Crash in InsertParagraphSeparatorCommand::doApply
https://bugs.webkit.org/show_bug.cgi?id=224977

Patch by Frédéric Wang <fwang@igalia.com> on 2021-07-26
Reviewed by Ryosuke Niwa.

Source/WebCore:

Because <html> elements are handled specially in Position::isCandidate() (a) and
PositionIterator::isCandidate() (b), the function InsertParagraphSeparatorCommand::doApply()
may end up in an edge case where the startBlock is a sibling of the visible position per (a)
but isFirstInBlock,isLastInBlock is true,false per (b). This leads to hitting the debug
assertion ASSERT(startBlock->firstChild()) and dereferencing a nullptr pointer in release.
This patch fixes that by exiting early if the visible position is not a descendant of the
start block.

Test: editing/inserting/insert-paragraph-separator-with-html-elements-crash.html

* editing/InsertParagraphSeparatorCommand.cpp:
(WebCore::InsertParagraphSeparatorCommand::doApply):

LayoutTests:

Add regression test.

* editing/inserting/insert-paragraph-separator-with-html-elements-crash-expected.txt: Added.
* editing/inserting/insert-paragraph-separator-with-html-elements-crash.html: Added.

Canonical link: https://commits.webkit.org/239962@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@280312 268f45cc-cd09-0410-ab3c-d52691b4dbfc
fred-wang authored and webkit-commit-queue committed Jul 26, 2021
1 parent 5e44a77 commit 5ba956ff548ebc6ebadcf790eb6f5d5e94bde610
Showing 5 changed files with 84 additions and 0 deletions.
@@ -1,3 +1,15 @@
2021-07-26 Frédéric Wang <fwang@igalia.com>

Crash in InsertParagraphSeparatorCommand::doApply
https://bugs.webkit.org/show_bug.cgi?id=224977

Reviewed by Ryosuke Niwa.

Add regression test.

* editing/inserting/insert-paragraph-separator-with-html-elements-crash-expected.txt: Added.
* editing/inserting/insert-paragraph-separator-with-html-elements-crash.html: Added.

2021-07-26 Johnson Zhou <qiaosong_zhou@apple.com>

Added support for FormDataEvent. Rebaselined.
@@ -0,0 +1,3 @@
CONSOLE MESSAGE: The test PASS if it does not crash.
0

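Review bot: The expected console line "The test PASS if it does not crash." is ungrammatical; "The test PASSES if it does not crash." (or "This test passes if it does not crash.") reads better, and the same string has to be changed in the console.log() call of the .html file so the expectation still matches. The trailing "0" is the text node inserted by insertAdjacentText('afterend', '0') being dumped as text, which is fine but could use a one-line mention in the test so nobody treats it as stray output.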
@@ -0,0 +1,46 @@
<!DOCTYPE html>
<script type="text/javascript">
if (window.testRunner)
testRunner.dumpAsText();
console.log('The test PASS if it does not crash.')
requestAnimationFrame(function() {
document.documentElement.addEventListener("DOMNodeRemoved", function() {
document.execCommand("SelectAll");
window.getSelection().
getRangeAt(0).surroundContents(document.head.firstElementChild);
document.body.insertAdjacentHTML('beforeend', "");
}, {once: true});
document.documentElement.innerHTML = '';

window.getSelection().deleteFromDocument();
document.documentElement.appendChild(document.documentElement.cloneNode());
var oElement = document.documentElement.firstElementChild;
oElement.contentEditable = true;

document.documentElement.addEventListener("DOMNodeRemoved", function() {
var el = document.documentElement.firstElementChild;
document.documentElement.appendChild(el);
el = document.importNode(el);
document.documentElement.appendChild(el);
el.insertAdjacentHTML('beforeend', "<svg></svg><svg></svg>[");
}, {once: true});
document.documentElement.
replaceChild(document.createElement('div'), oElement);

document.documentElement.appendChild(oElement);
window.getSelection().collapseToStart();
try {
window.getSelection().getRangeAt(0).
surroundContents(document.documentElement.firstElementChild);
} catch (e) {}
document.execCommand('InsertOrderedList');
oElement = document.documentElement.firstElementChild;
oElement.insertAdjacentText('afterend', '0');
document.documentElement.appendChild(document.importNode(oElement));

document.addEventListener("DOMNodeRemoved", function() {
document.execCommand('InsertParagraph');
}, {once: true});
oElement.outerHTML = "";
})
</script>
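Review bot: The test carries no comment explaining which DOM shape triggers the crash, so the sequence reads as opaque fuzzer output. A short comment near document.documentElement.appendChild(document.documentElement.cloneNode()) saying that the nested contentEditable <html> element is what makes Position::isCandidate() and PositionIterator::isCandidate() disagree (the special-casing described in the ChangeLog), plus a link to https://bugs.webkit.org/show_bug.cgi?id=224977, would make the test maintainable. Also, document.body.insertAdjacentHTML('beforeend', "") inserts nothing; if re-running the reduction shows it is not needed to reproduce, drop it, otherwise comment why the empty insertion matters. Finally, "The test PASS if it does not crash." should read "The test PASSES if it does not crash.", with the -expected.txt updated to match.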
@@ -1,3 +1,23 @@
2021-07-26 Frédéric Wang <fwang@igalia.com>

Crash in InsertParagraphSeparatorCommand::doApply
https://bugs.webkit.org/show_bug.cgi?id=224977

Reviewed by Ryosuke Niwa.

Because <html> elements are handled specially in Position::isCandidate() (a) and
PositionIterator::isCandidate() (b), the function InsertParagraphSeparatorCommand::doApply()
may end up in a edge case where the startBlock is a sibling of the visible position per (a)
but isFirstInBlock,isLastInBlock is true,false per (b). This leads to hitting the debug
assertion ASSERT(startBlock->firstChild()) and dereferencing a nullptr pointer in release.
This patch fixes that by exiting early if the visible position is not a descendant of the
start block.

Test: editing/inserting/insert-paragraph-separator-with-html-elements-crash.html

* editing/InsertParagraphSeparatorCommand.cpp:
(WebCore::InsertParagraphSeparatorCommand::doApply):

2021-07-26 Johnson Zhou <qiaosong_zhou@apple.com>

FormDataEvent added, and dispatched upon creation of DOMFormData or submission of HTMLFormElement.
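Review bot: Grammar and wording in the ChangeLog entry: "may end up in a edge case" should be "an edge case", and "dereferencing a nullptr pointer" is redundant; "dereferencing a null pointer" is enough. It would also help to name the concrete shape that triggers the path (a nested <html> element under a contentEditable ancestor, as the regression test builds) rather than only referring to the isCandidate() special-casing, so the entry can be understood without opening the bug.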
@@ -187,6 +187,9 @@ void InsertParagraphSeparatorCommand::doApply()
if (visiblePos.isNull())
return;

if (!startBlock->contains(visiblePos.deepEquivalent().containerNode()))
return;

calculateStyleBeforeInsertion(insertionPosition);

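Review bot: The new early return in doApply() has no comment, so a later reader will see an unexplained bail-out and may treat it as dead code; add a line above the check stating that startBlock can be a sibling of visiblePos when <html> elements are involved (Position::isCandidate() vs. PositionIterator::isCandidate() disagree) and referencing bug 224977. The ordering also matters: the preceding "if (visiblePos.isNull()) return;" is what guarantees visiblePos.deepEquivalent().containerNode() is non-null before it is passed to contains(), so the two checks must stay together. Consider whether silently returning is the right behaviour versus falling back to inserting at the block boundary, since a user pressing Enter in this state now gets nothing; if dropping the edit is intended, say so in the comment.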