Title: [274847] trunk
Revision
274847
Author
[email protected]
Date
2021-03-22 23:19:34 -0700 (Mon, 22 Mar 2021)

Log Message

Crash in ReplaceSelectionCommand::doApply()
https://bugs.webkit.org/show_bug.cgi?id=223545

Patch by Julian Gonzalez <[email protected]> on 2021-03-22
Reviewed by Ryosuke Niwa.

Source/WebCore:

Test: editing/execCommand/insert-image-in-composed-list.html

Add a missing check in ReplaceSelectionCommand::doApply()
to prevent calling splitTreeToNode() with nullptr.

* editing/ReplaceSelectionCommand.cpp:
(WebCore::ReplaceSelectionCommand::doApply):

LayoutTests:

Add a test to catch this null pointer dereference.
Thanks to Ryosuke Niwa for significant work in reducing
this test case.

* editing/execCommand/insert-image-in-composed-list-expected.txt: Added.
* editing/execCommand/insert-image-in-composed-list.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (274846 => 274847)


--- trunk/LayoutTests/ChangeLog	2021-03-23 05:53:22 UTC (rev 274846)
+++ trunk/LayoutTests/ChangeLog	2021-03-23 06:19:34 UTC (rev 274847)
@@ -1,3 +1,17 @@
+2021-03-22  Julian Gonzalez  <[email protected]>
+
+        Crash in ReplaceSelectionCommand::doApply()
+        https://bugs.webkit.org/show_bug.cgi?id=223545
+
+        Reviewed by Ryosuke Niwa.
+
+        Add a test to catch this null pointer dereference.
+        Thanks to Ryosuke Niwa for significant work in reducing
+        this test case.
+
+        * editing/execCommand/insert-image-in-composed-list-expected.txt: Added.
+        * editing/execCommand/insert-image-in-composed-list.html: Added.
+
 2021-03-22  Lauro Moura  <[email protected]>
 
         [GLIB] Gardening webgl/conformance/extensions/khr-parallel-shader-compile.html timeout after r274711

Added: trunk/LayoutTests/editing/execCommand/insert-image-in-composed-list-expected.txt (0 => 274847)


--- trunk/LayoutTests/editing/execCommand/insert-image-in-composed-list-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/execCommand/insert-image-in-composed-list-expected.txt	2021-03-23 06:19:34 UTC (rev 274847)
@@ -0,0 +1 @@
+Test passes if it does not crash.

Added: trunk/LayoutTests/editing/execCommand/insert-image-in-composed-list.html (0 => 274847)


--- trunk/LayoutTests/editing/execCommand/insert-image-in-composed-list.html	                        (rev 0)
+++ trunk/LayoutTests/editing/execCommand/insert-image-in-composed-list.html	2021-03-23 06:19:34 UTC (rev 274847)
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+</html>
+<html>
+<head>
+<script>
+_onload_ = () => {
+    if (window.testRunner)
+        testRunner.dumpAsText();
+
+    const br = document.querySelector('br');
+    br.innerHTML = '<div style="text-indent: -1em;"><span>foo</span></div>';
+    getSelection().setBaseAndExtent(document.querySelector('span').firstChild, 0, br, 1);
+    document.execCommand("insertImage", "#foo");
+}
+</script>
+</head>
+<body contenteditable>
+Test passes if it does not crash.
+<br style="content: ''"><span style="display: none">
+</body>
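Review bot: two things in the test script look like they would keep the repro from running as intended. `_onload_ = () => {` on the line after `<script>` assigns a plain global named `_onload_` rather than `window.onload`, so the handler never fires and the test passes vacuously; if the committed file actually reads `onload = () => {` this is only an artifact of how the page was extracted, otherwise rename it. Also, `document.execCommand("insertImage", "#foo")` passes the URL in execCommand's second (showUI) argument and leaves the value undefined; the intended call is `document.execCommand("insertImage", false, "#foo")`. The stray `</html>` before `<html>`, the `innerHTML` assignment on a `<br>`, and the unclosed `<span style="display: none">` are presumably the parts of the reduction that reach the crash, so a one-line comment saying so would stop a later cleanup from "fixing" them.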

Modified: trunk/Source/WebCore/ChangeLog (274846 => 274847)


--- trunk/Source/WebCore/ChangeLog	2021-03-23 05:53:22 UTC (rev 274846)
+++ trunk/Source/WebCore/ChangeLog	2021-03-23 06:19:34 UTC (rev 274847)
@@ -1,3 +1,18 @@
+2021-03-22  Julian Gonzalez  <[email protected]>
+
+        Crash in ReplaceSelectionCommand::doApply()
+        https://bugs.webkit.org/show_bug.cgi?id=223545
+
+        Reviewed by Ryosuke Niwa.
+
+        Test: editing/execCommand/insert-image-in-composed-list.html
+
+        Add a missing check in ReplaceSelectionCommand::doApply()
+        to prevent calling splitTreeToNode() with nullptr.
+
+        * editing/ReplaceSelectionCommand.cpp:
+        (WebCore::ReplaceSelectionCommand::doApply):
+
 2021-03-22  Ryosuke Niwa  <[email protected]>
 
         Use JSValueInWrappedObject to keep the JSObject alive for QuickTimePluginReplacement
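Review bot: the description "prevent calling splitTreeToNode() with nullptr" does not match what the accompanying ReplaceSelectionCommand.cpp hunk actually tests, which is `nodeToSplitTo->parentNode()`; say which pointer was null (a nodeToSplitTo with no parent) and how the test reaches that state, so the ChangeLog explains the guard rather than a call that is not visible in the change.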

Modified: trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp (274846 => 274847)


--- trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp	2021-03-23 05:53:22 UTC (rev 274846)
+++ trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp	2021-03-23 06:19:34 UTC (rev 274847)
@@ -1213,7 +1213,7 @@
         }
 
         if (RefPtr<Node> nodeToSplitTo = nodeToSplitToAvoidPastingIntoInlineNodesWithStyle(insertionPos)) {
-            if (insertionPos.containerNode() != nodeToSplitTo->parentNode()) {
+            if (nodeToSplitTo->parentNode() && insertionPos.containerNode() != nodeToSplitTo->parentNode()) {
                 Node* splitStart = insertionPos.computeNodeAfterPosition();
                 if (!splitStart)
                     splitStart = insertionPos.containerNode();
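Review bot: the new guard at `if (nodeToSplitTo->parentNode() && ...)` silently skips the split whenever nodeToSplitTo is parentless, with nothing in the code explaining when that can happen; add a short comment (the reduced test reaches it by giving a `<br>` children through innerHTML next to a display:none span) so a later reader does not remove the check as dead code, or consider having nodeToSplitToAvoidPastingIntoInlineNodesWithStyle() return null for a node without a parent so this condition stays a single comparison. It would also be worth confirming that the fallback `splitStart = insertionPos.containerNode()` two lines below cannot itself be null on the same input.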
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
