ASSERT_WITH_SECURITY_IMPLICATION in WebCore::toElement
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 15 Feb 2014 08:57:21 +0000 (08:57 +0000)
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 15 Feb 2014 08:57:21 +0000 (08:57 +0000)
https://bugs.webkit.org/show_bug.cgi?id=128810

Patch by Renata Hodovan <rhodovan.u-szeged@partner.samsung.com> on 2014-02-15
Reviewed by Ryosuke Niwa.

Source/WebCore:

Make CompositeEditCommand::cloneParagraphUnderNewElement() to work when |outerNode|
doesn't contain |start|.

Before this patch, CompositeEditCommand::cloneParagraphUnderNewElement() tried to copy
ancestry nodes from |start| to Document node when |start| position isn't in |outerNode|. This
patch changes CompositeEditCommand::cloneParagraphUnderNewElement() to copy |start| to
|outerNode| only if |outerNode| contains |start| position.

Merged from Blink https://src.chromium.org/viewvc/blink?revision=161762&view=revision by yosin@chromium.org.

Test: editing/execCommand/indent-with-uneditable-crash.html

* editing/CompositeEditCommand.cpp:
(WebCore::CompositeEditCommand::cloneParagraphUnderNewElement):

LayoutTests:

* editing/execCommand/indent-with-uneditable-crash-expected.txt: Added.
* editing/execCommand/indent-with-uneditable-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@164170 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/editing/execCommand/indent-with-uneditable-crash-expected.txt [new file with mode: 0644]
LayoutTests/editing/execCommand/indent-with-uneditable-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/editing/CompositeEditCommand.cpp

index e7c4cb3..aba1e9d 100644 (file)
@@ -1,3 +1,13 @@
+2014-02-15  Renata Hodovan  <rhodovan.u-szeged@partner.samsung.com>
+
+        ASSERT_WITH_SECURITY_IMPLICATION in WebCore::toElement
+        https://bugs.webkit.org/show_bug.cgi?id=128810
+
+        Reviewed by Ryosuke Niwa.
+
+        * editing/execCommand/indent-with-uneditable-crash-expected.txt: Added.
+        * editing/execCommand/indent-with-uneditable-crash.html: Added.
+
 2014-02-15  Samuel White  <samuel_white@apple.com>
 
         AX: Add ability to specify descendant type when using AXUIElementsForSearchPredicate.
diff --git a/LayoutTests/editing/execCommand/indent-with-uneditable-crash-expected.txt b/LayoutTests/editing/execCommand/indent-with-uneditable-crash-expected.txt
new file mode 100644 (file)
index 0000000..0383162
--- /dev/null
@@ -0,0 +1 @@
+Test passes if it does not crash.
diff --git a/LayoutTests/editing/execCommand/indent-with-uneditable-crash.html b/LayoutTests/editing/execCommand/indent-with-uneditable-crash.html
new file mode 100644 (file)
index 0000000..9c8e9bc
--- /dev/null
@@ -0,0 +1,15 @@
+<body contenteditable="true">
+    <select></select>
+    <form>
+        <i contenteditable="false"></i>
+        <dfn></dfn></form><hr>
+       
+       <script type="text/javascript"> 
+           if (window.testRunner)
+               testRunner.dumpAsText();
+
+           document.execCommand("selectall");
+           document.execCommand("indent");
+           document.body.innerHTML = "Test passes if it does not crash.";
+       </script>
+</body>
index 6f17e53..5e4844b 100644 (file)
@@ -1,3 +1,25 @@
+2014-02-15  Renata Hodovan  <rhodovan.u-szeged@partner.samsung.com>
+
+        ASSERT_WITH_SECURITY_IMPLICATION in WebCore::toElement
+        https://bugs.webkit.org/show_bug.cgi?id=128810
+
+        Reviewed by Ryosuke Niwa.
+
+        Make CompositeEditCommand::cloneParagraphUnderNewElement() to work when |outerNode|
+        doesn't contain |start|.
+
+        Before this patch, CompositeEditCommand::cloneParagraphUnderNewElement() tried to copy
+        ancestry nodes from |start| to Document node when |start| position isn't in |outerNode|. This
+        patch changes CompositeEditCommand::cloneParagraphUnderNewElement() to copy |start| to
+        |outerNode| only if |outerNode| contains |start| position.
+
+        Merged from Blink https://src.chromium.org/viewvc/blink?revision=161762&view=revision by yosin@chromium.org.
+
+        Test: editing/execCommand/indent-with-uneditable-crash.html
+
+        * editing/CompositeEditCommand.cpp:
+        (WebCore::CompositeEditCommand::cloneParagraphUnderNewElement):
+
 2014-02-15  Samuel White  <samuel_white@apple.com>
 
         AX: Add ability to specify descendant type when using AXUIElementsForSearchPredicate.
index e7ce57b..314283d 100644 (file)
@@ -1061,7 +1061,7 @@ void CompositeEditCommand::cloneParagraphUnderNewElement(Position& start, Positi
         appendNode(lastNode, blockElement);
     }
 
-    if (start.deprecatedNode() != outerNode && lastNode->isElementNode()) {
+    if (start.deprecatedNode() != outerNode && lastNode->isElementNode() && start.anchorNode()->isDescendantOf(outerNode.get())) {
         Vector<RefPtr<Node>> ancestors;
         
         // Insert each node from innerNode to outerNode (excluded) in a list.