Revision: 238375
Author: wenson_hs...@apple.com
Date: 2018-11-19 08:31:22 -0800 (Mon, 19 Nov 2018)

Log Message

Dragging image with a border-image larger than the image element crashes
https://bugs.webkit.org/show_bug.cgi?id=191817
<rdar://problem/46159222>

Reviewed by Ryosuke Niwa.

Source/WebCore:

When dragging an image element, if the image element has:

(1) box-sizing: border-box;
(2) a border-image
(3) a border-top-width that is at least as large as the height of the element and/or a border-left-width that is
at least as large as the width of the element

...then upon drag, we will fail to create a suitable drag image using the bounding box of the image element
since the size is empty, thereby causing a crash. To fix this, we bail out of this bounding-rect-dependent
codepath for generating a drag image in the case where the bounding rect is empty, and instead fall back to an
icon representation for the drag image.

Test: fast/events/drag-image-with-border-image.html

* page/DragController.cpp:
(WebCore::DragController::doImageDrag):

LayoutTests:

Verifies that an image that meets the pathological criteria described in Source/WebCore/ChangeLog can still be
dragged and dropped into an editable area.

* fast/events/drag-image-with-border-image.html: Added.
* platform/gtk/TestExpectations:
* platform/ios/TestExpectations:
* platform/mac-wk2/TestExpectations:
* platform/wpe/TestExpectations:

Enable this test only in WebKit1.

Diff
Modified: trunk/LayoutTests/ChangeLog (238374 => 238375)
--- trunk/LayoutTests/ChangeLog 2018-11-19 16:26:42 UTC (rev 238374)
+++ trunk/LayoutTests/ChangeLog 2018-11-19 16:31:22 UTC (rev 238375)
@@ -1,3 +1,22 @@
+2018-11-19 Wenson Hsieh <wenson_hs...@apple.com>
+
+ Dragging image with a border-image larger than the image element crashes
+ https://bugs.webkit.org/show_bug.cgi?id=191817
+ <rdar://problem/46159222>
+
+ Reviewed by Ryosuke Niwa.
+
+ Verifies that an image that meets the pathological criteria described in Source/WebCore/ChangeLog can still be
+ dragged and dropped into an editable area.
+
+ * fast/events/drag-image-with-border-image.html: Added.
+ * platform/gtk/TestExpectations:
+ * platform/ios/TestExpectations:
+ * platform/mac-wk2/TestExpectations:
+ * platform/wpe/TestExpectations:
+
+ Enable this test only in WebKit1.
+
2018-11-18 Yusuke Suzuki <yusukesuz...@slowstart.org>
Unreviewed, rolling in the rest of r237254
Added: trunk/LayoutTests/fast/events/drag-image-with-border-image-expected.txt (0 => 238375)
--- trunk/LayoutTests/fast/events/drag-image-with-border-image-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/events/drag-image-with-border-image-expected.txt 2018-11-19 16:31:22 UTC (rev 238375)
@@ -0,0 +1,10 @@
+PASS receivedDropEvent is true
+PASS !!destination.querySelector("img") is true
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
+
+This test verifies that the web process does not crash when dragging an image element with a border image whose dimensions exceeds the dimensions of the image element itself. To manually test, try to drag the contents of the solid red box; the web process should not crash, and dropping into the green editable area should insert an image.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
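Review bot: the description line reads "a border image whose dimensions exceeds the dimensions of the image element"; the verb should be "exceed". This expectation text is produced by the description() string in drag-image-with-border-image.html, so the wording needs correcting there and the expected file regenerating, otherwise the two will no longer match.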
Added: trunk/LayoutTests/fast/events/drag-image-with-border-image.html (0 => 238375)
--- trunk/LayoutTests/fast/events/drag-image-with-border-image.html (rev 0)
+++ trunk/LayoutTests/fast/events/drag-image-with-border-image.html 2018-11-19 16:31:22 UTC (rev 238375)
@@ -0,0 +1,55 @@
+<html>
+<head>
+<script src=""
+<style>
+img {
+ border-image: url(./resources/abe.png);
+ border-top-width: 100px;
+ border-left-width: 100px;
+ box-sizing: border-box;
+}
+
+#container {
+ border: solid 1px red;
+}
+
+#destination {
+ border: dashed 1px green;
+}
+
+img, #destination, #container {
+ width: 100px;
+ height: 100px;
+}
+</style>
+</head>
+<body>
+<div id="container"><img src=""
+<div id="destination" contenteditable></div>
+<div id="description"></div>
+</body>
+<script>
+receivedDropEvent = false;
+destination.addEventListener("drop", () => receivedDropEvent = true);
+
+addEventListener("load", () => {
+ description("This test verifies that the web process does not crash when dragging an image element with a border"
+ + " image whose dimensions exceeds the dimensions of the image element itself. To manually test, try to drag the"
+ + " contents of the solid red box; the web process should not crash, and dropping into the green editable area"
+ + " should insert an image.");
+
+ if (!window.testRunner || !window.eventSender)
+ return;
+
+ testRunner.dumpAsText();
+ eventSender.mouseMoveTo(50, 50);
+ eventSender.mouseDown();
+ eventSender.leapForward(2000);
+ eventSender.mouseMoveTo(50, 150);
+ eventSender.mouseUp();
+
+ shouldBeTrue("receivedDropEvent");
+ shouldBeTrue(`!!destination.querySelector("img")`);
+});
+</script>
+</html>
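Review bot: the img rule sets both border-top-width and border-left-width to 100px on a 100px by 100px border-box element, so the test only exercises the case where width and height collapse together, while condition (3) in the ChangeLog says "and/or". Since the fix is a check for an empty rect, a second image (or a second test) with only one border width at least as large as its dimension would cover the single-axis case as well. The mouseMoveTo(50, 50) and mouseMoveTo(50, 150) coordinates also depend on default body margins and the stacking of #container above #destination; deriving them from getBoundingClientRect() on the two elements would keep the test from silently missing its targets if the layout changes. As a style point, the script block sits after the closing body tag; moving it inside body avoids relying on parser recovery.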
Modified: trunk/LayoutTests/platform/gtk/TestExpectations (238374 => 238375)
--- trunk/LayoutTests/platform/gtk/TestExpectations 2018-11-19 16:26:42 UTC (rev 238374)
+++ trunk/LayoutTests/platform/gtk/TestExpectations 2018-11-19 16:31:22 UTC (rev 238375)
@@ -2501,6 +2501,7 @@
webkit.org/b/157179 fast/events/drag-and-drop-subframe-dataTransfer.html [ Failure Timeout ]
webkit.org/b/42194 fast/events/drag-and-drop-link.html [ Failure ]
webkit.org/b/157179 fast/events/drag-and-drop-link-into-focused-contenteditable.html [ Failure ]
+webkit.org/b/157179 fast/events/drag-image-with-border-image.html [ Failure ]
webkit.org/b/157179 fast/events/draggable-div-customdata.html [ Failure ]
webkit.org/b/157179 fast/events/draggable-div-nodata.html [ Failure ]
webkit.org/b/157179 fast/events/dropzone-001.html [ Failure Timeout ]
Modified: trunk/LayoutTests/platform/ios/TestExpectations (238374 => 238375)
--- trunk/LayoutTests/platform/ios/TestExpectations 2018-11-19 16:26:42 UTC (rev 238374)
+++ trunk/LayoutTests/platform/ios/TestExpectations 2018-11-19 16:31:22 UTC (rev 238375)
@@ -281,6 +281,7 @@
fast/events/drag-display-none-element.html [ Skip ]
fast/events/drag-file-crash.html [ Skip ]
fast/events/drag-image-filename.html [ Skip ]
+fast/events/drag-image-with-border-image.html [ Skip ]
fast/events/drag-in-frames.html [ Skip ]
fast/events/drag-and-drop-link.html [ Skip ]
fast/events/drag-and-drop-link-into-focused-contenteditable.html [ Skip ]
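Review bot: adding the test as [ Skip ] here means the crash regression is never exercised on iOS, and the entry carries no bug reference or comment saying why, unlike the GTK entry which points at webkit.org/b/157179. If the skip is only because eventSender-driven drags are unsupported on this port, as the neighbouring skipped drag tests suggest, a short comment or a bug link on the line would record that and make it easier to re-enable later.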
Modified: trunk/LayoutTests/platform/mac-wk2/TestExpectations (238374 => 238375)
--- trunk/LayoutTests/platform/mac-wk2/TestExpectations 2018-11-19 16:26:42 UTC (rev 238374)
+++ trunk/LayoutTests/platform/mac-wk2/TestExpectations 2018-11-19 16:31:22 UTC (rev 238375)
@@ -129,6 +129,7 @@
fast/events/drag-and-drop-link.html
fast/events/drag-and-drop-link-fast-multiple-times-does-not-crash.html
fast/events/drag-and-drop-link-containing-block.html
+fast/events/drag-image-with-border-image.html
fast/events/drag-in-frames.html
fast/events/drag-parent-node.html
fast/events/draggable-div-nodata.html
Modified: trunk/LayoutTests/platform/wpe/TestExpectations (238374 => 238375)
--- trunk/LayoutTests/platform/wpe/TestExpectations 2018-11-19 16:26:42 UTC (rev 238374)
+++ trunk/LayoutTests/platform/wpe/TestExpectations 2018-11-19 16:31:22 UTC (rev 238375)
@@ -158,6 +158,7 @@
fast/events/drag-dataTransferItemList-file-handling.html [ Skip ]
fast/events/drag-display-none-element.html [ Skip ]
fast/events/drag-image-filename.html [ Skip ]
+fast/events/drag-image-with-border-image.html [ Skip ]
fast/events/drag-in-frames.html [ Skip ]
fast/events/drag-outside-window.html [ Skip ]
fast/events/drag-parent-node.html [ Skip ]
Modified: trunk/Source/WebCore/ChangeLog (238374 => 238375)
--- trunk/Source/WebCore/ChangeLog 2018-11-19 16:26:42 UTC (rev 238374)
+++ trunk/Source/WebCore/ChangeLog 2018-11-19 16:31:22 UTC (rev 238375)
@@ -1,3 +1,28 @@
+2018-11-19 Wenson Hsieh <wenson_hs...@apple.com>
+
+ Dragging image with a border-image larger than the image element crashes
+ https://bugs.webkit.org/show_bug.cgi?id=191817
+ <rdar://problem/46159222>
+
+ Reviewed by Ryosuke Niwa.
+
+ When dragging an image element, if the image element has:
+
+ (1) box-sizing: border-box;
+ (2) a border-image
+ (3) a border-top-width that is at least as large as the height of the element and/or a border-left-width that is
+ at least as large as the width of the element
+
+ ...then upon drag, we will fail to create a suitable drag image using the bounding box of the image element
+ since the size is empty, thereby causing a crash. To fix this, we bail out of this bounding-rect-dependent
+ codepath for generating a drag image in the case where the bounding rect is empty, and instead fall back to an
+ icon representation for the drag image.
+
+ Test: fast/events/drag-image-with-border-image.html
+
+ * page/DragController.cpp:
+ (WebCore::DragController::doImageDrag):
+
2018-11-18 Zan Dobersek <zdober...@igalia.com>
HarfBuzzFace::CacheEntry should use 32-bit values in its HashMap
Modified: trunk/Source/WebCore/page/DragController.cpp (238374 => 238375)
--- trunk/Source/WebCore/page/DragController.cpp 2018-11-19 16:26:42 UTC (rev 238374)
+++ trunk/Source/WebCore/page/DragController.cpp 2018-11-19 16:31:22 UTC (rev 238375)
@@ -1204,7 +1204,7 @@
ImageOrientationDescription orientationDescription(element.renderer()->shouldRespectImageOrientation(), element.renderer()->style().imageOrientation());
Image* image = getImage(element);
- if (image && shouldUseCachedImageForDragImage(*image) && (dragImage = DragImage { createDragImageFromImage(image, element.renderer() ? orientationDescription : ImageOrientationDescription()) })) {
+ if (image && !layoutRect.isEmpty() && shouldUseCachedImageForDragImage(*image) && (dragImage = DragImage { createDragImageFromImage(image, element.renderer() ? orientationDescription : ImageOrientationDescription()) })) {
dragImage = DragImage { fitDragImageToMaxSize(dragImage.get(), layoutRect.size(), maxDragImageSize()) };
IntSize fittedSize = dragImageSize(dragImage.get());
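Review bot: the changed condition still evaluates element.renderer() ? orientationDescription : ImageOrientationDescription(), yet the first context line of this hunk already dereferences element.renderer()-> twice without a check when constructing orientationDescription. Either the renderer can be null at this point, in which case that earlier line is the one that needs guarding, or it cannot, and the ternary is dead code that could be dropped while this line is being touched. On the new test itself, !layoutRect.isEmpty() is placed before shouldUseCachedImageForDragImage and createDragImageFromImage, so short-circuiting does skip the image path as intended, but the line gives no hint of why an empty rect matters here; a brief comment noting that a border-box image whose border widths consume the whole box yields an empty rect, and that the code then falls back to the icon drag image, would keep the guard from being removed as redundant later.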