Commit 298b8d2

Ian Gilbert authored and webkit-commit-queue committed
Nullptr deref in CompositeEditCommand::isRemovableBlock in DeleteSelectionCommand::removeRedundantBlocks
https://bugs.webkit.org/show_bug.cgi?id=224518

Patch by Ian Gilbert <iang@apple.com> on 2021-04-16
Reviewed by Ryosuke Niwa.

Source/WebCore:

Add null check in case node is removed while iterating over tree.

Test: editing/execCommand/remove-node-during-command-crash.html

* editing/DeleteSelectionCommand.cpp:
(WebCore::DeleteSelectionCommand::removeRedundantBlocks):

LayoutTests:

Add a regression test.

* editing/execCommand/remove-node-during-command-crash-expected.txt: Added.
* editing/execCommand/remove-node-during-command-crash.html: Added.

Canonical link: https://commits.webkit.org/236668@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@276186 268f45cc-cd09-0410-ab3c-d52691b4dbfc
1 parent 4f53c98 commit 298b8d2

5 files changed

Lines changed: 58 additions & 4 deletions

LayoutTests/ChangeLog

Lines changed: 12 additions & 0 deletions
@@ -1,3 +1,15 @@
1+
2021-04-16 Ian Gilbert <iang@apple.com>
2+
3+
Nullptr deref in CompositeEditCommand::isRemovableBlock in DeleteSelectionCommand::removeRedundantBlocks
4+
https://bugs.webkit.org/show_bug.cgi?id=224518
5+
6+
Reviewed by Ryosuke Niwa.
7+
8+
Add a regression test.
9+
10+
* editing/execCommand/remove-node-during-command-crash-expected.txt: Added.
11+
* editing/execCommand/remove-node-during-command-crash.html: Added.
12+
113
2021-04-16 Cameron McCormack <heycam@apple.com>
214

315
Place vertical scrollbars at (inline/block)-end edge in all writing modes.
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
Test passes if it does not crash PASS
Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,27 @@
1+
<style>
2+
br {
3+
content: '';
4+
}
5+
</style>
6+
<script>
7+
onload = () => {
8+
9+
if (window.testRunner)
10+
testRunner.dumpAsText();
11+
12+
document.designMode = 'on';
13+
document.execCommand('SelectAll');
14+
document.execCommand('InsertImage', false, '#');
15+
let ifr0 = document.createElement('iframe');
16+
document.body.appendChild(ifr0);
17+
ifr0.onload = () => {
18+
document.execCommand('JustifyRight');
19+
};
20+
document.execCommand('InsertParagraph');
21+
getSelection().extend(document.body);
22+
document.execCommand('InsertParagraph');
23+
24+
document.write('Test passes if it does not crash\n');
25+
document.write('PASS');
26+
};
27+
</script>
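Review bot: The test calls testRunner.dumpAsText() at the top of the onload handler but never calls waitUntilDone()/notifyDone(), while the JustifyRight call lives in ifr0.onload, which is assigned only after document.body.appendChild(ifr0). If that inner handler can run after the outer handler returns, the runner may dump the page before the path under test executes, and the test would pass without exercising the fix. Consider making the ordering explicit (waitUntilDone() up front, notifyDone() once the last InsertParagraph has run) and adding a one-line comment that names the step expected to remove the node mid-command, so the regression test stays meaningful if editing behaviour changes.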

Source/WebCore/ChangeLog

Lines changed: 14 additions & 0 deletions
@@ -1,3 +1,17 @@
1+
2021-04-16 Ian Gilbert <iang@apple.com>
2+
3+
Nullptr deref in CompositeEditCommand::isRemovableBlock in DeleteSelectionCommand::removeRedundantBlocks
4+
https://bugs.webkit.org/show_bug.cgi?id=224518
5+
6+
Reviewed by Ryosuke Niwa.
7+
8+
Add null check in case node is removed while iterating over tree.
9+
10+
Test: editing/execCommand/remove-node-during-command-crash.html
11+
12+
* editing/DeleteSelectionCommand.cpp:
13+
(WebCore::DeleteSelectionCommand::removeRedundantBlocks):
14+
115
2021-04-16 Cameron McCormack <heycam@apple.com>
216

317
Place vertical scrollbars at (inline/block)-end edge in all writing modes.
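Review bot: The entry's description, "Add null check in case node is removed while iterating over tree.", covers only half of the code change. The DeleteSelectionCommand.cpp hunk also converts node and rootNode from raw Node* to RefPtr via makeRefPtr, which is the part that keeps both nodes alive across the removal. Worth a second sentence here saying the locals are now ref-counted, since someone reading the ChangeLog later will otherwise assume the fix is only the added condition in the while loop.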

Source/WebCore/editing/DeleteSelectionCommand.cpp

Lines changed: 4 additions & 4 deletions
@@ -865,11 +865,11 @@ String DeleteSelectionCommand::originalStringForAutocorrectionAtBeginningOfSelec
865865
// This method removes div elements with no attributes that have only one child or no children at all.
866866
void DeleteSelectionCommand::removeRedundantBlocks()
867867
{
868-
Node* node = m_endingPosition.containerNode();
869-
Node* rootNode = node->rootEditableElement();
868+
auto node = makeRefPtr(m_endingPosition.containerNode());
869+
auto rootNode = makeRefPtr(node->rootEditableElement());
870870

871-
while (node != rootNode) {
872-
if (isRemovableBlock(node)) {
871+
while (node && node != rootNode) {
872+
if (isRemovableBlock(node.get())) {
873873
if (node == m_endingPosition.anchorNode())
874874
updatePositionForNodeRemovalPreservingChildren(m_endingPosition, *node);
875875
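Review bot: New line 869 still dereferences node unconditionally in node->rootEditableElement(), before the null test that this patch adds to the while condition on line 871. If m_endingPosition.containerNode() can return null by the time removeRedundantBlocks() runs, the crash simply moves two lines up. Either return early when node is null right after line 868, or state in a comment why the ending position is guaranteed to have a container here. It would also help to note next to the loop that the added node && guard is for whatever advances node inside the loop (not visible in this hunk) yielding null after the tree was mutated, since the RefPtr only keeps the object alive and does not keep it attached.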
