Crashes in WebCore::ReplaceSelectionCommand::doApply
author: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>, Thu, 8 Sep 2011 20:50:24 +0000 (20:50 +0000)
committer: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>, Thu, 8 Sep 2011 20:50:24 +0000 (20:50 +0000)
https://bugs.webkit.org/show_bug.cgi?id=67762

Patch by Shinya Kawanaka <shinyak@google.com> on 2011-09-08
Reviewed by Ryosuke Niwa.

Source/WebCore:

WebCore::enclosingBlock may return null, but its return value was not checked. This patch checks it.

Tests: editing/inserting/insert-without-enclosing-block.html

* editing/ReplaceSelectionCommand.cpp:
(WebCore::ReplaceSelectionCommand::doApply): Added null check.

LayoutTests:

WebCore::enclosingBlock may return NULL, but its return value was not checked. This patch checks it.

* editing/inserting/insert-without-enclosing-block-expected.txt: Added.
* editing/inserting/insert-without-enclosing-block.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@94793 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/editing/inserting/insert-without-enclosing-block-expected.txt [new file with mode: 0644]
LayoutTests/editing/inserting/insert-without-enclosing-block.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/editing/ReplaceSelectionCommand.cpp

index e69f5c9..0fbbb7e 100644 (file)
@@ -1,3 +1,15 @@
+2011-09-08  Shinya Kawanaka  <shinyak@google.com>
+
+        Crashes in WebCore::ReplaceSelectionCommand::doApply
+        https://bugs.webkit.org/show_bug.cgi?id=67762
+
+        Reviewed by Ryosuke Niwa.
+
+        WebCore::enclosingBlock may return NULL, but its return value was not checked. This patch checks it.
+
+        * editing/inserting/insert-without-enclosing-block-expected.txt: Added.
+        * editing/inserting/insert-without-enclosing-block.html: Added.
+
 2011-09-08  Nate Chapin  <japhet@chromium.org>
 
         Chromium baselines for new tests added in r94775 and r94779.
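Review bot: The LayoutTests ChangeLog entry reuses the Source/WebCore description ("WebCore::enclosingBlock may return NULL ...") instead of describing what the new test exercises; a LayoutTests entry should say what the test does, for example "Added a test that inserts HTML at a selection whose position has no enclosing block, which previously crashed in ReplaceSelectionCommand::doApply." Also note the spelling "NULL" here versus "null" in the WebCore entry; keep one form.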
diff --git a/LayoutTests/editing/inserting/insert-without-enclosing-block-expected.txt b/LayoutTests/editing/inserting/insert-without-enclosing-block-expected.txt
new file mode 100644 (file)
index 0000000..c07c641
--- /dev/null
@@ -0,0 +1,3 @@
+This test ensures WebKit does not crash.
+
+PASS
diff --git a/LayoutTests/editing/inserting/insert-without-enclosing-block.html b/LayoutTests/editing/inserting/insert-without-enclosing-block.html
new file mode 100644 (file)
index 0000000..38f9d71
--- /dev/null
@@ -0,0 +1,9 @@
+<feSpotLight><sub id="div" contenteditable="true"><script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+window.getSelection().setPosition(div, 0);
+document.execCommand("InsertHTML", false, "<dl>");
+
+document.writeln('This test ensures WebKit does not crash.<br><br>PASS');
+</script>
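Review bot: The reduced markup on the first line (`<feSpotLight>` outside any `<svg>`, an unclosed `<sub contenteditable>` wrapping the script) is clearly a minimized reproduction, but nothing in the file says so; a one-line HTML comment explaining that this shape is what leaves the insertion position without an enclosing block would keep a future cleanup from "fixing" the markup and silently losing coverage. The test also passes only by not crashing (the PASS text is written unconditionally by `document.writeln`), which is fine for a crash test but worth stating in that comment as well.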
index a078ecd..ef86839 100644 (file)
@@ -1,3 +1,17 @@
+2011-09-08  Shinya Kawanaka  <shinyak@google.com>
+
+        Crashes in WebCore::ReplaceSelectionCommand::doApply
+        https://bugs.webkit.org/show_bug.cgi?id=67762
+
+        Reviewed by Ryosuke Niwa.
+
+        WebCore::enclosingBlock may return null, but its return value was not checked. This patch checks it.
+
+        Tests: editing/inserting/insert-without-enclosing-block.html
+
+        * editing/ReplaceSelectionCommand.cpp:
+        (WebCore::ReplaceSelectionCommand::doApply): Added null check.
+
 2011-09-08  Sheriff Bot  <webkit.review.bot@gmail.com>
 
         Unreviewed, rolling out r94784.
index 7697ead..4c58f6c 100644 (file)
@@ -994,7 +994,7 @@ void ReplaceSelectionCommand::doApply()
 
     Node* blockStart = enclosingBlock(insertionPos.deprecatedNode());
     if ((isListElement(refNode.get()) || (isLegacyAppleStyleSpan(refNode.get()) && isListElement(refNode->firstChild())))
-        && blockStart->renderer()->isListItem())
+        && blockStart && blockStart->renderer()->isListItem())
         refNode = insertAsListItems(refNode, blockStart, insertionPos);
     else
         insertNodeAtAndUpdateNodesInserted(refNode, insertionPos);
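Review bot: The added `blockStart &&` guard covers the null return from `enclosingBlock`, but the same condition still dereferences `blockStart->renderer()` unconditionally in `blockStart->renderer()->isListItem()`; a node's renderer can be null (for example under `display: none` or before layout is attached), so the fix should be `&& blockStart && blockStart->renderer() && blockStart->renderer()->isListItem()` to avoid trading one null dereference for another. It would also be worth a test case with a `display: none` enclosing block to cover that path alongside insert-without-enclosing-block.html.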