Title: [94879] branches/chromium/874
- Revision: 94879
- Author: [email protected]
- Date: 2011-09-09 15:47:49 -0700 (Fri, 09 Sep 2011)
Log Message
Merge 94793 - Crashes in WebCore::ReplaceSelectionCommand::doApply
https://bugs.webkit.org/show_bug.cgi?id=67762
Patch by Shinya Kawanaka <[email protected]> on 2011-09-08
Reviewed by Ryosuke Niwa.
Source/WebCore:
WebCore::enclosingBlock may return null, but its return value was not checked. This patch checks it.
Tests: editing/inserting/insert-without-enclosing-block.html
* editing/ReplaceSelectionCommand.cpp:
(WebCore::ReplaceSelectionCommand::doApply): Added null check.
LayoutTests:
WebCore::enclosingBlock may return NULL, but its return value was not checked. This patch checks it.
* editing/inserting/insert-without-enclosing-block-expected.txt: Added.
* editing/inserting/insert-without-enclosing-block.html: Added.
[email protected]
Review URL: http://codereview.chromium.org/7780011
Diff
Copied: branches/chromium/874/LayoutTests/editing/inserting/insert-without-enclosing-block-expected.txt (from rev 94793, trunk/LayoutTests/editing/inserting/insert-without-enclosing-block-expected.txt) (0 => 94879)
--- branches/chromium/874/LayoutTests/editing/inserting/insert-without-enclosing-block-expected.txt (rev 0)
+++ branches/chromium/874/LayoutTests/editing/inserting/insert-without-enclosing-block-expected.txt 2011-09-09 22:47:49 UTC (rev 94879)
@@ -0,0 +1,3 @@
+This test ensures WebKit does not crash.
+
+PASS
Copied: branches/chromium/874/LayoutTests/editing/inserting/insert-without-enclosing-block.html (from rev 94793, trunk/LayoutTests/editing/inserting/insert-without-enclosing-block.html) (0 => 94879)
--- branches/chromium/874/LayoutTests/editing/inserting/insert-without-enclosing-block.html (rev 0)
+++ branches/chromium/874/LayoutTests/editing/inserting/insert-without-enclosing-block.html 2011-09-09 22:47:49 UTC (rev 94879)
@@ -0,0 +1,9 @@
+<feSpotLight><sub id="div" contenteditable="true"><script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+window.getSelection().setPosition(div, 0);
+document.execCommand("InsertHTML", false, "<dl>");
+
+document.writeln('This test ensures WebKit does not crash.<br><br>PASS');
+</script>
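Review bot: The `window.getSelection().setPosition(div, 0);` line reaches the editable element only through the implicit global created by `id="div"`; an explicit `document.getElementById("div")` lookup would make that dependency visible and keep the test from silently changing meaning if a `div` variable is ever introduced. The unclosed `<feSpotLight><sub ...>` markup on the first line looks deliberate (it is what leaves the insertion position without an enclosing block), so a one-line comment saying so, with the bug number 67762, would help whoever next touches this test.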
Modified: branches/chromium/874/Source/WebCore/editing/ReplaceSelectionCommand.cpp (94878 => 94879)
--- branches/chromium/874/Source/WebCore/editing/ReplaceSelectionCommand.cpp 2011-09-09 22:15:37 UTC (rev 94878)
+++ branches/chromium/874/Source/WebCore/editing/ReplaceSelectionCommand.cpp 2011-09-09 22:47:49 UTC (rev 94879)
@@ -994,7 +994,7 @@
Node* blockStart = enclosingBlock(insertionPos.deprecatedNode());
if ((isListElement(refNode.get()) || (isLegacyAppleStyleSpan(refNode.get()) && isListElement(refNode->firstChild())))
- && blockStart->renderer()->isListItem())
+ && blockStart && blockStart->renderer()->isListItem())
refNode = insertAsListItems(refNode, blockStart, insertionPos);
else
insertNodeAtAndUpdateNodesInserted(refNode, insertionPos);
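Review bot: On the changed condition line, `blockStart` is now checked but `blockStart->renderer()` is still dereferenced unchecked, so a non-null block without a renderer would crash at `->isListItem()` in the same way. Consider `blockStart && blockStart->renderer() && blockStart->renderer()->isListItem()`, or add a short comment stating why a renderer is guaranteed at this point. The added test only covers the null `enclosingBlock` case, so a second case for a rendererless block would be worth adding if that state is reachable.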