[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
rniwa at webkit.org
Wed Dec 22 14:59:23 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit 2bed6dcbc5d83d60b1c993d0e5803d1679284066
Author: rniwa at webkit.org <rniwa at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Wed Oct 27 00:49:45 2010 +0000
Crash in CompositeEditCommand::splitTreeToNode
https://bugs.webkit.org/show_bug.cgi?id=48349
Reviewed by Kent Tamura.
WebCore:
The bug was caused by indentIntoBlockquote's passing null pointer to splitTreeToNode.
Fixed the crash by adding early exits.
Test: editing/execCommand/indent-node-to-split-to-crash.html
* editing/CompositeEditCommand.cpp:
(WebCore::CompositeEditCommand::splitTreeToNode):
* editing/IndentOutdentCommand.cpp:
(WebCore::IndentOutdentCommand::indentIntoBlockquote):
LayoutTests:
Added a test to ensure WebKit does not crash when indenting.
* editing/execCommand/indent-node-to-split-to-crash-expected.txt: Added.
* editing/execCommand/indent-node-to-split-to-crash.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@70594 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index ed6fc8c..7e839bb 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -2,6 +2,18 @@
Reviewed by Kent Tamura.
+ Crash in CompositeEditCommand::splitTreeToNode
+ https://bugs.webkit.org/show_bug.cgi?id=48349
+
+ Added a test to ensure WebKit does not crash when indenting.
+
+ * editing/execCommand/indent-node-to-split-to-crash-expected.txt: Added.
+ * editing/execCommand/indent-node-to-split-to-crash.html: Added.
+
+2010-10-26 Ryosuke Niwa <rniwa at webkit.org>
+
+ Reviewed by Kent Tamura.
+
REGRESSION(r67170): crash in removeImplicitlyStyledElement
https://bugs.webkit.org/show_bug.cgi?id=48389
diff --git a/LayoutTests/editing/execCommand/indent-node-to-split-to-crash-expected.txt b/LayoutTests/editing/execCommand/indent-node-to-split-to-crash-expected.txt
new file mode 100644
index 0000000..c85cece
--- /dev/null
+++ b/LayoutTests/editing/execCommand/indent-node-to-split-to-crash-expected.txt
@@ -0,0 +1,2 @@
+This test ensures WebKit does not crash when intending.
+PASS
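Review bot: "intending" in the first line of the expected output should be "indenting". The same string is written by the test's `document.body.innerHTML = ...` line, so both files have to change together or the text comparison will fail.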
diff --git a/LayoutTests/editing/execCommand/indent-node-to-split-to-crash.html b/LayoutTests/editing/execCommand/indent-node-to-split-to-crash.html
new file mode 100644
index 0000000..407dcb0
--- /dev/null
+++ b/LayoutTests/editing/execCommand/indent-node-to-split-to-crash.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script type="text/JavaScript">
+
+function runTest() {
+ document.execCommand('usecss', null, 'false');
+
+ var div = document.getElementById('a');
+ var range = document.createRange();
+ var sNode = div.childNodes[0];
+ var eNode = div.childNodes[3];
+ range.setStart(sNode, NaN);
+ range.setEnd(eNode, NaN);
+ getSelection().removeAllRanges();
+ getSelection().addRange(range);
+
+ document.execCommand('indent', null, true);
+
+ document.body.innerHTML = 'This test ensures WebKit does not crash when intending.<br>PASS';
+
+ layoutTestController.notifyDone();
+}
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+</script>
+</head>
+<body onload="runTest()"><div contenteditable="" id="a"><div><br><div contenteditable="false"><table></table></div></div><blockquote><input></blockquote><br></br></div></body></html>
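Review bot: `layoutTestController.notifyDone()` at the end of `runTest()` is called without a guard, while the setup block after it checks `window.layoutTestController` first, so loading this file in a browser throws a ReferenceError once the PASS text has been written. Wrap the call in the same `if (window.layoutTestController)` check. The `NaN` offsets passed to `range.setStart` and `range.setEnd` need a one-line comment saying whether they are required to reproduce the crash; if a plain `0` reproduces it, use that. "intending" in the innerHTML string should read "indenting", matching whatever the expected file says.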
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index fa5eb85..92bb269 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -2,6 +2,23 @@
Reviewed by Kent Tamura.
+ Crash in CompositeEditCommand::splitTreeToNode
+ https://bugs.webkit.org/show_bug.cgi?id=48349
+
+ The bug was caused by indentIntoBlockquote's passing null pointer to splitTreeToNode.
+ Fixed the crash by adding early exits.
+
+ Test: editing/execCommand/indent-node-to-split-to-crash.html
+
+ * editing/CompositeEditCommand.cpp:
+ (WebCore::CompositeEditCommand::splitTreeToNode):
+ * editing/IndentOutdentCommand.cpp:
+ (WebCore::IndentOutdentCommand::indentIntoBlockquote):
+
+2010-10-26 Ryosuke Niwa <rniwa at webkit.org>
+
+ Reviewed by Kent Tamura.
+
REGRESSION(r67170): crash in removeImplicitlyStyledElement
https://bugs.webkit.org/show_bug.cgi?id=48389
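Review bot: the two function entries under `editing/CompositeEditCommand.cpp` and `editing/IndentOutdentCommand.cpp` carry no per-function description, and "adding early exits" does not say what each exit tests. The entry explains the null `nodeToSplitTo` in indentIntoBlockquote but not why splitTreeToNode now stops at a non-element parent; a short phrase after each function name would make the two changes distinguishable in the log.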
diff --git a/WebCore/editing/CompositeEditCommand.cpp b/WebCore/editing/CompositeEditCommand.cpp
index a00db36..6f47fb4 100644
--- a/WebCore/editing/CompositeEditCommand.cpp
+++ b/WebCore/editing/CompositeEditCommand.cpp
@@ -1184,6 +1184,8 @@ PassRefPtr<Node> CompositeEditCommand::splitTreeToNode(Node* start, Node* end, b
RefPtr<Node> node;
for (node = start; node && node->parent() != end; node = node->parent()) {
+ if (!node->parent()->isElementNode())
+ break;
VisiblePosition positionInParent(Position(node->parent(), 0), DOWNSTREAM);
VisiblePosition positionInNode(Position(node, 0), DOWNSTREAM);
if (positionInParent != positionInNode)
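Review bot: the added `if (!node->parent()->isElementNode())` dereferences `node->parent()` without a null check. The loop condition only guarantees that `node` is non-null and that `node->parent() != end`; when `end` is non-null and `node` has no parent (for example, `start` is not a descendant of `end`), that comparison is true and the new line dereferences null. Suggest `if (!node->parent() || !node->parent()->isElementNode()) break;`. Since this function is also where a null `end` caused the reported crash, an ASSERT or early return on `end` here would cover callers other than indentIntoBlockquote.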
diff --git a/WebCore/editing/IndentOutdentCommand.cpp b/WebCore/editing/IndentOutdentCommand.cpp
index 9642afa..7089f6f 100644
--- a/WebCore/editing/IndentOutdentCommand.cpp
+++ b/WebCore/editing/IndentOutdentCommand.cpp
@@ -99,6 +99,9 @@ void IndentOutdentCommand::indentIntoBlockquote(const Position& start, const Pos
else
nodeToSplitTo = editableRootForPosition(start);
+ if (!nodeToSplitTo)
+ return;
+
RefPtr<Node> outerBlock = (start.node() == nodeToSplitTo) ? start.node() : splitTreeToNode(start.node(), nodeToSplitTo);
if (!targetBlockquote) {
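Review bot: the new `if (!nodeToSplitTo) return;` exits silently, and nothing in the hunk says when `editableRootForPosition(start)` is expected to return null. Add a short comment naming that condition (the layout test suggests a selection starting in non-editable content) so the guard is not later mistaken for dead code. It is also worth confirming that the caller copes with an indent that performs no work for this range, since it gets no signal that the function bailed out.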
--
WebKit Debian packaging