Title: [271510] trunk
- Revision
- 271510
- Author
- [email protected]
- Date
- 2021-01-14 23:14:48 -0800 (Thu, 14 Jan 2021)
Log Message
Crash from CompositeEditCommand::moveParagraphs() being passed null end
https://bugs.webkit.org/show_bug.cgi?id=220630
Patch by Julian Gonzalez <[email protected]> on 2021-01-14
Reviewed by Ryosuke Niwa.
Source/WebCore:
If the start or end VisiblePositions inside InsertListCommand::unlistifyParagraph()
are null VisiblePositions (even if they are not null Positions), passing them to the
call to moveParagraphs() at the end of the function isn't meaningful and will result
in a crash - so return early in this case.
Test: editing/inserting/paragraph-outdent-crash.html
* editing/InsertListCommand.cpp:
(WebCore::InsertListCommand::unlistifyParagraph):
LayoutTests:
Add a test to verify that the crash here is resolved, and also remove a newline
from another related test that now renders one fewer newline
(in that case, the ultimate bug is similar, so the result should be similar).
* editing/inserting/insert-list-in-iframe-in-list-expected.txt:
* editing/inserting/paragraph-outdent-crash-expected.txt: Added.
* editing/inserting/paragraph-outdent-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (271509 => 271510)
--- trunk/LayoutTests/ChangeLog 2021-01-15 05:55:48 UTC (rev 271509)
+++ trunk/LayoutTests/ChangeLog 2021-01-15 07:14:48 UTC (rev 271510)
@@ -1,3 +1,18 @@
+2021-01-14 Julian Gonzalez <[email protected]>
+
+ Crash from CompositeEditCommand::moveParagraphs() being passed null end
+ https://bugs.webkit.org/show_bug.cgi?id=220630
+
+ Reviewed by Ryosuke Niwa.
+
+ Add a test to verify that the crash here is resolved, and also remove a newline
+ from another related test that now renders one fewer newline
+ (in that case, the ultimate bug is similar, so the result should be similar).
+
+ * editing/inserting/insert-list-in-iframe-in-list-expected.txt:
+ * editing/inserting/paragraph-outdent-crash-expected.txt: Added.
+ * editing/inserting/paragraph-outdent-crash.html: Added.
+
2021-01-14 Simon Fraser <[email protected]>
[Async scrolling] Slow-scrolling reasons should not propagate across frame boundaries
Modified: trunk/LayoutTests/editing/inserting/insert-list-in-iframe-in-list-expected.txt (271509 => 271510)
--- trunk/LayoutTests/editing/inserting/insert-list-in-iframe-in-list-expected.txt 2021-01-15 05:55:48 UTC (rev 271509)
+++ trunk/LayoutTests/editing/inserting/insert-list-in-iframe-in-list-expected.txt 2021-01-15 07:14:48 UTC (rev 271510)
@@ -1,5 +1,4 @@
-
This tests that we do not crash while inserting either list.
PASS
Added: trunk/LayoutTests/editing/inserting/paragraph-outdent-crash-expected.txt (0 => 271510)
--- trunk/LayoutTests/editing/inserting/paragraph-outdent-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/inserting/paragraph-outdent-crash-expected.txt 2021-01-15 07:14:48 UTC (rev 271510)
@@ -0,0 +1,4 @@
+This tests that we do not crash while moving paragraphs.
+
+PASS
+
Added: trunk/LayoutTests/editing/inserting/paragraph-outdent-crash.html (0 => 271510)
--- trunk/LayoutTests/editing/inserting/paragraph-outdent-crash.html (rev 0)
+++ trunk/LayoutTests/editing/inserting/paragraph-outdent-crash.html 2021-01-15 07:14:48 UTC (rev 271510)
@@ -0,0 +1,35 @@
+<html>
+<head>
+<style>
+.body, #shadow { -webkit-user-modify: read-write; }
+</style>
+<script>
+function testonload() {
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ document.all[0].appendChild(lieditable);
+ listatic.before("PASS");
+ window.find("PASS", false, true, true, false);
+ document.execCommand("outdent", false);
+}
+</script>
+</head>
+<body _onload_=testonload()>
+This tests that we do not crash while moving paragraphs.
+<div><font></font></div>
+<input>
+<shadow id="shadow">
+<ul>
+<li>
+<dir>
+<li contenteditable="false" id="listatic">
+<li id="lieditable"></li>
+</li>
+</dir>
+</li>
+</ul>
+</shadow>
+</input>
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (271509 => 271510)
--- trunk/Source/WebCore/ChangeLog 2021-01-15 05:55:48 UTC (rev 271509)
+++ trunk/Source/WebCore/ChangeLog 2021-01-15 07:14:48 UTC (rev 271510)
@@ -1,3 +1,20 @@
+2021-01-14 Julian Gonzalez <[email protected]>
+
+ Crash from CompositeEditCommand::moveParagraphs() being passed null end
+ https://bugs.webkit.org/show_bug.cgi?id=220630
+
+ Reviewed by Ryosuke Niwa.
+
+ If the start or end VisiblePositions inside InsertListCommand::unlistifyParagraph()
+ are null VisiblePositions (even if they are not null Positions), passing them to the
+ call to moveParagraphs() at the end of the function isn't meaningful and will result
+ in a crash - so return early in this case.
+
+ Test: editing/inserting/paragraph-outdent-crash.html
+
+ * editing/InsertListCommand.cpp:
+ (WebCore::InsertListCommand::unlistifyParagraph):
+
2021-01-14 Simon Fraser <[email protected]>
[Async scrolling] Slow-scrolling reasons should not propagate across frame boundaries
Modified: trunk/Source/WebCore/editing/InsertListCommand.cpp (271509 => 271510)
--- trunk/Source/WebCore/editing/InsertListCommand.cpp 2021-01-15 05:55:48 UTC (rev 271509)
+++ trunk/Source/WebCore/editing/InsertListCommand.cpp 2021-01-15 07:14:48 UTC (rev 271510)
@@ -299,6 +299,10 @@
previousListChild = enclosingListChild(start.previous().deepEquivalent().deprecatedNode(), listNode);
ASSERT(previousListChild != listChildNode);
}
+
+ if (start.isNull() || end.isNull())
+ return;
+
// When removing a list, we must always create a placeholder to act as a point of insertion
// for the list content being removed.
auto placeholder = HTMLBRElement::create(document());
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
