Title: [274200] trunk
- Revision
- 274200
- Author
- [email protected]
- Date
- 2021-03-09 23:03:36 -0800 (Tue, 09 Mar 2021)
Log Message
Nullptr crash in Node::isTextNode() via ApplyBlockElementCommand::endOfNextParagraphSplittingTextNodesIfNeeded
https://bugs.webkit.org/show_bug.cgi?id=222620
Patch by Venky Dass <[email protected]> on 2021-03-09
Reviewed by Ryosuke Niwa.
Source/WebCore:
When a text node does not have a previous sibling there is a crash. The fix is to check if there is a previous sibling
before we try to de-reference it.
Test: editing/inserting/indent-split-text-not-having-previous-sibling-crash.html
* editing/ApplyBlockElementCommand.cpp:
(WebCore::ApplyBlockElementCommand::endOfNextParagraphSplittingTextNodesIfNeeded):
LayoutTests:
Adding a regression test.
* editing/inserting/indent-split-text-not-having-previous-sibling-crash-expected.txt: Added.
* editing/inserting/indent-split-text-not-having-previous-sibling-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (274199 => 274200)
--- trunk/LayoutTests/ChangeLog 2021-03-10 06:39:48 UTC (rev 274199)
+++ trunk/LayoutTests/ChangeLog 2021-03-10 07:03:36 UTC (rev 274200)
@@ -1,3 +1,15 @@
+2021-03-09 Venky Dass <[email protected]>
+
+ Nullptr crash in Node::isTextNode() via ApplyBlockElementCommand::endOfNextParagraphSplittingTextNodesIfNeeded
+ https://bugs.webkit.org/show_bug.cgi?id=222620
+
+ Reviewed by Ryosuke Niwa.
+
+ Adding a regression test.
+
+ * editing/inserting/indent-split-text-not-having-previous-sibling-crash-expected.txt: Added.
+ * editing/inserting/indent-split-text-not-having-previous-sibling-crash.html: Added.
+
2021-03-09 Ryosuke Niwa <[email protected]>
Unreviewed, reverting r274054.
Added: trunk/LayoutTests/editing/inserting/indent-split-text-not-having-previous-sibling-crash-expected.txt (0 => 274200)
--- trunk/LayoutTests/editing/inserting/indent-split-text-not-having-previous-sibling-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/inserting/indent-split-text-not-having-previous-sibling-crash-expected.txt 2021-03-10 07:03:36 UTC (rev 274200)
@@ -0,0 +1 @@
+ This tests indenting non-editable content. WebKit should not crash.
Added: trunk/LayoutTests/editing/inserting/indent-split-text-not-having-previous-sibling-crash.html (0 => 274200)
--- trunk/LayoutTests/editing/inserting/indent-split-text-not-having-previous-sibling-crash.html (rev 0)
+++ trunk/LayoutTests/editing/inserting/indent-split-text-not-having-previous-sibling-crash.html 2021-03-10 07:03:36 UTC (rev 274200)
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html contenteditable=true>
+<script>
+function main() {
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ document.execCommand("selectAll",false,null);
+ document.documentElement.replaceChild(x4, document.body);
+ document.execCommand("indent",false,null);
+}
+</script>
+<body _onload_="main()">
+<span id="x4" style="white-space: pre-line" contenteditable=false>
+This tests indenting non-editable content. WebKit should not crash.
Modified: trunk/Source/WebCore/ChangeLog (274199 => 274200)
--- trunk/Source/WebCore/ChangeLog 2021-03-10 06:39:48 UTC (rev 274199)
+++ trunk/Source/WebCore/ChangeLog 2021-03-10 07:03:36 UTC (rev 274200)
@@ -1,3 +1,18 @@
+2021-03-09 Venky Dass <[email protected]>
+
+ Nullptr crash in Node::isTextNode() via ApplyBlockElementCommand::endOfNextParagraphSplittingTextNodesIfNeeded
+ https://bugs.webkit.org/show_bug.cgi?id=222620
+
+ Reviewed by Ryosuke Niwa.
+
+ When a text node does not have a previous sibling there is a crash. The fix is to check if there is a previous sibling
+ before we try to de-reference it.
+
+ Test: editing/inserting/indent-split-text-not-having-previous-sibling-crash.html
+
+ * editing/ApplyBlockElementCommand.cpp:
+ (WebCore::ApplyBlockElementCommand::endOfNextParagraphSplittingTextNodesIfNeeded):
+
2021-03-09 Ryosuke Niwa <[email protected]>
Unreviewed, reverting r274054.
Modified: trunk/Source/WebCore/editing/ApplyBlockElementCommand.cpp (274199 => 274200)
--- trunk/Source/WebCore/editing/ApplyBlockElementCommand.cpp 2021-03-10 06:39:48 UTC (rev 274199)
+++ trunk/Source/WebCore/editing/ApplyBlockElementCommand.cpp 2021-03-10 07:03:36 UTC (rev 274200)
@@ -278,12 +278,13 @@
// If endOfNextParagraph was pointing at this same text node, endOfNextParagraph will be shifted by one paragraph.
// Avoid this by splitting "\n"
splitTextNode(*text, 1);
+ auto previousSiblingOfText = makeRefPtr(text->previousSibling());
- if (text == start.containerNode() && is<Text>(text->previousSibling())) {
+ if (text == start.containerNode() && previousSiblingOfText && is<Text>(previousSiblingOfText)) {
ASSERT(start.offsetInContainerNode() < position.offsetInContainerNode());
start = Position(downcast<Text>(text->previousSibling()), start.offsetInContainerNode());
}
- if (text == end.containerNode() && is<Text>(text->previousSibling())) {
+ if (text == end.containerNode() && previousSiblingOfText && is<Text>(previousSiblingOfText)) {
ASSERT(end.offsetInContainerNode() < position.offsetInContainerNode());
end = Position(downcast<Text>(text->previousSibling()), end.offsetInContainerNode());
}
@@ -290,7 +291,7 @@
if (text == m_endOfLastParagraph.containerNode()) {
if (m_endOfLastParagraph.offsetInContainerNode() < position.offsetInContainerNode()) {
// We can only fix endOfLastParagraph if the previous node was still text and hasn't been modified by script.
- if (is<Text>(*text->previousSibling())
+ if (previousSiblingOfText && is<Text>(previousSiblingOfText)
&& static_cast<unsigned>(m_endOfLastParagraph.offsetInContainerNode()) <= downcast<Text>(text->previousSibling())->length())
m_endOfLastParagraph = Position(downcast<Text>(text->previousSibling()), m_endOfLastParagraph.offsetInContainerNode());
} else
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
