Title: [105050] trunk
Revision: 105050
Author: [email protected]
Date: 2012-01-16 03:31:38 -0800 (Mon, 16 Jan 2012)

Log Message

[crash] Renderer crashes when spell checking a disabled input field.
https://bugs.webkit.org/show_bug.cgi?id=75941

Patch by Shinya Kawanaka <[email protected]> on 2012-01-16
Reviewed by Hajime Morita.

.:

* ManualTests/editing-disabled-node-replace-crash.html: Added.

Source/WebCore:

We confirm the selection is editable before replacing text.

Tests: ManualTests/editing-disabled-node-replace-crash.html

* editing/Editor.cpp:
(WebCore::Editor::replaceSelectionWithFragment):
* editing/ReplaceSelectionCommand.cpp:
(WebCore::ReplaceSelectionCommand::doApply):

Diff

Modified: trunk/ChangeLog (105049 => 105050)


--- trunk/ChangeLog	2012-01-16 11:28:48 UTC (rev 105049)
+++ trunk/ChangeLog	2012-01-16 11:31:38 UTC (rev 105050)
@@ -1,3 +1,12 @@
+2012-01-16  Shinya Kawanaka  <[email protected]>
+
+        [crash] Renderer crashes when spell checking a disabled input field.
+        https://bugs.webkit.org/show_bug.cgi?id=75941
+
+        Reviewed by Hajime Morita.
+
+        * ManualTests/editing-disabled-node-replace-crash.html: Added.
+
 2012-01-13  Simon Fraser  <[email protected]>
 
         Unmatched transparency layer begin/end on a filtered element with an opacity ancestor

Added: trunk/ManualTests/editing-disabled-node-replace-crash.html (0 => 105050)


--- trunk/ManualTests/editing-disabled-node-replace-crash.html	                        (rev 0)
+++ trunk/ManualTests/editing-disabled-node-replace-crash.html	2012-01-16 11:31:38 UTC (rev 105050)
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+
+<html>
+<head>
+    <title>Replacing text should not crash.</title>
+</head>
+<body>
+    <p>Manual test for fix <a href="" 75941</a></p>
+    <p>Right click the following input text, and replace the misspelled text [zz] to something.</p>
+    <p>Renderer should not crash in that operation.</p>
+    <input id="input" disabled value="zz">
+</body>
+</html>
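Review bot: No automated coverage comes with this fix: the added page only exercises the crash when someone right-clicks the disabled input and picks a replacement by hand. If the replace path can be driven from script, an automated test alongside this one would keep the bug from regressing silently. Separately, as shown on this page the link in the first <p> reads `<a href="" 75941</a>`, with an empty href and no closing `>` on the opening tag; it should point at the bug URL given in the log message (https://bugs.webkit.org/show_bug.cgi?id=75941).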

Modified: trunk/Source/WebCore/ChangeLog (105049 => 105050)


--- trunk/Source/WebCore/ChangeLog	2012-01-16 11:28:48 UTC (rev 105049)
+++ trunk/Source/WebCore/ChangeLog	2012-01-16 11:31:38 UTC (rev 105050)
@@ -1,3 +1,19 @@
+2012-01-16  Shinya Kawanaka  <[email protected]>
+
+        [crash] Renderer crashes when spell checking a disabled input field.
+        https://bugs.webkit.org/show_bug.cgi?id=75941
+
+        Reviewed by Hajime Morita.
+
+        We confirm the selection is editable before replacing text.
+
+        Tests: ManualTests/editing-disabled-node-replace-crash.html
+
+        * editing/Editor.cpp:
+        (WebCore::Editor::replaceSelectionWithFragment):
+        * editing/ReplaceSelectionCommand.cpp:
+        (WebCore::ReplaceSelectionCommand::doApply):
+
 2012-01-16  Pablo Flouret  <[email protected]>
 
         Fix compilation errors on build-webkit --debug --no-svg --no-svg-fonts --no-svg-dom-objc-bindings on mac.
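Review bot: Both function entries in this ChangeLog, (WebCore::Editor::replaceSelectionWithFragment) and (WebCore::ReplaceSelectionCommand::doApply), end at the colon with no description. Say what each check is and why the guard is needed in both functions rather than one; the single sentence "We confirm the selection is editable before replacing text" records what was done but not what caused the crash.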

Modified: trunk/Source/WebCore/editing/Editor.cpp (105049 => 105050)


--- trunk/Source/WebCore/editing/Editor.cpp	2012-01-16 11:28:48 UTC (rev 105049)
+++ trunk/Source/WebCore/editing/Editor.cpp	2012-01-16 11:31:38 UTC (rev 105050)
@@ -400,7 +400,7 @@
 
 void Editor::replaceSelectionWithFragment(PassRefPtr<DocumentFragment> fragment, bool selectReplacement, bool smartReplace, bool matchStyle)
 {
-    if (m_frame->selection()->isNone() || !fragment)
+    if (m_frame->selection()->isNone() || !m_frame->selection()->isContentEditable() || !fragment)
         return;
 
     ReplaceSelectionCommand::CommandOptions options = ReplaceSelectionCommand::PreventNesting | ReplaceSelectionCommand::SanitizeFragment;
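Review bot: The editability guard added to the condition in replaceSelectionWithFragment uses `selection()->isContentEditable()`, while the matching guard added in ReplaceSelectionCommand::doApply uses `selection.rootEditableElement()`. Two different predicates for one invariant invite drift; either use the same one in both places or add a comment saying why each is the right test at its call site. The early return is also silent, so a caller cannot tell that nothing was replaced; worth confirming that every caller is fine with a no-op here.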

Modified: trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp (105049 => 105050)


--- trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp	2012-01-16 11:28:48 UTC (rev 105049)
+++ trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp	2012-01-16 11:31:38 UTC (rev 105050)
@@ -817,6 +817,9 @@
     if (!selection.isNonOrphanedCaretOrRange() || !selection.start().deprecatedNode())
         return;
 
+    if (!selection.rootEditableElement())
+        return;
+
     ReplacementFragment fragment(document(), m_documentFragment.get(), m_matchStyle, selection);
     if (performTrivialReplace(fragment))
         return;
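Review bot: The new `if (!selection.rootEditableElement()) return;` in doApply carries no comment, and nothing nearby says when a non-orphaned caret or range can lack an editable root. A one-line comment naming the disabled input case from bug 75941 would keep it from being removed later as dead code. It could also be folded into the preceding early-return condition, since both branches simply return.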
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
