[webkit-changes] [273380] trunk

Wed, 24 Feb 2021 04:54:39 -0800

Title: [273380] trunk
Revision
273380
Author
svil...@igalia.com
Date
2021-02-24 04:53:56 -0800 (Wed, 24 Feb 2021)

Log Message

Nullptr crash in ApplyStyleCommand::applyRelativeFontStyleChange
https://bugs.webkit.org/show_bug.cgi?id=221393

Reviewed by Ryosuke Niwa.

Source/WebCore:

Applying a font style change over a range of nodes might change the node tree because in some cases
a span element needs to be created to wrap nodes so they could be styled. Apart from that consecutive
identical span nodes could be merged together. This means that the loop that iterates over a range
of nodes might actually surpass the end node if that end node was merged into some other.

Test: editing/execCommand/font-size-delta-crash.html

* editing/ApplyStyleCommand.cpp:
(WebCore::ApplyStyleCommand::applyRelativeFontStyleChange): Exit the loop if the iterator becomes a
child of the beyondEnd node because the latter was merged into the node that wraps the iterator.

LayoutTests:

* editing/execCommand/font-size-delta-crash-expected.txt: Added.
* editing/execCommand/font-size-delta-crash.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (273379 => 273380)


--- trunk/LayoutTests/ChangeLog	2021-02-24 11:43:22 UTC (rev 273379)
+++ trunk/LayoutTests/ChangeLog	2021-02-24 12:53:56 UTC (rev 273380)
@@ -1,3 +1,13 @@
+2021-02-17  Sergio Villar Senin  <svil...@igalia.com>
+
+        Nullptr crash in ApplyStyleCommand::applyRelativeFontStyleChange
+        https://bugs.webkit.org/show_bug.cgi?id=221393
+
+        Reviewed by Ryosuke Niwa.
+
+        * editing/execCommand/font-size-delta-crash-expected.txt: Added.
+        * editing/execCommand/font-size-delta-crash.html: Added.
+
 2021-02-24  Frederic Wang  <fw...@igalia.com>
 
         Nullptr crash in CompositeEditCommand::splitTreeToNode via InsertParagraphSeparatorCommand::doApply

Added: trunk/LayoutTests/editing/execCommand/font-size-delta-crash-expected.txt (0 => 273380)


--- trunk/LayoutTests/editing/execCommand/font-size-delta-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/execCommand/font-size-delta-crash-expected.txt	2021-02-24 12:53:56 UTC (rev 273380)
@@ -0,0 +1,2 @@
+// <-- magic whitespace _onload_ = () => { document.querySelector('script').appendChild(document.createElement('span')); document.execCommand('FindString', false, 'a'); document.execCommand('FontSizeDelta', false, '1'); }; if (window.testRunner) testRunner.dumpAsText();
+The test PASS if it does not CRASH.
Property changes on: trunk/LayoutTests/editing/execCommand/font-size-delta-crash-expected.txt
___________________________________________________________________

Added: svn:eol-style

+LF \ No newline at end of property

Added: trunk/LayoutTests/editing/execCommand/font-size-delta-crash.html (0 => 273380)


--- trunk/LayoutTests/editing/execCommand/font-size-delta-crash.html	                        (rev 0)
+++ trunk/LayoutTests/editing/execCommand/font-size-delta-crash.html	2021-02-24 12:53:56 UTC (rev 273380)
@@ -0,0 +1,23 @@
+<style>
+head, script, span {
+    display: block;
+}
+head {
+    -webkit-user-modify: read-write-plaintext-only;
+}
+script::first-letter {
+    --font-size-ch: 0;
+}
+</style>
+<script>
+    // <-- magic whitespace
+_onload_ = () => {
+  document.querySelector('script').appendChild(document.createElement('span'));
+  document.execCommand('FindString', false, 'a');
+  document.execCommand('FontSizeDelta', false, '1');
+};
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<p>The test PASS if it does not CRASH.</p>
+
Property changes on: trunk/LayoutTests/editing/execCommand/font-size-delta-crash.html
___________________________________________________________________

Added: svn:eol-style

+LF \ No newline at end of property

Added: svn:mime-type

+text/html \ No newline at end of property

Modified: trunk/Source/WebCore/ChangeLog (273379 => 273380)


--- trunk/Source/WebCore/ChangeLog	2021-02-24 11:43:22 UTC (rev 273379)
+++ trunk/Source/WebCore/ChangeLog	2021-02-24 12:53:56 UTC (rev 273380)
@@ -1,3 +1,21 @@
+2021-02-17  Sergio Villar Senin  <svil...@igalia.com>
+
+        Nullptr crash in ApplyStyleCommand::applyRelativeFontStyleChange
+        https://bugs.webkit.org/show_bug.cgi?id=221393
+
+        Reviewed by Ryosuke Niwa.
+
+        Applying a font style change over a range of nodes might change the node tree because in some cases
+        a span element needs to be created to wrap nodes so they could be styled. Apart from that consecutive
+        identical span nodes could be merged together. This means that the loop that iterates over a range
+        of nodes might actually surpass the end node if that end node was merged into some other.
+
+        Test: editing/execCommand/font-size-delta-crash.html
+
+        * editing/ApplyStyleCommand.cpp:
+        (WebCore::ApplyStyleCommand::applyRelativeFontStyleChange): Exit the loop if the iterator becomes a
+        child of the beyondEnd node because the latter was merged into the node that wraps the iterator.
+
 2021-02-24  Carlos Garcia Campos  <cgar...@igalia.com>
 
         [SOUP3] Use soup_auth_get_authority() to set the ProtectionSpace host and port

Modified: trunk/Source/WebCore/editing/ApplyStyleCommand.cpp (273379 => 273380)


--- trunk/Source/WebCore/editing/ApplyStyleCommand.cpp	2021-02-24 11:43:22 UTC (rev 273379)
+++ trunk/Source/WebCore/editing/ApplyStyleCommand.cpp	2021-02-24 12:53:56 UTC (rev 273380)
@@ -378,7 +378,8 @@
     Vector<Ref<HTMLElement>> unstyledSpans;
     
     Node* lastStyledNode = nullptr;
-    for (Node* node = startNode; node != beyondEnd; node = NodeTraversal::next(*node)) {
+    bool reachedEnd = false;
+    for (auto node = makeRefPtr(startNode); node != beyondEnd && !reachedEnd; node = NodeTraversal::next(*node)) {
         ASSERT(node);
         RefPtr<HTMLElement> element;
         if (is<HTMLElement>(*node)) {
@@ -391,20 +392,21 @@
             // text node. To make this possible, add a style span to surround this text node.
             auto span = createStyleSpanElement(document());
             surroundNodeRangeWithElement(*node, *node, span.copyRef());
+            reachedEnd = node->isDescendantOf(beyondEnd);
             element = WTFMove(span);
         }  else {
             // Only handle HTML elements and text nodes.
             continue;
         }
-        lastStyledNode = node;
+        lastStyledNode = node.get();
 
         RefPtr<MutableStyleProperties> inlineStyle = copyStyleOrCreateEmpty(element->inlineStyle());
-        float currentFontSize = computedFontSize(node);
-        float desiredFontSize = std::max(MinimumFontSize, startingFontSizes.get(node) + style->fontSizeDelta());
+        float currentFontSize = computedFontSize(node.get());
+        float desiredFontSize = std::max(MinimumFontSize, startingFontSizes.get(node.get()) + style->fontSizeDelta());
         RefPtr<CSSValue> value = inlineStyle->getPropertyCSSValue(CSSPropertyFontSize);
         if (value) {
             element->removeInlineStyleProperty(CSSPropertyFontSize);
-            currentFontSize = computedFontSize(node);
+            currentFontSize = computedFontSize(node.get());
         }
         if (currentFontSize != desiredFontSize) {
             inlineStyle->setProperty(CSSPropertyFontSize, CSSValuePool::singleton().createValue(desiredFontSize, CSSUnitType::CSS_PX), false);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to