Title: [276186] trunk
Revision
276186
Author
[email protected]
Date
2021-04-16 17:57:21 -0700 (Fri, 16 Apr 2021)

Log Message

Nullptr deref in CompositeEditCommand::isRemovableBlock in DeleteSelectionCommand::removeRedundantBlocks
https://bugs.webkit.org/show_bug.cgi?id=224518

Patch by Ian Gilbert <[email protected]> on 2021-04-16
Reviewed by Ryosuke Niwa.

Source/WebCore:

Add null check in case node is removed while iterating over tree.

Test: editing/execCommand/remove-node-during-command-crash.html

* editing/DeleteSelectionCommand.cpp:
(WebCore::DeleteSelectionCommand::removeRedundantBlocks):

LayoutTests:

Add a regression test.

* editing/execCommand/remove-node-during-command-crash-expected.txt: Added.
* editing/execCommand/remove-node-during-command-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (276185 => 276186)


--- trunk/LayoutTests/ChangeLog	2021-04-17 00:38:02 UTC (rev 276185)
+++ trunk/LayoutTests/ChangeLog	2021-04-17 00:57:21 UTC (rev 276186)
@@ -1,3 +1,15 @@
+2021-04-16  Ian Gilbert  <[email protected]>
+
+        Nullptr deref in CompositeEditCommand::isRemovableBlock in DeleteSelectionCommand::removeRedundantBlocks
+        https://bugs.webkit.org/show_bug.cgi?id=224518
+
+        Reviewed by Ryosuke Niwa.
+
+        Add a regression test.
+
+        * editing/execCommand/remove-node-during-command-crash-expected.txt: Added.
+        * editing/execCommand/remove-node-during-command-crash.html: Added.
+
 2021-04-16  Cameron McCormack  <[email protected]>
 
         Place vertical scrollbars at (inline/block)-end edge in all writing modes.

Added: trunk/LayoutTests/editing/execCommand/remove-node-during-command-crash-expected.txt (0 => 276186)


--- trunk/LayoutTests/editing/execCommand/remove-node-during-command-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/execCommand/remove-node-during-command-crash-expected.txt	2021-04-17 00:57:21 UTC (rev 276186)
@@ -0,0 +1 @@
+Test passes if it does not crash PASS

Added: trunk/LayoutTests/editing/execCommand/remove-node-during-command-crash.html (0 => 276186)


--- trunk/LayoutTests/editing/execCommand/remove-node-during-command-crash.html	                        (rev 0)
+++ trunk/LayoutTests/editing/execCommand/remove-node-during-command-crash.html	2021-04-17 00:57:21 UTC (rev 276186)
@@ -0,0 +1,27 @@
+<style>
+  br {
+    content: '';
+  }
+</style>
+<script>
+  _onload_ = () => {
+      
+    if (window.testRunner)
+      testRunner.dumpAsText();
+        
+    document.designMode = 'on';
+    document.execCommand('SelectAll');
+    document.execCommand('InsertImage', false, '#');
+    let ifr0 = document.createElement('iframe');
+    document.body.appendChild(ifr0);
+    ifr0._onload_ = () => {
+      document.execCommand('JustifyRight');
+    };
+    document.execCommand('InsertParagraph');
+    getSelection().extend(document.body);
+    document.execCommand('InsertParagraph');
+
+    document.write('Test passes if it does not crash\n');
+    document.write('PASS');
+  };
+</script>
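Review bot: the two blank lines inside the handler (the one right after `_onload_ = () => {` and the one after `testRunner.dumpAsText();`) carry trailing whitespace and should be genuinely empty, matching the rest of editing/execCommand. More importantly, the test carries no comment saying what it exercises: the only thing that distinguishes it from a plain sequence of execCommand calls is the iframe whose load handler re-enters the editor with `document.execCommand('JustifyRight')` while the later `InsertParagraph` commands are running, which is presumably the "node is removed while iterating over tree" case the ChangeLog entry describes. Without a one-line comment to that effect, a future cleanup could drop the apparently unused iframe and silently turn this regression test into a no-op. Also worth confirming that `_onload_` is only a rendering artifact of this archive for `onload`; as literally shown, the assignment creates a global named `_onload_` that is never invoked, and the test would pass vacuously without exercising anything.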

Modified: trunk/Source/WebCore/ChangeLog (276185 => 276186)


--- trunk/Source/WebCore/ChangeLog	2021-04-17 00:38:02 UTC (rev 276185)
+++ trunk/Source/WebCore/ChangeLog	2021-04-17 00:57:21 UTC (rev 276186)
@@ -1,3 +1,17 @@
+2021-04-16  Ian Gilbert  <[email protected]>
+
+        Nullptr deref in CompositeEditCommand::isRemovableBlock in DeleteSelectionCommand::removeRedundantBlocks
+        https://bugs.webkit.org/show_bug.cgi?id=224518
+
+        Reviewed by Ryosuke Niwa.
+
+        Add null check in case node is removed while iterating over tree.
+
+        Test: editing/execCommand/remove-node-during-command-crash.html
+
+        * editing/DeleteSelectionCommand.cpp:
+        (WebCore::DeleteSelectionCommand::removeRedundantBlocks):
+
 2021-04-16  Cameron McCormack  <[email protected]>
 
         Place vertical scrollbars at (inline/block)-end edge in all writing modes.

Modified: trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp (276185 => 276186)


--- trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp	2021-04-17 00:38:02 UTC (rev 276185)
+++ trunk/Source/WebCore/editing/DeleteSelectionCommand.cpp	2021-04-17 00:57:21 UTC (rev 276186)
@@ -865,11 +865,11 @@
 // This method removes div elements with no attributes that have only one child or no children at all.
 void DeleteSelectionCommand::removeRedundantBlocks()
 {
-    Node* node = m_endingPosition.containerNode();
-    Node* rootNode = node->rootEditableElement();
+    auto node = makeRefPtr(m_endingPosition.containerNode());
+    auto rootNode = makeRefPtr(node->rootEditableElement());
    
-    while (node != rootNode) {
-        if (isRemovableBlock(node)) {
+    while (node && node != rootNode) {
+        if (isRemovableBlock(node.get())) {
             if (node == m_endingPosition.anchorNode())
                 updatePositionForNodeRemovalPreservingChildren(m_endingPosition, *node);
             
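Review bot: the null check added to the loop condition does not cover the first dereference: `auto rootNode = makeRefPtr(node->rootEditableElement());` still calls through `node` unconditionally, so if `m_endingPosition.containerNode()` is already null on entry the function crashes before `while (node && node != rootNode)` is ever evaluated. Suggest an early `if (!node) return;` between the two `makeRefPtr` lines, or computing `rootNode` only after that check. Separately, switching to `RefPtr` keeps the node object alive across the removal but does not keep it attached to the tree, so the `node &&` test in the loop is what actually protects the walk toward `rootNode` once the parent chain has been cut; a short comment stating that intent would make the bare condition easier to maintain.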
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
