Title: [282074] trunk
- Revision: 282074
- Author: commit-qu...@webkit.org
- Date: 2021-09-07 00:06:26 -0700 (Tue, 07 Sep 2021)
Log Message
Nullptr crash in CSSValue::cssText() via DeleteSelectionCommand::calculateTypingStyleAfterDelete
https://bugs.webkit.org/show_bug.cgi?id=229281
Patch by Rob Buis <rb...@igalia.com> on 2021-09-07
Reviewed by Ryosuke Niwa.
Source/WebCore:
Null check the CSSValue in EditingStyle::init.
Test: editing/deleting/forward-delete-crash.html
* editing/EditingStyle.cpp:
(WebCore::EditingStyle::init):
LayoutTests:
* editing/deleting/forward-delete-crash-expected.txt: Added.
* editing/deleting/forward-delete-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (282073 => 282074)
--- trunk/LayoutTests/ChangeLog 2021-09-07 06:34:35 UTC (rev 282073)
+++ trunk/LayoutTests/ChangeLog 2021-09-07 07:06:26 UTC (rev 282074)
@@ -1,3 +1,13 @@
+2021-09-07 Rob Buis <rb...@igalia.com>
+
+ Nullptr crash in CSSValue::cssText() via DeleteSelectionCommand::calculateTypingStyleAfterDelete
+ https://bugs.webkit.org/show_bug.cgi?id=229281
+
+ Reviewed by Ryosuke Niwa.
+
+ * editing/deleting/forward-delete-crash-expected.txt: Added.
+ * editing/deleting/forward-delete-crash.html: Added.
+
2021-09-06 Antti Koivisto <an...@apple.com>
Add layout test for performance of adding children to a shadow host
Added: trunk/LayoutTests/editing/deleting/forward-delete-crash-expected.txt (0 => 282074)
--- trunk/LayoutTests/editing/deleting/forward-delete-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/deleting/forward-delete-crash-expected.txt 2021-09-07 07:06:26 UTC (rev 282074)
@@ -0,0 +1 @@
+Test passes if it does not crash.
Added: trunk/LayoutTests/editing/deleting/forward-delete-crash.html (0 => 282074)
--- trunk/LayoutTests/editing/deleting/forward-delete-crash.html (rev 0)
+++ trunk/LayoutTests/editing/deleting/forward-delete-crash.html 2021-09-07 07:06:26 UTC (rev 282074)
@@ -0,0 +1,43 @@
+<style>
+ :last-of-type {
+ height: 1px;
+ display: block;
+ }
+@font-face {
+ font-family: "Ahem";
+ src: url("../../resources/Ahem.ttf");
+}
+</style>
+<script>
+ if (window.testRunner) {
+ window.testRunner.dumpAsText();
+ window.testRunner.waitUntilDone();
+ }
+ _onload_ = async () => {
+ document.designMode = 'on';
+ let img0 = document.createElement('img');
+ img0._onerror_ = () => {
+ document.execCommand('ForwardDelete');
+ setTimeout(function() { window.testRunner.notifyDone(); }, 0);
+ document.write("Test passes if it does not crash.");
+ };
+ let datalist0 = document.createElement('datalist');
+ document.head.appendChild(datalist0);
+ document.head.appendChild(document.createElement('datalist'));
+ img0.src = '';
+ let embed0 = document.createElement('embed');
+ embed0.src = '';
+ datalist0.appendChild(embed0);
+ if (navigator.platform.indexOf('Mac') == 0 && window.caches)
+ await caches.has('a');
+ else
+ await document.fonts.load("80px Ahem");
+ img0.src = '';
+ getSelection().selectAllChildren(datalist0);
+ if (navigator.platform.indexOf('Mac') == 0 && window.caches)
+ await caches.has('a');
+ else
+ await document.fonts.load("80px Ahem");
+ document.execCommand('Delete');
+ };
+</script>
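Review bot: In the img0 error handler, `window.testRunner.notifyDone()` is called from the setTimeout callback without the `window.testRunner` guard used at the top of the script, so opening the test by hand in a browser throws a TypeError there; guard it the same way, for example `if (window.testRunner) window.testRunner.notifyDone();`. The Mac/`caches.has` versus `document.fonts.load` branch appears twice verbatim and would read better as one small helper with a comment saying why the await is needed to reach the crashing state. As rendered on this page the handlers are spelled `_onload_` and `_onerror_`; if that spelling is in the committed file, neither handler is registered and the test times out waiting for notifyDone instead of exercising ForwardDelete.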
Modified: trunk/Source/WebCore/ChangeLog (282073 => 282074)
--- trunk/Source/WebCore/ChangeLog 2021-09-07 06:34:35 UTC (rev 282073)
+++ trunk/Source/WebCore/ChangeLog 2021-09-07 07:06:26 UTC (rev 282074)
@@ -1,3 +1,17 @@
+2021-09-07 Rob Buis <rb...@igalia.com>
+
+ Nullptr crash in CSSValue::cssText() via DeleteSelectionCommand::calculateTypingStyleAfterDelete
+ https://bugs.webkit.org/show_bug.cgi?id=229281
+
+ Reviewed by Ryosuke Niwa.
+
+ Null check the CSSValue in EditingStyle::init.
+
+ Test: editing/deleting/forward-delete-crash.html
+
+ * editing/EditingStyle.cpp:
+ (WebCore::EditingStyle::init):
+
2021-09-06 Alan Bujtas <za...@apple.com>
[LFC][Integration] Remove redundant NonRootInlineBox
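Review bot: The description line "Null check the CSSValue in EditingStyle::init." records the guard but not the cause. Add a sentence on why the font-size value can be null at this point, so the ChangeLog explains the crash path named in the title rather than only the fix.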
Modified: trunk/Source/WebCore/editing/EditingStyle.cpp (282073 => 282074)
--- trunk/Source/WebCore/editing/EditingStyle.cpp 2021-09-07 06:34:35 UTC (rev 282073)
+++ trunk/Source/WebCore/editing/EditingStyle.cpp 2021-09-07 07:06:26 UTC (rev 282074)
@@ -477,8 +477,10 @@
if (node && node->computedStyle()) {
auto* renderStyle = node->computedStyle();
removeTextFillAndStrokeColorsIfNeeded(renderStyle);
- if (renderStyle->fontDescription().keywordSize())
- m_mutableStyle->setProperty(CSSPropertyFontSize, computedStyleAtPosition.getFontSizeCSSValuePreferringKeyword()->cssText());
+ if (renderStyle->fontDescription().keywordSize()) {
+ if (auto cssValue = computedStyleAtPosition.getFontSizeCSSValuePreferringKeyword())
+ m_mutableStyle->setProperty(CSSPropertyFontSize, cssValue->cssText());
+ }
}
m_shouldUseFixedDefaultFontSize = computedStyleAtPosition.useFixedFontDefaultSize();
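Review bot: In the new inner `if`, a null return from `getFontSizeCSSValuePreferringKeyword()` now silently skips the `setProperty(CSSPropertyFontSize, ...)` call even though `keywordSize()` is non-zero, so this branch leaves font-size unset in exactly the case that used to crash. Add a short comment stating when the getter returns null and that skipping the property is the intended result, since `auto cssValue` gives the reader no hint about either. The removed line shows the getter's result was dereferenced unconditionally here, so its other call sites are worth checking for the same pattern.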