Title: [259153] trunk
- Revision
- 259153
- Author
- [email protected]
- Date
- 2020-03-27 21:17:00 -0700 (Fri, 27 Mar 2020)
Log Message
Nullptr crash in CompositeEditCommand::moveParagraphs when inserting OL into uneditable parent.
https://bugs.webkit.org/show_bug.cgi?id=209641
<rdar://problem/60915598>
Reviewed by Ryosuke Niwa.
Source/WebCore:
Inserting BR in unlistifyParagraph() or OL/UL in listifyParagraph() would fail
because their insertion position is uneditable. In this case BR/OL/UL becomes
parentless and the code crashes later when their parent is dereferenced in
moveParagraphs().
In unlistifyParagraph(), only insertNodeBefore() and insertNodeAfter() are used
and both check parent of listNode for editability, so in order to avoid assertion
in the above functions, we check the editability of listNode before insertion.
In listifyParagraph() it is hard to predict where the final insertion position would be,
so we check the editability of the insertion position after it is finalized.
Test: editing/inserting/insert-ol-uneditable-parent.html
* editing/InsertListCommand.cpp:
(WebCore::InsertListCommand::unlistifyParagraph):
(WebCore::InsertListCommand::listifyParagraph):
LayoutTests:
Added a regression test for the crash.
* editing/inserting/insert-ol-uneditable-parent-expected.txt: Added.
* editing/inserting/insert-ol-uneditable-parent.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (259152 => 259153)
--- trunk/LayoutTests/ChangeLog 2020-03-28 04:00:36 UTC (rev 259152)
+++ trunk/LayoutTests/ChangeLog 2020-03-28 04:17:00 UTC (rev 259153)
@@ -1,3 +1,16 @@
+2020-03-27 Jack Lee <[email protected]>
+
+ Nullptr crash in CompositeEditCommand::moveParagraphs when inserting OL into uneditable parent.
+ https://bugs.webkit.org/show_bug.cgi?id=209641
+ <rdar://problem/60915598>
+
+ Reviewed by Ryosuke Niwa.
+
+ Added a regression test for the crash.
+
+ * editing/inserting/insert-ol-uneditable-parent-expected.txt: Added.
+ * editing/inserting/insert-ol-uneditable-parent.html: Added.
+
2020-03-27 Eugene But <[email protected]>
Test for RenderBox::styleDidChange crash fix
Added: trunk/LayoutTests/editing/inserting/insert-ol-uneditable-parent-expected.txt (0 => 259153)
--- trunk/LayoutTests/editing/inserting/insert-ol-uneditable-parent-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-ol-uneditable-parent-expected.txt 2020-03-28 04:17:00 UTC (rev 259153)
@@ -0,0 +1 @@
+Test insering an ol into uneditable parent. The test passes if WebKit doesn't crash or hit an assertion.
Added: trunk/LayoutTests/editing/inserting/insert-ol-uneditable-parent.html (0 => 259153)
--- trunk/LayoutTests/editing/inserting/insert-ol-uneditable-parent.html (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-ol-uneditable-parent.html 2020-03-28 04:17:00 UTC (rev 259153)
@@ -0,0 +1,10 @@
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ window._onload_ = () => {
+ document.getSelection().setPosition(LI);
+ document.execCommand("insertOrderedList", false);
+ }
+</script>
+<body><ul><li id=LI contenteditable="true"><span>Test insering an ol into uneditable parent. The test passes if WebKit doesn't crash or hit an assertion.</span>
Modified: trunk/Source/WebCore/ChangeLog (259152 => 259153)
--- trunk/Source/WebCore/ChangeLog 2020-03-28 04:00:36 UTC (rev 259152)
+++ trunk/Source/WebCore/ChangeLog 2020-03-28 04:17:00 UTC (rev 259153)
@@ -1,3 +1,27 @@
+2020-03-27 Jack Lee <[email protected]>
+
+ Nullptr crash in CompositeEditCommand::moveParagraphs when inserting OL into uneditable parent.
+ https://bugs.webkit.org/show_bug.cgi?id=209641
+ <rdar://problem/60915598>
+
+ Reviewed by Ryosuke Niwa.
+
+ Inserting BR in unlistifyParagraph() or OL/UL in listifyParagraph() would fail
+ because their insertion position is uneditable. In this case BR/OL/UL becomes
+ parentless and the code crashes later when their parent is dereferenced in
+ moveParagraphs().
+ In unlistifyParagraph(), only insertNodeBefore() and insertNodeAfter() are used
+ and both check parent of listNode for editability, so in order to avoid assertion
+ in the above functions, we check the editability of listNode before insertion.
+ In listifyParagraph() it is hard to predict where the final insertion position would be,
+ so we check the editability of the insertion position after it is finalized.
+
+ Test: editing/inserting/insert-ol-uneditable-parent.html
+
+ * editing/InsertListCommand.cpp:
+ (WebCore::InsertListCommand::unlistifyParagraph):
+ (WebCore::InsertListCommand::listifyParagraph):
+
2020-03-27 Eugene But <[email protected]>
Fix null pointer crash in RenderBox::styleDidChange
Modified: trunk/Source/WebCore/editing/InsertListCommand.cpp (259152 => 259153)
--- trunk/Source/WebCore/editing/InsertListCommand.cpp 2020-03-28 04:00:36 UTC (rev 259152)
+++ trunk/Source/WebCore/editing/InsertListCommand.cpp 2020-03-28 04:17:00 UTC (rev 259153)
@@ -275,6 +275,10 @@
Node* previousListChild;
VisiblePosition start;
VisiblePosition end;
+
+ if (!listNode->parentNode()->hasEditableStyle())
+ return;
+
if (listChildNode->hasTagName(liTag)) {
start = firstPositionInNode(listChildNode);
end = lastPositionInNode(listChildNode);
@@ -390,6 +394,9 @@
if (listChild && listChild->hasTagName(liTag))
insertionPos = positionInParentBeforeNode(listChild);
+ if (!isEditablePosition(insertionPos))
+ return 0;
+
insertNodeAt(*listElement, insertionPos);
// We inserted the list at the start of the content we're about to move
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
