Title: [269609] trunk
- Revision: 269609
- Author: commit-qu...@webkit.org
- Date: 2020-11-09 15:47:51 -0800 (Mon, 09 Nov 2020)
Log Message
Null dereference in CompositeEditCommand::splitTreeToNode() due to not checking for top of DOM tree
https://bugs.webkit.org/show_bug.cgi?id=218215
Patch by Julian Gonzalez <julian_a_gonza...@apple.com> on 2020-11-09
Reviewed by Ryosuke Niwa.
Source/WebCore:
Add a check for a non-existent parent node when splitting a tree, and fix up
a caller to not pass a node without a parent node.
Test: editing/inserting/insert-list-in-iframe-in-list.html
* editing/CompositeEditCommand.cpp:
(WebCore::CompositeEditCommand::moveParagraphs):
* editing/InsertListCommand.cpp:
(WebCore::InsertListCommand::unlistifyParagraph):
LayoutTests:
Add layout test that catches crash during insertion of a list inside an iframe
(that itself is inside of a list).
* editing/inserting/insert-list-in-iframe-in-list-expected.txt: Added.
* editing/inserting/insert-list-in-iframe-in-list.html: Added.
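As an added illustration of the two guards the log message describes (example code written for this page, not WebKit's own `splitTreeToNode`, `moveParagraphs` or `unlistifyParagraph`; the `Node` struct, `childOfAncestor` and `needsSplit` are hypothetical stand-ins for WebCore's classes), the walk below climbs parent pointers toward an ancestor and returns null instead of reading through a missing parent when it reaches the top of the tree, and `needsSplit` shows the caller-side check that avoids handing a parentless node to the split in the first place:

```cpp
#include <cassert>
#include <memory>
#include <string>
#include <vector>

// Minimal DOM-like tree with parent pointers (constructed for this example;
// not WebKit's Node class).
struct Node {
    std::string name;
    bool isElement;                 // false for the document node and text nodes
    Node* parent = nullptr;
    std::vector<std::unique_ptr<Node>> children;

    Node(std::string n, bool element) : name(std::move(n)), isElement(element) {}

    Node& appendChild(std::string n, bool element) {
        children.push_back(std::make_unique<Node>(std::move(n), element));
        children.back()->parent = this;
        return *children.back();
    }
};

// Walk from `start` up the parent chain until reaching the node whose parent
// is `end` (the node a split would detach from `end`). Mirrors the shape of
// the patched loop: the parent is checked for null before any of its fields
// are read, so a detached `start`, or a walk that reaches the document root
// because `end` is not an ancestor, returns nullptr instead of dereferencing
// a null parent. The walk also stops at the first non-element parent.
Node* childOfAncestor(Node& start, Node& end) {
    Node* node = &start;
    while (node && node->parent != &end) {
        if (!node->parent || !node->parent->isElement)
            return nullptr;         // top of tree (or non-element parent) reached first
        node = node->parent;
    }
    return node;
}

// Caller-side guard in the spirit of the InsertListCommand change: only ask
// for a split when `listChild` actually has a parent and that parent is not
// already `listNode`.
bool needsSplit(Node& listChild, Node& listNode) {
    Node* parent = listChild.parent;
    return parent && parent != &listNode;
}

// Builds the constructed sample: #document -> body -> dd -> li -> #text
std::unique_ptr<Node> buildSampleTree() {
    auto document = std::make_unique<Node>("#document", false);
    Node& body = document->appendChild("body", true);
    Node& dd = body.appendChild("dd", true);
    Node& li = dd.appendChild("li", true);
    li.appendChild("#text", false);
    return document;
}

// Normal case: the walk from the text node stops at the <li>, the direct
// child of the <dd> ancestor, and at the <dd> when <body> is the target.
bool walkStopsBelowAncestor() {
    auto document = buildSampleTree();
    Node& body = *document->children[0];
    Node& dd = *body.children[0];
    Node& li = *dd.children[0];
    Node& text = *li.children[0];
    return childOfAncestor(text, dd) == &li && childOfAncestor(text, body) == &dd;
}

// Failure mode the patch addresses: `end` is not an ancestor of `start`, so
// the walk climbs to the document node and must stop there rather than read
// through a null parent. A detached node is the same case one step earlier.
bool topOfTreeIsHandled() {
    auto document = buildSampleTree();
    Node& body = *document->children[0];
    Node& dd = *body.children[0];
    Node& li = *dd.children[0];
    Node detached("div", true);     // no parent at all
    return childOfAncestor(li, detached) == nullptr
        && childOfAncestor(detached, dd) == nullptr
        && !needsSplit(detached, dd)
        && needsSplit(li, body)
        && !needsSplit(li, dd);
}

int main() {
    assert(walkStopsBelowAncestor());
    assert(topOfTreeIsHandled());
    return 0;
}
```

The unpatched shape of the loop would evaluate `node->parent->isElement` directly; with `detached` as the start node that is a read through a null pointer, which is the class of crash the layout test in this commit exercises.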
Diff
Modified: trunk/LayoutTests/ChangeLog (269608 => 269609)
--- trunk/LayoutTests/ChangeLog 2020-11-09 23:40:39 UTC (rev 269608)
+++ trunk/LayoutTests/ChangeLog 2020-11-09 23:47:51 UTC (rev 269609)
@@ -1,3 +1,16 @@
+2020-11-09 Julian Gonzalez <julian_a_gonza...@apple.com>
+
+ Null dereference in CompositeEditCommand::splitTreeToNode() due to not checking for top of DOM tree
+ https://bugs.webkit.org/show_bug.cgi?id=218215
+
+ Reviewed by Ryosuke Niwa.
+
+ Add layout test that catches crash during insertion of a list inside an iframe
+ (that itself is inside of a list).
+
+ * editing/inserting/insert-list-in-iframe-in-list-expected.txt: Added.
+ * editing/inserting/insert-list-in-iframe-in-list.html: Added.
+
2020-11-09 Truitt Savell <tsav...@apple.com>
REGRESSION: [ Mac ] media/video-buffering-allowed.html is flaky timeout
Added: trunk/LayoutTests/editing/inserting/insert-list-in-iframe-in-list-expected.txt (0 => 269609)
--- trunk/LayoutTests/editing/inserting/insert-list-in-iframe-in-list-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-list-in-iframe-in-list-expected.txt 2020-11-09 23:47:51 UTC (rev 269609)
@@ -0,0 +1,5 @@
+
+
+This tests that we do not crash while inserting either list.
+
+PASS
Added: trunk/LayoutTests/editing/inserting/insert-list-in-iframe-in-list.html (0 => 269609)
--- trunk/LayoutTests/editing/inserting/insert-list-in-iframe-in-list.html (rev 0)
+++ trunk/LayoutTests/editing/inserting/insert-list-in-iframe-in-list.html 2020-11-09 23:47:51 UTC (rev 269609)
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<head>
+<script>
+function testonload() {
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ document.getSelection().setBaseAndExtent(dd, 0, iframe, 0);
+ document.execCommand("insertOrderedList", false);
+}
+function iframehandler() {
+ document.execCommand("insertUnorderedList", false);
+}
+</script>
+</head>
+<body _onload_=testonload()>
+ <dd id="dd" contenteditable="true">
+ <li>
+ <iframe id="iframe" _onload_="iframehandler()"></iframe>
+ </li>
+ </dd>
+ <p>This tests that we do not crash while inserting either list.</p>
+ PASS
+</body>
+</html>
\ No newline at end of file
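Review bot: the load handlers appear as `_onload_=testonload()` on the `<body>` line and `_onload_="iframehandler()"` on the `<iframe>` line; if that is what was committed rather than an archive rendering artifact, neither handler fires and the test prints PASS without ever reaching `execCommand`, so it is worth confirming the file carries a plain `onload`. Two smaller points: the markup opens with `<!DOCTYPE html>` followed directly by `<head>` yet closes with `</html>`, and the diff reports no trailing newline; a matching `<html>` tag and a final newline would keep the test tidy. `setBaseAndExtent(dd, 0, iframe, 0)` also relies on the named-id global lookup for `dd` and `iframe`; `document.getElementById` would make that dependency explicit.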
Modified: trunk/Source/WebCore/ChangeLog (269608 => 269609)
--- trunk/Source/WebCore/ChangeLog 2020-11-09 23:40:39 UTC (rev 269608)
+++ trunk/Source/WebCore/ChangeLog 2020-11-09 23:47:51 UTC (rev 269609)
@@ -1,3 +1,20 @@
+2020-11-09 Julian Gonzalez <julian_a_gonza...@apple.com>
+
+ Null dereference in CompositeEditCommand::splitTreeToNode() due to not checking for top of DOM tree
+ https://bugs.webkit.org/show_bug.cgi?id=218215
+
+ Reviewed by Ryosuke Niwa.
+
+ Add a check for a non-existent parent node when splitting a tree, and fix up
+ a caller to not pass a node without a parent node.
+
+ Test: editing/inserting/insert-list-in-iframe-in-list.html
+
+ * editing/CompositeEditCommand.cpp:
+ (WebCore::CompositeEditCommand::moveParagraphs):
+ * editing/InsertListCommand.cpp:
+ (WebCore::InsertListCommand::unlistifyParagraph):
+
2020-11-09 Wenson Hsieh <wenson_hs...@apple.com>
Rename ImageBuffer::flushDisplayList to ImageBuffer::submitDisplayList
Modified: trunk/Source/WebCore/editing/CompositeEditCommand.cpp (269608 => 269609)
--- trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2020-11-09 23:40:39 UTC (rev 269608)
+++ trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2020-11-09 23:47:51 UTC (rev 269609)
@@ -1714,7 +1714,7 @@
ASSERT(adjustedEnd);
RefPtr<Node> node;
for (node = &start; node && node->parentNode() != adjustedEnd; node = node->parentNode()) {
- if (!is<Element>(*node->parentNode()))
+ if (!node->parentNode() || !is<Element>(*node->parentNode()))
break;
// Do not split a node when doing so introduces an empty node.
VisiblePosition positionInParent = firstPositionInNode(node->parentNode());
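Review bot: the added `!node->parentNode()` test on the `if` line correctly guards the `*node->parentNode()` dereference when the walk reaches the top of the tree, and because it breaks before the body runs, the `firstPositionInNode(node->parentNode())` call that follows now only sees a non-null parent. A short comment stating that the loop stops silently at the document root (rather than asserting that `adjustedEnd` is an ancestor of `start`) would help the next reader, and caching `node->parentNode()` in a local would avoid calling it four times across the loop header and body.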
Modified: trunk/Source/WebCore/editing/InsertListCommand.cpp (269608 => 269609)
--- trunk/Source/WebCore/editing/InsertListCommand.cpp 2020-11-09 23:40:39 UTC (rev 269608)
+++ trunk/Source/WebCore/editing/InsertListCommand.cpp 2020-11-09 23:47:51 UTC (rev 269609)
@@ -321,7 +321,7 @@
// in listNode that comes before listChildNode, as listChildNode could have ancestors
// between it and listNode. So, we split up to listNode before inserting the placeholder
// where we're about to move listChildNode to.
- if (listChildNode->parentNode() != listNode)
+ if (auto listChildNodeParentNode = makeRefPtr(listChildNode->parentNode()); listChildNodeParentNode && listChildNodeParentNode != listNode)
splitElement(*listNode, *splitTreeToNode(*listChildNode, *listNode).get());
insertNodeBefore(nodeToInsert.releaseNonNull(), *listNode);
} else
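Review bot: `listChildNodeParentNode` is only compared against `listNode` and never dereferenced or held across a DOM mutation, so `makeRefPtr` does ref/deref work for nothing; a raw `auto* parent = listChildNode->parentNode()` in the if-initializer reads more simply. With the init-statement the condition line is long enough that braces around the `splitElement(...)` body would help. A comment noting that a detached `listChildNode` now skips the split and falls straight through to `insertNodeBefore(nodeToInsert.releaseNonNull(), *listNode)` would also document the behaviour change this guard introduces.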
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes