0 = document.createElement('img');
+    img0._onerror_ = () => {
+      document.execCommand('ForwardDelete');
+      setTimeout(function() { window.testRunner.notifyDone(); }, 0);
+      document.write("Test passes if it does not crash.");
+    };
+    let datalist0 = document.createElement('datalist');
+    document.head.appendChild(datalist0);
+    document.head.appendChild(document.createElement('datalist'));
+    img0.src = '';
+    let embed0 = document.createElement('embed');
+    embed0.src = '';
+    datalist0.appendChild(embed0);
+    if (navigator.platform.indexOf('Mac') == 0 && window.caches)
+      await caches.has('a');
+    else
+      await document.fonts.load("80px Ahem");
+    img0.src = '';
+    getSelection().selectAllChildren(datalist0);
+    if (navigator.platform.indexOf('Mac') == 0 && window.caches)
+      await caches.has('a');
+    else
+      await document.fonts.load("80px Ahem");
+    document.execCommand('Delete');
+  };
+</script>
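Review bot: the onerror handler calls window.testRunner.notifyDone() without a guard, while the block at the top of the script checks `if (window.testRunner)` first; opened in a plain browser, the handler throws a TypeError before document.write runs, so either guard the call the same way or drop the top-level guard for consistency. As rendered here the handler identifiers read `_onload_` and `_onerror_`; if those underscores are literal rather than a rendering artifact of onload/onerror, the assignments only create unused globals and the test body never executes, so it is worth confirming the checked-in file uses the plain property names. A one-line comment on why the Mac branch awaits `caches.has('a')` while other platforms await `document.fonts.load("80px Ahem")` would also help, since the choice of await is otherwise unexplained.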

Modified: trunk/Source/WebCore/ChangeLog (282073 => 282074)


--- trunk/Source/WebCore/ChangeLog	2021-09-07 06:34:35 UTC (rev 282073)
+++ trunk/Source/WebCore/ChangeLog	2021-09-07 07:06:26 UTC (rev 282074)
@@ -1,3 +1,17 @@
+2021-09-07  Rob Buis  <rb...@igalia.com>
+
+        Nullptr crash in CSSValue::cssText() via DeleteSelectionCommand::calculateTypingStyleAfterDelete
+        https://bugs.webkit.org/show_bug.cgi?id=229281
+
+        Reviewed by Ryosuke Niwa.
+
+        Null check the CSSValue in EditingStyle::init.
+
+        Test: editing/deleting/forward-delete-crash.html
+
+        * editing/EditingStyle.cpp:
+        (WebCore::EditingStyle::init):
+
 2021-09-06  Alan Bujtas  <za...@apple.com>
 
         [LFC][Integration] Remove redundant NonRootInlineBox

Modified: trunk/Source/WebCore/editing/EditingStyle.cpp (282073 => 282074)


--- trunk/Source/WebCore/editing/EditingStyle.cpp	2021-09-07 06:34:35 UTC (rev 282073)
+++ trunk/Source/WebCore/editing/EditingStyle.cpp	2021-09-07 07:06:26 UTC (rev 282074)
@@ -477,8 +477,10 @@
     if (node && node->computedStyle()) {
         auto* renderStyle = node->computedStyle();
         removeTextFillAndStrokeColorsIfNeeded(renderStyle);
-        if (renderStyle->fontDescription().keywordSize())
-            m_mutableStyle->setProperty(CSSPropertyFontSize, computedStyleAtPosition.getFontSizeCSSValuePreferringKeyword()->cssText());
+        if (renderStyle->fontDescription().keywordSize()) {
+            if (auto cssValue = computedStyleAtPosition.getFontSizeCSSValuePreferringKeyword())
+                m_mutableStyle->setProperty(CSSPropertyFontSize, cssValue->cssText());
+        }
     }
 
     m_shouldUseFixedDefaultFontSize = computedStyleAtPosition.useFixedFontDefaultSize();
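Review bot: the nested null check removes the dereference, but it now silently skips setting CSSPropertyFontSize whenever getFontSizeCSSValuePreferringKeyword() returns null, even though the outer `keywordSize()` condition suggests a keyword value should exist; a short comment stating under which conditions the value can be null would help readers understand that the property is intentionally left unset rather than that a case was missed. Consider also spelling out the deduced type, e.g. `if (RefPtr cssValue = ...)`, so the ownership of the returned value is visible at the call site.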
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
