Title: [279110] trunk
Revision
279110
Author
[email protected]
Date
2021-06-22 02:06:14 -0700 (Tue, 22 Jun 2021)

Log Message

Nullptr crash in null ptr deref in ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline
https://bugs.webkit.org/show_bug.cgi?id=226799

Patch by Frédéric Wang <[email protected]> on 2021-06-22
Reviewed by Ryosuke Niwa.

Source/WebCore:

Various places in ReplaceSelectionCommand::doApply() may execute mutation events and lead
to nodes being removed. This patch adds one more early return after the call to
makeInsertedContentRoundTrippableWithHTMLTreeBuilder() to ensure that the function
removeRedundantStylesAndKeepStyleSpanInline() is properly executed.

Test: fast/editing/paste-and-indent-microtask-crash.html

* editing/ReplaceSelectionCommand.cpp:
(WebCore::ReplaceSelectionCommand::doApply):

LayoutTests:

Add regression test.

* fast/editing/paste-and-indent-microtask-crash-expected.txt: Added.
* fast/editing/paste-and-indent-microtask-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (279109 => 279110)


--- trunk/LayoutTests/ChangeLog	2021-06-22 08:37:12 UTC (rev 279109)
+++ trunk/LayoutTests/ChangeLog	2021-06-22 09:06:14 UTC (rev 279110)
@@ -1,3 +1,15 @@
+2021-06-22  Frédéric Wang  <[email protected]>
+
+        Nullptr crash in null ptr deref in ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline
+        https://bugs.webkit.org/show_bug.cgi?id=226799
+
+        Reviewed by Ryosuke Niwa.
+
+        Add regression test.
+
+        * fast/editing/paste-and-indent-microtask-crash-expected.txt: Added.
+        * fast/editing/paste-and-indent-microtask-crash.html: Added.
+
 2021-06-22  Arcady Goldmints-Orlov  <[email protected]>
 
         [GLIB] Unreviewed test gardening. Update baselines after r278931.

Added: trunk/LayoutTests/fast/editing/paste-and-indent-microtask-crash-expected.txt (0 => 279110)


--- trunk/LayoutTests/fast/editing/paste-and-indent-microtask-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/editing/paste-and-indent-microtask-crash-expected.txt	2021-06-22 09:06:14 UTC (rev 279110)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: This test passes if it does not crash.
+
+

Added: trunk/LayoutTests/fast/editing/paste-and-indent-microtask-crash.html (0 => 279110)


--- trunk/LayoutTests/fast/editing/paste-and-indent-microtask-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/editing/paste-and-indent-microtask-crash.html	2021-06-22 09:06:14 UTC (rev 279110)
@@ -0,0 +1,23 @@
+<script>
+  if (window.testRunner)
+    testRunner.dumpAsText();
+  console.log("This test passes if it does not crash.")
+  _onload_ = () => {
+    let h1 = document.createElement('h1');
+    document.body.appendChild(h1);
+    h1.appendChild(document.createElement('input'));
+    h1.appendChild(document.createElement('div'));
+    let h2 = document.createElement('h2');
+    document.body.appendChild(h2);
+    let h3 = document.createElement('h3');
+    h2.appendChild(h3);
+    document.execCommand('SelectAll');
+    h3.appendChild(document.createElement('iframe'));
+    queueMicrotask(() => {
+      document.execCommand('Indent');
+    });
+    document.designMode = 'on';
+    document.execCommand('Copy');
+    document.execCommand('Paste');
+  };
+</script>
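Review bot: `_onload_ = () => {` (fifth line of the script) assigns the handler to a global named `_onload_`, not to `window.onload`, so as shown the body never runs and the test passes vacuously; if this is a rendering artifact of `onload = () => {` it is fine, otherwise it should be `onload = () => {` (or `window.onload = ...`). Related: `console.log("This test passes if it does not crash.")` runs before the handler is even installed and is what produces the CONSOLE MESSAGE line in the expectations, so the expected output does not prove the paste path was exercised; logging after `document.execCommand('Paste')` returns would make a silently skipped handler show up as a diff.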

Modified: trunk/Source/WebCore/ChangeLog (279109 => 279110)


--- trunk/Source/WebCore/ChangeLog	2021-06-22 08:37:12 UTC (rev 279109)
+++ trunk/Source/WebCore/ChangeLog	2021-06-22 09:06:14 UTC (rev 279110)
@@ -1,3 +1,20 @@
+2021-06-22  Frédéric Wang  <[email protected]>
+
+        Nullptr crash in null ptr deref in ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline
+        https://bugs.webkit.org/show_bug.cgi?id=226799
+
+        Reviewed by Ryosuke Niwa.
+
+        Various places in ReplaceSelectionCommand::doApply() may execute mutation events and lead
+        to nodes being removed. This patch adds one more early return after the call to
+        makeInsertedContentRoundTrippableWithHTMLTreeBuilder() to ensure that the function
+        removeRedundantStylesAndKeepStyleSpanInline() is properly executed.
+
+        Test: fast/editing/paste-and-indent-microtask-crash.html
+
+        * editing/ReplaceSelectionCommand.cpp:
+        (WebCore::ReplaceSelectionCommand::doApply):
+
 2021-06-22  Cathie Chen  <[email protected]>
 
         Implement width and height attributes on source elements of <picture>

Modified: trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp (279109 => 279110)


--- trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp	2021-06-22 08:37:12 UTC (rev 279109)
+++ trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp	2021-06-22 09:06:14 UTC (rev 279110)
@@ -1355,6 +1355,8 @@
     makeInsertedContentRoundTrippableWithHTMLTreeBuilder(insertedNodes);
     if (insertedNodes.isEmpty())
         return;
+    if (!insertedNodes.firstNodeInserted()->isConnected())
+        return;
 
     if (needsColorTransformed)
         inverseTransformColor(insertedNodes);
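Review bot: the new `isConnected()` guard checks only `firstNodeInserted()`, but a mutation event fired inside `makeInsertedContentRoundTrippableWithHTMLTreeBuilder()` can just as well detach a later inserted node while leaving the first one in the tree, in which case `removeRedundantStylesAndKeepStyleSpanInline()` (and `inverseTransformColor()`, which this early return now also skips) would still walk a partly disconnected subtree. Consider checking the last inserted node too (e.g. via `lastLeafInserted()` if that accessor is available), and fold the two conditions into one early return with a comment stating why a disconnected first node means the insertion is abandoned; as written the second `if` reads as a restatement of the first. Note also that `firstNodeInserted()` is dereferenced unconditionally, which is only safe because of the `isEmpty()` check immediately above; worth a one-line comment so the two checks are not reordered later.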
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes