Title: [284739] trunk
Revision
284739
Author
commit-qu...@webkit.org
Date
2021-10-22 20:57:49 -0700 (Fri, 22 Oct 2021)

Log Message

Source/WebCore:
https://bugs.webkit.org/show_bug.cgi?id=232177
Check if start and end positions are still valid after updating them through mergeEndWithNextIfIdentical

Patch by Gabriel Nava Marino <gnavamar...@apple.com> on 2021-10-22
Reviewed by Alan Bujtas.

We currently check if start and end positions are still valid after
updating them through mergeEndWithNextIfIdentical, but not through
mergeStartWithPreviousIfIdentical. Add this check to avoid trying to
deref a nullptr in ApplyStyleCommand::mergeEndWithNextIfIdentical.

Test: fast/editing/create-link-inline-style-change-crash-001.html

* editing/ApplyStyleCommand.cpp:
(WebCore::ApplyStyleCommand::applyInlineStyle):

LayoutTests:
Check if start and end positions are still valid after updating them through mergeStartWithPreviousIfIdentical
https://bugs.webkit.org/show_bug.cgi?id=232177

Patch by Gabriel Nava Marino <gnavamar...@apple.com> on 2021-10-22
Reviewed by Alan Bujtas.

* fast/editing/create-link-inline-style-change-crash-001-expected.txt: Added.
* fast/editing/create-link-inline-style-change-crash-001.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (284738 => 284739)


--- trunk/LayoutTests/ChangeLog	2021-10-23 03:25:23 UTC (rev 284738)
+++ trunk/LayoutTests/ChangeLog	2021-10-23 03:57:49 UTC (rev 284739)
@@ -1,3 +1,13 @@
+2021-10-22  Gabriel Nava Marino  <gnavamar...@apple.com>
+
+        Check if start and end positions are still valid after updating them through mergeStartWithPreviousIfIdentical
+        https://bugs.webkit.org/show_bug.cgi?id=232177
+
+        Reviewed by Alan Bujtas.
+
+        * fast/editing/create-link-inline-style-change-crash-001-expected.txt: Added.
+        * fast/editing/create-link-inline-style-change-crash-001.html: Added.
+
 2021-10-22  Simon Fraser  <simon.fra...@apple.com>
 
         Content offset in this codepen when switching tabs
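Review bot: The title line of this LayoutTests ChangeLog entry ("...through mergeStartWithPreviousIfIdentical") does not match the title used for the same bug in the Source/WebCore ChangeLog entry of this commit ("...through mergeEndWithNextIfIdentical"). The description in the Source/WebCore entry says the missing check is the one after mergeStartWithPreviousIfIdentical, so this title is the accurate one; the two entries should carry the same title, and the commit log's first line should match as well.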

Added: trunk/LayoutTests/fast/editing/create-link-inline-style-change-crash-001-expected.txt (0 => 284739)


--- trunk/LayoutTests/fast/editing/create-link-inline-style-change-crash-001-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/editing/create-link-inline-style-change-crash-001-expected.txt	2021-10-23 03:57:49 UTC (rev 284739)
@@ -0,0 +1 @@
+PASS

Added: trunk/LayoutTests/fast/editing/create-link-inline-style-change-crash-001.html (0 => 284739)


--- trunk/LayoutTests/fast/editing/create-link-inline-style-change-crash-001.html	                        (rev 0)
+++ trunk/LayoutTests/fast/editing/create-link-inline-style-change-crash-001.html	2021-10-23 03:57:49 UTC (rev 284739)
@@ -0,0 +1,28 @@
+<style>
+  span {
+    display: table-cell;
+  }
+  :not(span) {
+    float: left;
+  }
+  ::first-letter {
+    width: 0;
+  }
+  :first-child {
+    -webkit-user-select: none;
+  }
+</style>
+<script>
+  _onload_ = () => {
+    document.execCommand('SelectAll');
+    document.designMode = 'on';
+    document.execCommand('InsertText', false, 'aa');
+    document.execCommand('InsertOrderedList');
+    document.execCommand('CreateLink', false, '#xyz');
+    document.execCommand('JustifyFull');
+    document.execCommand('CreateLink', false, '#');
+    document.write("PASS");
+    if (window.testRunner)
+        testRunner.dumpAsText();
+  };
+</script>
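Review bot: Two things in the script block. First, the handler is assigned to `_onload_`, which is not the window `onload` property and so would never run as written; if this is rendering damage from the archive, the source should be checked to confirm it reads `onload = () => {`. Second, `testRunner.dumpAsText()` is called only after `document.write("PASS")` has replaced the document; the conventional layout-test pattern is to call `testRunner.dumpAsText()` at the top of the script, before the execCommand sequence, so the text-only mode is set regardless of how far the sequence gets before a crash. The test otherwise exercises exactly the path the ChangeLog describes (CreateLink applied twice on a selection that has been restructured by InsertOrderedList and JustifyFull).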

Modified: trunk/Source/WebCore/ChangeLog (284738 => 284739)


--- trunk/Source/WebCore/ChangeLog	2021-10-23 03:25:23 UTC (rev 284738)
+++ trunk/Source/WebCore/ChangeLog	2021-10-23 03:57:49 UTC (rev 284739)
@@ -1,3 +1,20 @@
+2021-10-22  Gabriel Nava Marino  <gnavamar...@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=232177
+        Check if start and end positions are still valid after updating them through mergeEndWithNextIfIdentical
+
+        Reviewed by Alan Bujtas.
+
+        We currently check if start and end positions are still valid after
+        updating them through mergeEndWithNextIfIdentical, but not through
+        mergeStartWithPreviousIfIdentical. Add this check to avoid trying to
+        deref a nullptr in ApplyStyleCommand::mergeEndWithNextIfIdentical.
+
+        Test: fast/editing/create-link-inline-style-change-crash-001.html
+
+        * editing/ApplyStyleCommand.cpp:
+        (WebCore::ApplyStyleCommand::applyInlineStyle):
+
 2021-10-22  Simon Fraser  <simon.fra...@apple.com>
 
         Content offset in this codepen when switching tabs
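Review bot: The title of this entry names mergeEndWithNextIfIdentical, but the description two lines below says the check that is missing is the one after mergeStartWithPreviousIfIdentical (the one after mergeEndWithNextIfIdentical already exists); the title should name mergeStartWithPreviousIfIdentical, matching the LayoutTests ChangeLog entry in this same commit. The last sentence is correct as written, since the nullptr deref is hit later in mergeEndWithNextIfIdentical when it is handed the stale positions.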

Modified: trunk/Source/WebCore/editing/ApplyStyleCommand.cpp (284738 => 284739)


--- trunk/Source/WebCore/editing/ApplyStyleCommand.cpp	2021-10-23 03:25:23 UTC (rev 284738)
+++ trunk/Source/WebCore/editing/ApplyStyleCommand.cpp	2021-10-23 03:57:49 UTC (rev 284739)
@@ -636,6 +636,9 @@
         end = endPosition();
     }
 
+    if (start.isNull() || end.isNull())
+        return;
+    
     if (splitEnd) {
         mergeEndWithNextIfIdentical(start, end);
         start = startPosition();
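Review bot: The added null check is placed right after `start`/`end` are re-read from `startPosition()`/`endPosition()` and before `mergeEndWithNextIfIdentical(start, end)` is called, which is where the ChangeLog says the nullptr deref occurs, so the guard is in the right spot and mirrors the existing post-merge check. Two small points: the blank line `+    ` carries trailing whitespace and should be an empty line; and a one-line comment above the check (e.g. "The merge can remove the nodes the positions anchor to, leaving them null") would tell the next reader why an early return is correct here rather than an ASSERT.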
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes