Title: [271787] trunk
- Revision
- 271787
- Author
- carlo...@webkit.org
- Date
- 2021-01-25 00:33:14 -0800 (Mon, 25 Jan 2021)
Log Message
Null Ptr Deref @ WebCore::ReplaceSelectionCommand::doApply
https://bugs.webkit.org/show_bug.cgi?id=218493
Reviewed by Youenn Fablet.
Source/WebCore:
Test: editing/execCommand/insert-image-replace-selection-crash.html
* editing/ReplaceSelectionCommand.cpp:
(WebCore::fragmentNeedsColorTransformed): Remove invalid assert.
(WebCore::ReplaceSelectionCommand::doApply): Null check insert position container node before using it.
LayoutTests:
* editing/execCommand/insert-image-replace-selection-crash-expected.txt: Added.
* editing/execCommand/insert-image-replace-selection-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (271786 => 271787)
--- trunk/LayoutTests/ChangeLog 2021-01-25 00:47:32 UTC (rev 271786)
+++ trunk/LayoutTests/ChangeLog 2021-01-25 08:33:14 UTC (rev 271787)
@@ -1,3 +1,13 @@
+2021-01-25 Carlos Garcia Campos <cgar...@igalia.com>
+
+ Null Ptr Deref @ WebCore::ReplaceSelectionCommand::doApply
+ https://bugs.webkit.org/show_bug.cgi?id=218493
+
+ Reviewed by Youenn Fablet.
+
+ * editing/execCommand/insert-image-replace-selection-crash-expected.txt: Added.
+ * editing/execCommand/insert-image-replace-selection-crash.html: Added.
+
2021-01-24 Simon Fraser <simon.fra...@apple.com>
[iOS WK2] theverge.com - rubber band scrolling at the top of the page causes an abrupt jump
Added: trunk/LayoutTests/editing/execCommand/insert-image-replace-selection-crash-expected.txt (0 => 271787)
--- trunk/LayoutTests/editing/execCommand/insert-image-replace-selection-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/execCommand/insert-image-replace-selection-crash-expected.txt 2021-01-25 08:33:14 UTC (rev 271787)
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.
Added: trunk/LayoutTests/editing/execCommand/insert-image-replace-selection-crash.html (0 => 271787)
--- trunk/LayoutTests/editing/execCommand/insert-image-replace-selection-crash.html (rev 0)
+++ trunk/LayoutTests/editing/execCommand/insert-image-replace-selection-crash.html 2021-01-25 08:33:14 UTC (rev 271787)
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+summary { -webkit-user-modify: read-write; }
+</style>
+<script src=""
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+function focushandler() {
+ document.activeElement.replaceWith("foo");
+}
+
+function runTest() {
+ window.getSelection().selectAllChildren(optgroup);
+ select.autofocus = true;
+ document.execCommand("insertImage", "#foo");
+ document.write("PASS. WebKit didn't crash.");
+}
+</script>
+</head>
+<body _onload_="runTest()">
+<details border="1px">
+<summary>
+<select id="select" _onfocus_="focushandler()">
+ <optgroup id="optgroup">content</optgroup>
+</select>
+<body>
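Review bot: the test markup as shown is not well formed, and the script that drives it has an argument-order slip. The `<script src=""` line has no closing `>` and no `</script>`, so the `<script>` that follows it is swallowed into that tag's attribute list and the `src` value is empty; `<summary>`, `<details>` and `<body>` are never closed, and the final `<body>` line reads as if it should be `</body></html>`. Separately, `document.execCommand("insertImage", "#foo")` passes the URL in the `showUI` slot; the signature is `execCommand(command, showUI, value)`, so this should be `document.execCommand("insertImage", false, "#foo")`. The handler attributes also appear here as `_onload_` and `_onfocus_`; if that is the file's actual content rather than list-archive rewriting, neither handler runs and the test never reaches the code path it is meant to exercise.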
Modified: trunk/Source/WebCore/ChangeLog (271786 => 271787)
--- trunk/Source/WebCore/ChangeLog 2021-01-25 00:47:32 UTC (rev 271786)
+++ trunk/Source/WebCore/ChangeLog 2021-01-25 08:33:14 UTC (rev 271787)
@@ -1,3 +1,16 @@
+2021-01-25 Carlos Garcia Campos <cgar...@igalia.com>
+
+ Null Ptr Deref @ WebCore::ReplaceSelectionCommand::doApply
+ https://bugs.webkit.org/show_bug.cgi?id=218493
+
+ Reviewed by Youenn Fablet.
+
+ Test: editing/execCommand/insert-image-replace-selection-crash.html
+
+ * editing/ReplaceSelectionCommand.cpp:
+ (WebCore::fragmentNeedsColorTransformed): Remove invalid assert.
+ (WebCore::ReplaceSelectionCommand::doApply): Null check insert position container node before using it.
+
2021-01-24 Simon Fraser <simon.fra...@apple.com>
[iOS WK2] theverge.com - rubber band scrolling at the top of the page causes an abrupt jump
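Review bot: the `doApply` entry documents only the container-node null check, but the patch also adds an `isEditablePosition(insertionPos)` guard in front of `insertNodeAt`; that second behavioural change should be listed here as well.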
Modified: trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp (271786 => 271787)
--- trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp 2021-01-25 00:47:32 UTC (rev 271786)
+++ trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp 2021-01-25 08:33:14 UTC (rev 271787)
@@ -528,7 +528,6 @@
// This applies to Mail and Notes when pasting from Xcode. <rdar://problem/40529867>
RefPtr<Element> editableRoot = insertionPos.rootEditableElement();
- ASSERT(editableRoot);
if (!editableRoot)
return false;
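Review bot: dropping `ASSERT(editableRoot)` is consistent with the `if (!editableRoot) return false;` immediately below it, but a one-line comment explaining why `rootEditableElement()` can legitimately return null here (the selection's container having been replaced from script while the command is running, as the new test does) would stop the next reader from reinstating the assert.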
@@ -1205,9 +1204,11 @@
// our style spans and for positions inside list items
// since insertAsListItems already does the right thing.
if (!m_matchStyle && !enclosingList(insertionPos.containerNode())) {
- if (insertionPos.containerNode()->isTextNode() && insertionPos.offsetInContainerNode() && !insertionPos.atLastEditingPositionForNode()) {
- splitTextNode(*insertionPos.containerText(), insertionPos.offsetInContainerNode());
- insertionPos = firstPositionInNode(insertionPos.containerNode());
+ if (auto* containerNode = insertionPos.containerNode()) {
+ if (containerNode->isTextNode() && insertionPos.offsetInContainerNode() && !insertionPos.atLastEditingPositionForNode()) {
+ splitTextNode(*insertionPos.containerText(), insertionPos.offsetInContainerNode());
+ insertionPos = firstPositionInNode(insertionPos.containerNode());
+ }
}
if (RefPtr<Node> nodeToSplitTo = nodeToSplitToAvoidPastingIntoInlineNodesWithStyle(insertionPos)) {
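Review bot: the new null check skips only the text-node split and does not bail out, so when `insertionPos.containerNode()` is null execution falls through to `nodeToSplitToAvoidPastingIntoInlineNodesWithStyle(insertionPos)` in the context line below with a position that has no container; either that helper must tolerate such a position or the null case should leave the block (or doApply) explicitly. Note also that the enclosing condition `!enclosingList(insertionPos.containerNode())` already hands the possibly-null node to `enclosingList` before the guard runs; if that function dereferences its argument, the check is too late and belongs above the outer `if`.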
@@ -1247,7 +1248,7 @@
&& blockStart && blockStart->renderer()->isListItem();
if (isInsertingIntoList)
refNode = insertAsListItems(downcast<HTMLElement>(*refNode), blockStart, insertionPos, insertedNodes);
- else {
+ else if (isEditablePosition(insertionPos)) {
insertNodeAt(*refNode, insertionPos);
insertedNodes.respondToNodeInsertion(refNode.get());
}
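Review bot: when `isEditablePosition(insertionPos)` is false, `refNode` is silently left uninserted and `insertedNodes.respondToNodeInsertion` is never called, so `insertedNodes` stays empty while the remainder of doApply continues as if the paste had happened; consider an explicit early return (with whatever cleanup doApply requires) instead of falling through, and add a comment stating that a non-editable insertion position is the corner case from the new test, not an expected path.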
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes