Title: [274849] trunk
Revision: 274849
Author: [email protected]
Date: 2021-03-22 23:23:57 -0700 (Mon, 22 Mar 2021)

Log Message

Nullptr crash in WebCore::RenderObject::RenderObjectBitfields::isLineBreak() where a NULL check is missing.
https://bugs.webkit.org/show_bug.cgi?id=223409

Patch by Venky Dass <[email protected]> on 2021-03-22
Reviewed by Ryosuke Niwa.

Source/WebCore:

When the check for LineBreak is performed, the BR element NULL check is not performed, which results in a crash.
The fix therefore is to check for NULL.

Test: LayoutTests/editing/inserting/insert-paragraph-between-hr-and-br-assigned-to-slot-crash.html

* editing/InsertParagraphSeparatorCommand.cpp:
(WebCore::InsertParagraphSeparatorCommand::doApply):

LayoutTests:

Adding a regression test case.

* editing/inserting/insert-paragraph-between-hr-and-br-assigned-to-slot-crash-expected.txt: Added.
* editing/inserting/insert-paragraph-between-hr-and-br-assigned-to-slot-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (274848 => 274849)


--- trunk/LayoutTests/ChangeLog	2021-03-23 06:22:30 UTC (rev 274848)
+++ trunk/LayoutTests/ChangeLog	2021-03-23 06:23:57 UTC (rev 274849)
@@ -1,3 +1,15 @@
+2021-03-22  Venky Dass  <[email protected]>
+
+        Nullptr crash in  WebCore::RenderObject::RenderObjectBitfields::isLineBreak() where a NULL check is missing.
+        https://bugs.webkit.org/show_bug.cgi?id=223409
+
+        Reviewed by Ryosuke Niwa.
+
+        Adding a regression test case.
+        
+        * editing/inserting/insert-paragraph-between-hr-and-br-assigned-to-slot-crash-expected.txt: Added.
+        * editing/inserting/insert-paragraph-between-hr-and-br-assigned-to-slot-crash.html: Added.
+
 2021-03-22  Julian Gonzalez  <[email protected]>
 
         Crash in ReplaceSelectionCommand::doApply()

Added: trunk/LayoutTests/editing/inserting/insert-paragraph-between-hr-and-br-assigned-to-slot-crash-expected.txt (0 => 274849)


--- trunk/LayoutTests/editing/inserting/insert-paragraph-between-hr-and-br-assigned-to-slot-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-paragraph-between-hr-and-br-assigned-to-slot-crash-expected.txt	2021-03-23 06:23:57 UTC (rev 274849)
@@ -0,0 +1,4 @@
+
+
+
+This tests inserting a paragraph between hr and br assigned to a slot. WebKit should not hit any assertions or crash.

Added: trunk/LayoutTests/editing/inserting/insert-paragraph-between-hr-and-br-assigned-to-slot-crash.html (0 => 274849)


--- trunk/LayoutTests/editing/inserting/insert-paragraph-between-hr-and-br-assigned-to-slot-crash.html	                        (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-paragraph-between-hr-and-br-assigned-to-slot-crash.html	2021-03-23 06:23:57 UTC (rev 274849)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<body>
+<div id="editor" contenteditable><div id="host"><hr><br><br></div></div>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+host.attachShadow({mode: 'closed'}).innerHTML = '<slot></slot>';
+editor.focus();
+getSelection().setPosition(document.querySelector('br'), 0);
+document.execCommand('InsertParagraph');
+</script>
+</body>
+<p>This tests inserting a paragraph between hr and br assigned to a slot. WebKit should not hit any assertions or crash.</p>
+</html>
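
Review bot: The test only proves the absence of a crash, because the expected output holds nothing but the description text; after `document.execCommand('InsertParagraph')` neither the resulting selection nor the editor markup is checked. Consider dumping the editor's markup or the selection position as well, so that a later behaviour change in this path shows up as a diff instead of passing silently. Two smaller points: the `<p>` description sits after `</body>`, and the script relies on the id-named globals `host` and `editor`; placing the `<p>` inside the body and using `document.getElementById` would make the test independent of parser fix-ups and named access.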

Modified: trunk/Source/WebCore/ChangeLog (274848 => 274849)


--- trunk/Source/WebCore/ChangeLog	2021-03-23 06:22:30 UTC (rev 274848)
+++ trunk/Source/WebCore/ChangeLog	2021-03-23 06:23:57 UTC (rev 274849)
@@ -1,3 +1,18 @@
+2021-03-22  Venky Dass  <[email protected]>
+
+        Nullptr crash in  WebCore::RenderObject::RenderObjectBitfields::isLineBreak() where a NULL check is missing.
+        https://bugs.webkit.org/show_bug.cgi?id=223409
+
+        Reviewed by Ryosuke Niwa.
+
+        When the check for LineBreak is performed the BR elmement NULL check is not performed. Which results in a crash
+        The fix therefore is to check for NULL.
+        
+        Test: LayoutTests/editing/inserting/insert-paragraph-between-hr-and-br-assigned-to-slot-crash.html
+
+        * editing/InsertParagraphSeparatorCommand.cpp:
+        (WebCore::InsertParagraphSeparatorCommand::doApply):
+
 2021-03-22  Julian Gonzalez  <[email protected]>
 
         Crash in ReplaceSelectionCommand::doApply()
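
Review bot: The description line contains a typo ("elmement") and has no full stop before "The fix therefore ...", and the line that follows it is whitespace-only. The entry also does not say why the anchor node has no renderer in the hr/br-in-slot case the test covers; one sentence on that would let the next person touching `doApply` judge whether skipping the early return is the intended behaviour.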

Modified: trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp (274848 => 274849)


--- trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp	2021-03-23 06:22:30 UTC (rev 274848)
+++ trunk/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp	2021-03-23 06:23:57 UTC (rev 274849)
@@ -313,7 +313,7 @@
         insertionPosition = positionInParentAfterNode(br.ptr());
         // If the insertion point is a break element, there is nothing else
         // we need to do.
-        if (visiblePos.deepEquivalent().anchorNode()->renderer()->isBR()) {
+        if (auto* renderer = visiblePos.deepEquivalent().anchorNode()->renderer(); renderer && renderer->isBR()) {
             setEndingSelection(VisibleSelection(insertionPosition, Affinity::Downstream, endingSelection().isDirectional()));
             return;
         }
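
Review bot: On the changed `if` line only the result of `renderer()` is guarded; `visiblePos.deepEquivalent().anchorNode()` is still dereferenced unconditionally, so if `anchorNode()` can return null here the crash simply moves one call to the left. Suggest binding the node first and testing both it and its renderer, or noting why the anchor node cannot be null at this point. It is also worth confirming that, when the renderer is null, skipping the `setEndingSelection(...)` and `return` and falling through to the code after this block is the intended behaviour and not just the non-crashing one.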