Title: [274472] trunk
- Revision
- 274472
- Author
- commit-qu...@webkit.org
- Date
- 2021-03-16 05:20:31 -0700 (Tue, 16 Mar 2021)
Log Message
Crash in makeBoundaryPoint via ReplaceSelectionCommand::insertedContentRange
https://bugs.webkit.org/show_bug.cgi?id=221509
Patch by Frederic Wang <fw...@igalia.com> on 2021-03-16
Reviewed by Ryosuke Niwa.
Source/WebCore:
WebCore::ReplaceSelectionCommand::doApply() saves start/end positions of inserted content
into m_startOfInsertedContent and m_endOfInsertedContent. At the end, it calls
ReplaceSelectionCommand::completeHTMLReplacement() which in turn may deep clone part of the
inserted content, in order to apply style. This then results in the start/end anchor nodes
becoming orphaned, causing a nullptr dereference later in the code. Ideally, the anchor nodes
should be moved to the cloned nodes but this patch only works around the issue by resetting
the start/end positions.
Test: fast/editing/replace-selection-and-apply-style-crash.html
* editing/ReplaceSelectionCommand.cpp:
(WebCore::ReplaceSelectionCommand::completeHTMLReplacement): If one of the anchor nodes
became orphan, just clear m_startOfInsertedContent and m_endOfInsertedContent.
LayoutTests:
Add a regression test.
* fast/editing/replace-selection-and-apply-style-crash-expected.txt: Added.
* fast/editing/replace-selection-and-apply-style-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (274471 => 274472)
--- trunk/LayoutTests/ChangeLog 2021-03-16 09:04:21 UTC (rev 274471)
+++ trunk/LayoutTests/ChangeLog 2021-03-16 12:20:31 UTC (rev 274472)
@@ -1,3 +1,15 @@
+2021-03-16 Frederic Wang <fw...@igalia.com>
+
+ Crash in makeBoundaryPoint via ReplaceSelectionCommand::insertedContentRange
+ https://bugs.webkit.org/show_bug.cgi?id=221509
+
+ Reviewed by Ryosuke Niwa.
+
+ Add a regression test.
+
+ * fast/editing/replace-selection-and-apply-style-crash-expected.txt: Added.
+ * fast/editing/replace-selection-and-apply-style-crash.html: Added.
+
2021-03-16 Youenn Fablet <you...@apple.com>
[ macOs Wk1 ] http/wpt/filereader/filereader-stop.html is a flakey text failure
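Review bot: the LayoutTests ChangeLog entry ("Add a regression test.") says nothing about what the test exercises; since the bug title and the WebCore entry already name the code path (style matching during completeHTMLReplacement), a one-line description here, e.g. "Add a regression test that pastes as plain text into a document with designMode on after restyling the head elements", would make the test's purpose findable from the log alone.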
Added: trunk/LayoutTests/fast/editing/replace-selection-and-apply-style-crash-expected.txt (0 => 274472)
--- trunk/LayoutTests/fast/editing/replace-selection-and-apply-style-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/editing/replace-selection-and-apply-style-crash-expected.txt 2021-03-16 12:20:31 UTC (rev 274472)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: This test passes if it does not crash.
+
+
+
Added: trunk/LayoutTests/fast/editing/replace-selection-and-apply-style-crash.html (0 => 274472)
--- trunk/LayoutTests/fast/editing/replace-selection-and-apply-style-crash.html (rev 0)
+++ trunk/LayoutTests/fast/editing/replace-selection-and-apply-style-crash.html 2021-03-16 12:20:31 UTC (rev 274472)
@@ -0,0 +1,17 @@
+<meta>
+<style>
+</style>
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ console.log("This test passes if it does not crash.")
+ _onload_ = () => {
+ document.styleSheets[0].insertRule(`head, script, meta, input { display: block; }`);
+ document.styleSheets[0].insertRule(`input { text-indent: 1px; }`);
+ document.querySelector('meta').appendChild(document.createElement('input'));
+ document.execCommand('SelectAll');
+ document.designMode = 'on';
+ document.execCommand('Copy');
+ document.execCommand('PasteAsPlainText');
+ };
+</script>
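Review bot: the test gives no hint which of the execCommand steps is the one that triggers the orphaned anchor nodes, so a future reader cannot tell which lines may be simplified without losing coverage; add a short comment above the `_onload_` handler pointing at https://bugs.webkit.org/show_bug.cgi?id=221509 and stating that the final `PasteAsPlainText` with `designMode` on is the step that reaches ReplaceSelectionCommand. Minor style: the `console.log(...)` call on the line after `testRunner.dumpAsText();` is missing its trailing semicolon, unlike the surrounding statements.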
Modified: trunk/Source/WebCore/ChangeLog (274471 => 274472)
--- trunk/Source/WebCore/ChangeLog 2021-03-16 09:04:21 UTC (rev 274471)
+++ trunk/Source/WebCore/ChangeLog 2021-03-16 12:20:31 UTC (rev 274472)
@@ -1,3 +1,24 @@
+2021-03-16 Frederic Wang <fw...@igalia.com>
+
+ Crash in makeBoundaryPoint via ReplaceSelectionCommand::insertedContentRange
+ https://bugs.webkit.org/show_bug.cgi?id=221509
+
+ Reviewed by Ryosuke Niwa.
+
+ WebCore::ReplaceSelectionCommand::doApply() saves start/end positions of inserted content
+ into m_startOfInsertedContent and m_endOfInsertedContent. At the end, it calls
+ ReplaceSelectionCommand::completeHTMLReplacement() which in turn may deep clone part of the
+ inserted content, in order to apply style. This then result in the start/end anchor nodes
+ becoming orphan, causing nullptr dereference later in the code. Ideally, the anchor nodes
+ should be moved to the cloned nodes but this patch only works around the issue by resetting
+ the start/end positions.
+
+ Test: fast/editing/replace-selection-and-apply-style-crash.html
+
+ * editing/ReplaceSelectionCommand.cpp:
+ (WebCore::ReplaceSelectionCommand::completeHTMLReplacement): If one of the anchor nodes
+ became orphan, just clear m_startOfInsertedContent and m_endOfInsertedContent.
+
2021-03-16 Lauro Moura <lmo...@igalia.com>
[SOUP] Fix SOUP3 debug build
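Review bot: the description of the change does not match the code it documents: the entry says "just clear m_startOfInsertedContent and m_endOfInsertedContent", but the diff in ReplaceSelectionCommand.cpp assigns them from `endingSelection().start()` and `endingSelection().end()` rather than clearing them. Reword to "reset them to the ending selection" so the ChangeLog does not mislead someone later reading insertedContentRange() callers. Also a grammar nit in the paragraph: "This then result in the start/end anchor nodes becoming orphan" should read "This then results in ... becoming orphaned".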
Modified: trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp (274471 => 274472)
--- trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp 2021-03-16 09:04:21 UTC (rev 274471)
+++ trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp 2021-03-16 12:20:31 UTC (rev 274472)
@@ -1583,6 +1583,13 @@
if (m_matchStyle) {
ASSERT(m_insertionStyle);
applyStyle(m_insertionStyle.get(), start, end);
+ // applyStyle may clone content to new block wrappers and make anchor nodes orphan.
+ if (start.isOrphan() || end.isOrphan()) {
+ start = endingSelection().start();
+ end = endingSelection().end();
+ m_startOfInsertedContent = start;
+ m_endOfInsertedContent = end;
+ }
}
if (lastPositionToSelect.isNotNull())
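Review bot: the fallback silently changes what m_startOfInsertedContent/m_endOfInsertedContent mean when either anchor is orphaned: both members are overwritten with the ending selection's boundaries, which is not necessarily the range of the inserted content, so callers of insertedContentRange() (the crash site named in the title) now receive a different range in this case. Since the ChangeLog itself calls this a workaround and says the anchors should ideally move to the cloned nodes, a `// FIXME:` with the bug URL next to the new comment would record that the right fix is still pending. It would also help to state in the comment why the ending selection is a safe substitute here, i.e. that applyStyle() leaves the ending selection anchored in live nodes, as nothing in the hunk otherwise justifies the choice.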
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes