Merge r175809 - Crash in WebCore::Node::getFlag

https://bugs.webkit.org/show_bug.cgi?id=137961 Reviewed by Antti Koivisto. Source/WebCore: * editing/ApplyStyleCommand.cpp: (WebCore::ApplyStyleCommand::applyBlockStyle): Null pointer check added. LayoutTests: * editing/execCommand/crash-137961-expected.txt: Added. * editing/execCommand/crash-137961.html: Added.
WebKit · Jan 5, 2015 · d7fa522 · d7fa522
1 parent e6017b7
commit d7fa522
Show file tree

Hide file tree

Showing 5 changed files with 50 additions and 0 deletions.
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2014-11-10  Csaba Osztrogonác  <ossy@webkit.org>
+
+        Crash in WebCore::Node::getFlag
+        https://bugs.webkit.org/show_bug.cgi?id=137961
+
+        Reviewed by Antti Koivisto.
+
+        * editing/execCommand/crash-137961-expected.txt: Added.
+        * editing/execCommand/crash-137961.html: Added.
+
 2014-04-25  Miyoung Shin  <myid.shin@samsung.com>
 
         Web process is crashed during dispatching touchEvent created by JS.

diff --git a/LayoutTests/editing/execCommand/crash-137961-expected.txt b/LayoutTests/editing/execCommand/crash-137961-expected.txt
@@ -0,0 +1,3 @@
+Test for bug Crash in WebCore::Node::getFlag
+
+This test passes if it doesn't crash.
diff --git a/LayoutTests/editing/execCommand/crash-137961.html b/LayoutTests/editing/execCommand/crash-137961.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html contenteditable>
+<head>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+function test() {
+    document.execCommand("selectAll", false, null);
+    document.execCommand("createlink", true, "http://www.example.com");
+    document.execCommand("removeFormat", false, null);
+    document.write("<p>Test for bug <a href=\"https://bugs.webkit.org/show_bug.cgi?id=137961\">Crash in WebCore::Node::getFlag</a></p>");
+    document.write("<p>This test passes if it doesn't crash.</p>");
+}
+</script>
+<style>
+* {
+    display:table-row-group;
+}
+</style>
+</head>
+<body onload='test();' hidden>
+</body>
+</html>
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,13 @@
+2014-11-10  Csaba Osztrogonác  <ossy@webkit.org>
+
+        Crash in WebCore::Node::getFlag
+        https://bugs.webkit.org/show_bug.cgi?id=137961
+
+        Reviewed by Antti Koivisto.
+
+        * editing/ApplyStyleCommand.cpp:
+        (WebCore::ApplyStyleCommand::applyBlockStyle): Null pointer check added.
+
 2014-11-11  David Kilzer  <ddkilzer@apple.com>
 
         Protect Document in ProcessingInstruction::setXSLStyleSheet()

diff --git a/Source/WebCore/editing/ApplyStyleCommand.cpp b/Source/WebCore/editing/ApplyStyleCommand.cpp
@@ -267,6 +267,9 @@ void ApplyStyleCommand::applyBlockStyle(EditingStyle *style)
 #else
     Node* scope = highestEditableRoot(visibleStart.deepEquivalent());
 #endif
+    if (!scope)
+        return;
+
     RefPtr<Range> startRange = Range::create(document(), firstPositionInNode(scope), visibleStart.deepEquivalent().parentAnchoredEquivalent());
     RefPtr<Range> endRange = Range::create(document(), firstPositionInNode(scope), visibleEnd.deepEquivalent().parentAnchoredEquivalent());
     int startIndex = TextIterator::rangeLength(startRange.get(), true);