Title: [294281] trunk/Source/WebCore
Revision
294281
Author
gnavamar...@apple.com
Date
2022-05-16 16:58:42 -0700 (Mon, 16 May 2022)

Log Message

Crash in WebCore::InsertTextCommand::positionInsideTextNode
https://bugs.webkit.org/show_bug.cgi?id=240480

Reviewed by Ryosuke Niwa.

Calling pushAnchorElementDown in CompositeEditCommand::positionAvoidingSpecialElementBoundary can
end up removing the startPosition's container node which leaves an invalid endingSelection.

InsertTextCommand::doApply requires a real endingSelection, so we should check if this occurred and bail out.

* editing/InsertTextCommand.cpp:
(WebCore::InsertTextCommand::doApply):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (294280 => 294281)


--- trunk/Source/WebCore/ChangeLog	2022-05-16 23:44:54 UTC (rev 294280)
+++ trunk/Source/WebCore/ChangeLog	2022-05-16 23:58:42 UTC (rev 294281)
@@ -1,3 +1,18 @@
+2022-05-16  Gabriel Nava Marino  <gnavamar...@apple.com>
+
+        Crash in WebCore::InsertTextCommand::positionInsideTextNode
+        https://bugs.webkit.org/show_bug.cgi?id=240480
+
+        Reviewed by Ryosuke Niwa.
+
+        Calling pushAnchorElementDown in CompositeEditCommand::positionAvoidingSpecialElementBoundary can
+        end up removing the startPosition's container node which leaves an invalid endingSelection.
+
+        InsertTextCommand::doApply requires a real endingSelection, so we should check if this occurred and bail out.
+
+        * editing/InsertTextCommand.cpp:
+        (WebCore::InsertTextCommand::doApply):
+
 2022-05-16  Said Abou-Hallawa  <s...@apple.com>
 
         REGRESSION(r249162): CanvasRenderingContext2DBase::drawImage() crashes if the image is animated and the first frame cannot be decoded
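Review bot: the new ChangeLog entry does not state the test coverage for the crash it fixes. WebKit ChangeLog entries normally name the test that reproduces the bug (here a layout test that drives InsertTextCommand through the pushAnchorElementDown path described in the entry) or say explicitly why no test is added; adding that line under the bug description would make the entry complete.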

Modified: trunk/Source/WebCore/editing/InsertTextCommand.cpp (294280 => 294281)


--- trunk/Source/WebCore/editing/InsertTextCommand.cpp	2022-05-16 23:44:54 UTC (rev 294280)
+++ trunk/Source/WebCore/editing/InsertTextCommand.cpp	2022-05-16 23:58:42 UTC (rev 294281)
@@ -182,7 +182,9 @@
         startPosition = startPosition.downstream();
     
     startPosition = positionAvoidingSpecialElementBoundary(startPosition);
-    
+    if (endingSelection().isNoneOrOrphaned())
+        return;
+
     Position endPosition;
     
     if (m_text == "\t") {
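Review bot: the early return after positionAvoidingSpecialElementBoundary(startPosition) has no comment explaining why endingSelection() can become none or orphaned at this point, so a later reader will not know the check exists because pushAnchorElementDown can remove startPosition's container node (as the commit message explains). Suggest a short comment above the check, for example "// pushAnchorElementDown may have removed the container of startPosition, leaving an orphaned selection.", and consider whether the check should also cover startPosition itself rather than relying solely on endingSelection() to reflect the removed node.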