Title: [272483] trunk/Source/WebCore
- Revision: 272483
- Author: [email protected]
- Date: 2021-02-08 01:12:48 -0800 (Mon, 08 Feb 2021)
Log Message
Nullptr crash in editingIgnoresContent via InsertParagraphSeparatorCommand::doApply
https://bugs.webkit.org/show_bug.cgi?id=220349
Patch by Carlos Garcia Campos <[email protected]> on 2021-02-08
Reviewed by Ryosuke Niwa.
Add an early return to InsertParagraphSeparatorCommand::doApply if insert position is null.
* editing/CompositeEditCommand.cpp:
(WebCore::CompositeEditCommand::insertNodeBefore): Return early if an InsertNodeBeforeCommand can't be created.
* editing/InsertParagraphSeparatorCommand.cpp:
(WebCore::InsertParagraphSeparatorCommand::doApply): Abort the insertion if the insert position is null.
Diff
Modified: trunk/Source/WebCore/ChangeLog (272482 => 272483)
--- trunk/Source/WebCore/ChangeLog 2021-02-08 09:00:51 UTC (rev 272482)
+++ trunk/Source/WebCore/ChangeLog 2021-02-08 09:12:48 UTC (rev 272483)
@@ -1,3 +1,17 @@
+2021-02-08 Carlos Garcia Campos <[email protected]>
+
+ Nullptr crash in editingIgnoresContent via InsertParagraphSeparatorCommand::doApply
+ https://bugs.webkit.org/show_bug.cgi?id=220349
+
+ Reviewed by Ryosuke Niwa.
+
+ Add an early return to InsertParagraphSeparatorCommand::doApply if insert position is null.
+
+ * editing/CompositeEditCommand.cpp:
+ (WebCore::CompositeEditCommand::insertNodeBefore): Return early if a InsertNodeBeforeCommand can't be created.
+ * editing/InsertParagraphSeparatorCommand.cpp:
+ (WebCore::InsertParagraphSeparatorCommand::doApply): Abort the insertion if the insert position is null.
+
2021-02-08 Philippe Normand <[email protected]>
Permission request API for MediaKeySystem access support
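Review bot: the new ChangeLog entry lists the two changed source files but no regression test for the crash in bug 220349. If a reduced test case exists, add it and name it in the entry with a "Test:" line; if the crash cannot be reproduced reliably in a layout test, say so in the entry. Minor: "a InsertNodeBeforeCommand" should read "an InsertNodeBeforeCommand".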
Modified: trunk/Source/WebCore/editing/CompositeEditCommand.cpp (272482 => 272483)
--- trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2021-02-08 09:00:51 UTC (rev 272482)
+++ trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2021-02-08 09:12:48 UTC (rev 272483)
@@ -530,6 +530,9 @@
void CompositeEditCommand::insertNodeBefore(Ref<Node>&& insertChild, Node& refChild, ShouldAssumeContentIsAlwaysEditable shouldAssumeContentIsAlwaysEditable)
{
+ auto* parent = refChild.parentNode();
+ if (!parent || (!parent->hasEditableStyle() && parent->renderer()))
+ return;
applyCommandToComposite(InsertNodeBeforeCommand::create(WTFMove(insertChild), refChild, shouldAssumeContentIsAlwaysEditable, editingAction()));
}
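Review bot: the new guard in insertNodeBefore tests parent->hasEditableStyle() without consulting shouldAssumeContentIsAlwaysEditable, which is still forwarded to InsertNodeBeforeCommand::create on the next line. A caller that passes the always-editable value may have its insertion dropped here when the parent has a renderer and is not editable, so either take the parameter into account in the condition or add a comment explaining why it does not apply. The return is also silent, so a caller can only detect the skipped insertion by inspecting the node afterwards.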
Modified: trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp (272482 => 272483)
--- trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp 2021-02-08 09:00:51 UTC (rev 272482)
+++ trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp 2021-02-08 09:12:48 UTC (rev 272483)
@@ -303,9 +303,10 @@
// content will move down a line.
if (isStartOfParagraph(visiblePos)) {
auto br = HTMLBRElement::create(document());
- auto* brPtr = br.ptr();
- insertNodeAt(WTFMove(br), insertionPosition);
- insertionPosition = positionInParentAfterNode(brPtr);
+ insertNodeAt(br.copyRef(), insertionPosition);
+ if (!br->parentNode())
+ return;
+ insertionPosition = positionInParentAfterNode(br.ptr());
// If the insertion point is a break element, there is nothing else
// we need to do.
if (visiblePos.deepEquivalent().anchorNode()->renderer()->isBR()) {
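Review bot: the `if (!br->parentNode()) return;` check after insertNodeAt is the only sign that the insertion did not happen, and it carries no comment saying so. Add a one-line comment that insertNodeAt can leave br detached, so the check is not later removed as redundant. Separately, the unchanged condition below, visiblePos.deepEquivalent().anchorNode()->renderer()->isBR(), still dereferences anchorNode() and renderer() without a null check, which may deserve the same treatment in a change that is about null crashes.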
@@ -322,6 +323,8 @@
// all of the correct nodes when building the ancestor list. So this needs to be the deepest representation of the position
// before we walk the DOM tree.
insertionPosition = positionOutsideTabSpan(VisiblePosition(insertionPosition).deepEquivalent());
+ if (insertionPosition.isNull())
+ return;
// If the returned position lies either at the end or at the start of an element that is ignored by editing
// we should move to its upstream or downstream position.
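Review bot: the new `if (insertionPosition.isNull()) return;` has no comment saying which of the two calls on the line above, the VisiblePosition canonicalization or positionOutsideTabSpan, can yield a null position. A short comment naming the case would help future readers. If this point can be reached after the br insertion in the earlier hunk of this file, it is also worth confirming that returning here leaves the document in an acceptable state, since the br would already be in place.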