[webkit-changes] [273302] trunk

Tue, 23 Feb 2021 04:29:00 -0800

Title: [273302] trunk
Revision
273302
Author
[email protected]
Date
2021-02-23 04:28:20 -0800 (Tue, 23 Feb 2021)

Log Message

Nullptr crash in ModifySelectionListLevelCommand::appendSiblingNodeRange
https://bugs.webkit.org/show_bug.cgi?id=221650

Patch by Frederic Wang <[email protected]> on 2021-02-23
Reviewed by Ryosuke Niwa.

Source/WebCore:

getStartEndListChildren relies on the render tree to move the "end" node to the next sibling,
but this does not necessarily correspond to a sibling of the "start" node in the DOM tree.
This breaks the assumption of ModifySelectionListLevelCommand::appendSiblingNodeRange that
the "start" and "end" nodes are siblings (in that order), causing a null-pointer dereference.
This patch fixes the issue by ensuring that getStartEndListChildren does not try to change
the "end" node if it is not a sibling of the "start" one.

Test: fast/editing/modify-selection-list-level-crash.html

* editing/ModifySelectionListLevel.cpp:
(WebCore::getStartEndListChildren): Don't change the end node if r->node() is a sibling of
startChildList.

LayoutTests:

* fast/editing/modify-selection-list-level-crash-expected.txt: Added.
* fast/editing/modify-selection-list-level-crash.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (273301 => 273302)


--- trunk/LayoutTests/ChangeLog	2021-02-23 08:58:30 UTC (rev 273301)
+++ trunk/LayoutTests/ChangeLog	2021-02-23 12:28:20 UTC (rev 273302)
@@ -1,3 +1,13 @@
+2021-02-23  Frederic Wang  <[email protected]>
+
+        Nullptr crash in ModifySelectionListLevelCommand::appendSiblingNodeRange
+        https://bugs.webkit.org/show_bug.cgi?id=221650
+
+        Reviewed by Ryosuke Niwa.
+
+        * fast/editing/modify-selection-list-level-crash-expected.txt: Added.
+        * fast/editing/modify-selection-list-level-crash.html: Added.
+
 2021-02-23  Kimmo Kinnunen  <[email protected]>
 
         HTMLCanvasElement::copiedImage() contains old image with GPU Process on

Added: trunk/LayoutTests/fast/editing/modify-selection-list-level-crash-expected.txt (0 => 273302)


--- trunk/LayoutTests/fast/editing/modify-selection-list-level-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/editing/modify-selection-list-level-crash-expected.txt	2021-02-23 12:28:20 UTC (rev 273302)
@@ -0,0 +1,2 @@
+This test passes if it does not crash.
+

Added: trunk/LayoutTests/fast/editing/modify-selection-list-level-crash.html (0 => 273302)


--- trunk/LayoutTests/fast/editing/modify-selection-list-level-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/editing/modify-selection-list-level-crash.html	2021-02-23 12:28:20 UTC (rev 273302)
@@ -0,0 +1,13 @@
+<script>
+  if (window.testRunner)
+      testRunner.dumpAsText();
+  _onload_ = () => {
+    document.execCommand('SelectAll');
+    document.designMode = 'on';
+    document.execCommand('InsertNestedOrderedList');
+  };
+</script>
+<slot>
+  <li>This test passes if it does not crash.</li>
+</slot>
+<ol></ol>

Modified: trunk/Source/WebCore/ChangeLog (273301 => 273302)


--- trunk/Source/WebCore/ChangeLog	2021-02-23 08:58:30 UTC (rev 273301)
+++ trunk/Source/WebCore/ChangeLog	2021-02-23 12:28:20 UTC (rev 273302)
@@ -1,3 +1,23 @@
+2021-02-23  Frederic Wang  <[email protected]>
+
+        Nullptr crash in ModifySelectionListLevelCommand::appendSiblingNodeRange
+        https://bugs.webkit.org/show_bug.cgi?id=221650
+
+        Reviewed by Ryosuke Niwa.
+
+        getStartEndListChildren relies on the render tree to move the "end" node to the next sibling,
+        but this does not necessarily correspond to a sibling of the "start" node in the DOM tree.
+        This breaks the assumption of ModifySelectionListLevelCommand::appendSiblingNodeRange that
+        the "start" and "end" nodes are siblings (in that order), causing a null-pointer dereference.
+        This patch fixes the issue by ensuring that getStartEndListChildren does not try to change
+        the "end" node if it is not a sibling of the "start" one.
+
+        Test: fast/editing/modify-selection-list-level-crash.html
+
+        * editing/ModifySelectionListLevel.cpp:
+        (WebCore::getStartEndListChildren): Don't change the end node if r->node() is a sibling of
+        startChildList.
+
 2021-02-23  Ryosuke Niwa  <[email protected]>
 
         Handle Page::didFinishLoadingImageForElement asynchronously

Modified: trunk/Source/WebCore/editing/ModifySelectionListLevel.cpp (273301 => 273302)


--- trunk/Source/WebCore/editing/ModifySelectionListLevel.cpp	2021-02-23 08:58:30 UTC (rev 273301)
+++ trunk/Source/WebCore/editing/ModifySelectionListLevel.cpp	2021-02-23 12:28:20 UTC (rev 273302)
@@ -80,7 +80,7 @@
     // if the selection ends on a list item with a sublist, include the entire sublist
     if (endListChild->renderer()->isListItem()) {
         RenderObject* r = endListChild->renderer()->nextSibling();
-        if (r && isListHTMLElement(r->node()))
+        if (r && isListHTMLElement(r->node()) && r->node()->parentNode() == startListChild->parentNode())
             endListChild = r->node();
     }
 

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to