Merge r249854 - Crash under WebCore::firstPositionInNode()

https://bugs.webkit.org/show_bug.cgi?id=201764 <rdar://problem/54823754> Reviewed by Wenson Hsieh and Geoff Garen. Make sure to keep a Ref<> to the textNode when we call insertNodeAtTabSpanPosition() or insertNodeAt(). Test: editing/firstPositionInNode-crash.html * editing/InsertTextCommand.cpp: (WebCore::InsertTextCommand::positionInsideTextNode):
WebKit · Sep 23, 2019 · 5622563 · 5622563
1 parent acd6c77
commit 5622563
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 6 deletions.
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2019-09-13  Chris Dumez  <cdumez@apple.com>
+
+        Crash under WebCore::firstPositionInNode()
+        https://bugs.webkit.org/show_bug.cgi?id=201764
+        <rdar://problem/54823754>
+
+        Reviewed by Wenson Hsieh and Geoff Garen.
+
+        Make sure to keep a Ref<> to the textNode when we call insertNodeAtTabSpanPosition()
+        or insertNodeAt().
+
+        Test: editing/firstPositionInNode-crash.html
+
+        * editing/InsertTextCommand.cpp:
+        (WebCore::InsertTextCommand::positionInsideTextNode):
+
 2019-09-11  Ali Juma  <ajuma@chromium.org>
 
         Prevent reentrancy FrameLoader::dispatchUnloadEvents()

diff --git a/Source/WebCore/editing/InsertTextCommand.cpp b/Source/WebCore/editing/InsertTextCommand.cpp
@@ -59,18 +59,16 @@ Position InsertTextCommand::positionInsideTextNode(const Position& p)
     Position pos = p;
     if (isTabSpanTextNode(pos.anchorNode())) {
         auto textNode = document().createEditingTextNode(emptyString());
-        auto* textNodePtr = textNode.ptr();
-        insertNodeAtTabSpanPosition(WTFMove(textNode), pos);
-        return firstPositionInNode(textNodePtr);
+        insertNodeAtTabSpanPosition(textNode.copyRef(), pos);
+        return firstPositionInNode(textNode.ptr());
     }
 
     // Prepare for text input by looking at the specified position.
     // It may be necessary to insert a text node to receive characters.
     if (!pos.containerNode()->isTextNode()) {
         auto textNode = document().createEditingTextNode(emptyString());
-        auto* textNodePtr = textNode.ptr();
-        insertNodeAt(WTFMove(textNode), pos);
-        return firstPositionInNode(textNodePtr);
+        insertNodeAt(textNode.copyRef(), pos);
+        return firstPositionInNode(textNode.ptr());
     }
 
     return pos;