[webkit-changes] [282951] trunk/Source/WebCore

[svillar]

Title: [282951] trunk/Source/WebCore

Revision

282951

Author

svil...@igalia.com

Date

2021-09-23 01:16:36 -0700 (Thu, 23 Sep 2021)

Log Message

Improve the handling of CompositeEditCommand::splitTreeToNode() return values
https://bugs.webkit.org/show_bug.cgi?id=229470

Reviewed by Darin Adler.

splitTreeToNode() might return nullptr because, among other things, it might insert/remove nodes in
the DOM tree. It's well known that by doing so we're allowing the execution of arbitrary scripts
(see didFinishInsertingNode() for example). This means that there is a possibility that the node
that it's being splitted is no longer part of the DOM tree by the time splitTreeToNode() returns.
That's why we should bail out in those cases.

* editing/FormatBlockCommand.cpp:
(WebCore::FormatBlockCommand::formatRange):

Modified Paths

• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/editing/FormatBlockCommand.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (282950 => 282951)

--- trunk/Source/WebCore/ChangeLog	2021-09-23 06:58:52 UTC (rev 282950)
+++ trunk/Source/WebCore/ChangeLog	2021-09-23 08:16:36 UTC (rev 282951)
@@ -1,3 +1,19 @@
+2021-09-09  Sergio Villar Senin  <svil...@igalia.com>
+
+        Improve the handling of CompositeEditCommand::splitTreeToNode() return values
+        https://bugs.webkit.org/show_bug.cgi?id=229470
+
+        Reviewed by Darin Adler.
+
+        splitTreeToNode() might return nullptr because, among other things, it might insert/remove nodes in
+        the DOM tree. It's well known that by doing so we're allowing the execution of arbitrary scripts
+        (see didFinishInsertingNode() for example). This means that there is a possibility that the node
+        that it's being splitted is no longer part of the DOM tree by the time splitTreeToNode() returns.
+        That's why we should bail out in those cases.
+
+        * editing/FormatBlockCommand.cpp:
+        (WebCore::FormatBlockCommand::formatRange):
+
 2021-09-22  Jean-Yves Avenard  <j...@apple.com>
 
         Make SharedBuffer inherit from ThreadSafeRefCounted

Modified: trunk/Source/WebCore/editing/FormatBlockCommand.cpp (282950 => 282951)

--- trunk/Source/WebCore/editing/FormatBlockCommand.cpp	2021-09-23 06:58:52 UTC (rev 282950)
+++ trunk/Source/WebCore/editing/FormatBlockCommand.cpp	2021-09-23 08:16:36 UTC (rev 282951)
@@ -66,6 +66,9 @@
     Node* nodeToSplitTo = enclosingBlockToSplitTreeTo(start.deprecatedNode());
     ASSERT(nodeToSplitTo);
     RefPtr<Node> outerBlock = (start.deprecatedNode() == nodeToSplitTo) ? start.deprecatedNode() : splitTreeToNode(*start.deprecatedNode(), *nodeToSplitTo);
+    if (!outerBlock)
+        return;
+
     RefPtr<Node> nodeAfterInsertionPosition = outerBlock;
 
     auto range = makeSimpleRange(start, endOfSelection);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes