Title: [281745] trunk
Revision
281745
Author
[email protected]
Date
2021-08-29 10:38:29 -0700 (Sun, 29 Aug 2021)

Log Message

Nullptr crash in ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline
https://bugs.webkit.org/show_bug.cgi?id=229280

Patch by Rob Buis <[email protected]> on 2021-08-29
Reviewed by Ryosuke Niwa.

Source/WebCore:

Null check context in removeRedundantStylesAndKeepStyleSpanInline
since the parent node can be null.

Test: editing/selection/replace-selection-crash-02.html

* editing/ReplaceSelectionCommand.cpp:
(WebCore::ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline):

LayoutTests:

* editing/selection/replace-selection-crash-02-expected.txt: Added.
* editing/selection/replace-selection-crash-02.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (281744 => 281745)


--- trunk/LayoutTests/ChangeLog	2021-08-29 16:10:25 UTC (rev 281744)
+++ trunk/LayoutTests/ChangeLog	2021-08-29 17:38:29 UTC (rev 281745)
@@ -1,3 +1,13 @@
+2021-08-29  Rob Buis  <[email protected]>
+
+        Nullptr crash in ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline
+        https://bugs.webkit.org/show_bug.cgi?id=229280
+
+        Reviewed by Ryosuke Niwa.
+
+        * editing/selection/replace-selection-crash-02-expected.txt: Added.
+        * editing/selection/replace-selection-crash-02.html: Added.
+
 2021-08-28  Simon Fraser  <[email protected]>
 
         Zooming browser does not properly scale SVG clip paths

Added: trunk/LayoutTests/editing/selection/replace-selection-crash-02-expected.txt (0 => 281745)


--- trunk/LayoutTests/editing/selection/replace-selection-crash-02-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/selection/replace-selection-crash-02-expected.txt	2021-08-29 17:38:29 UTC (rev 281745)
@@ -0,0 +1 @@
+Test passes if it does not crash.

Added: trunk/LayoutTests/editing/selection/replace-selection-crash-02.html (0 => 281745)


--- trunk/LayoutTests/editing/selection/replace-selection-crash-02.html	                        (rev 0)
+++ trunk/LayoutTests/editing/selection/replace-selection-crash-02.html	2021-08-29 17:38:29 UTC (rev 281745)
@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<style>
+sub {
+    -webkit-user-select: all;
+}
+.div {
+     overflow: scroll;
+}
+</style>
+<script>
+_onload_ = () => {
+    if (window.testRunner)
+        window.testRunner.dumpAsText();
+    let div = document.createElement('div');
+    div.className = 'div';
+    document.body.appendChild(div);
+    let span0 = document.createElement('span');
+    document.body.appendChild(span0);
+    span0.appendChild(document.createElement('div'));
+    let span1 = document.createElement('span');
+    span0.appendChild(span1);
+    div = document.createElement('div');
+    div.className = 'div';
+    span1.appendChild(div);
+    div = document.createElement('div');
+    div.className = 'div';
+    document.body.appendChild(div);
+    document.designMode = 'on';
+    document.execCommand('SelectAll');
+    document.execCommand('Subscript');
+    document.execCommand('Copy');
+    document.execCommand('Paste');
+    document.write("Test passes if it does not crash.");
+};
+</script>
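Review bot: The handler in this hunk is assigned to `_onload_` as rendered, which would only create an unrelated global and never run; this is almost certainly `onload` lost to formatting in the rendering of the diff, but it is worth confirming that the landed file reads `onload = () => {`, since a test that never executes its body passes vacuously and would not catch a regression. The DOM construction (a `div.div` under `body`, a `span` holding a `div` and a nested `span` that holds another `div.div`, then a third `div.div`) is otherwise opaque; a one-line comment stating which part of this shape leaves the style span without a parent during `Paste` would make the test maintainable. Minor: `document.write(...)` after load implicitly opens a fresh document, which is fine for a `dumpAsText` test but deserves a comment so nobody "fixes" it to `textContent` later.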

Modified: trunk/Source/WebCore/ChangeLog (281744 => 281745)


--- trunk/Source/WebCore/ChangeLog	2021-08-29 16:10:25 UTC (rev 281744)
+++ trunk/Source/WebCore/ChangeLog	2021-08-29 17:38:29 UTC (rev 281745)
@@ -1,3 +1,18 @@
+2021-08-29  Rob Buis  <[email protected]>
+
+        Nullptr crash in ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline
+        https://bugs.webkit.org/show_bug.cgi?id=229280
+
+        Reviewed by Ryosuke Niwa.
+
+        Null check context in removeRedundantStylesAndKeepStyleSpanInline
+        since the parent node can be null.
+
+        Test: editing/selection/replace-selection-crash-02.html
+
+        * editing/ReplaceSelectionCommand.cpp:
+        (WebCore::ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline):
+
 2021-08-29  Alan Bujtas  <[email protected]>
 
         [LFC][IFC] Make line runs relative to the formatting root border box.

Modified: trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp (281744 => 281745)


--- trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp	2021-08-29 16:10:25 UTC (rev 281744)
+++ trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp	2021-08-29 17:38:29 UTC (rev 281745)
@@ -664,8 +664,14 @@
 
             // If Mail wraps the fragment with a Paste as Quotation blockquote, or if you're pasting into a quoted region,
             // styles from blockquoteNode are allowed to override those from the source document, see <rdar://problem/4930986> and <rdar://problem/5089327>.
-            RefPtr<Node> blockquoteNode = isMailPasteAsQuotationNode(context.get()) ? context.get() : enclosingNodeOfType(firstPositionInNode(context.get()), isMailBlockquote, CanCrossEditingBoundary);
-            if (blockquoteNode)
+            auto hasBlockquoteNode = [&]() -> bool {
+                if (!context)
+                    return false;
+                if (isMailPasteAsQuotationNode(context.get()))
+                    return true;
+                return enclosingNodeOfType(firstPositionInNode(context.get()), isMailBlockquote, CanCrossEditingBoundary);
+            };
+            if (hasBlockquoteNode())
                 newInlineStyle->removeStyleFromRulesAndContext(*element, document().documentElement());
 
             newInlineStyle->removeStyleFromRulesAndContext(*element, context.get());
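Review bot: The new null check covers only the blockquote computation inside the lambda, yet the unchanged line right after the hunk, `newInlineStyle->removeStyleFromRulesAndContext(*element, context.get());`, still passes `context.get()`, which this change establishes can be null; confirm that callee tolerates a null context, or extend the early-out so the whole block is skipped when `!context`. Minor: the lambda captures everything by reference and is invoked exactly once, so a plain `bool hasBlockquoteNode = ...` would be simpler; and `return enclosingNodeOfType(...)` under `-> bool` relies on the implicit pointer-to-bool conversion, which compiles but reads clearer as `return !!enclosingNodeOfType(...)` or `return enclosingNodeOfType(...) != nullptr`.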
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes