[crash] Renderer crashes when spell checking a disabled input field.
author commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 16 Jan 2012 11:31:38 +0000 (11:31 +0000)
committer commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 16 Jan 2012 11:31:38 +0000 (11:31 +0000)
https://bugs.webkit.org/show_bug.cgi?id=75941

Patch by Shinya Kawanaka <shinyak@google.com> on 2012-01-16
Reviewed by Hajime Morita.

.:

* ManualTests/editing-disabled-node-replace-crash.html: Added.

Source/WebCore:

We confirm the selection is editable before replacing text.

Tests: ManualTests/editing-disabled-node-replace-crash.html

* editing/Editor.cpp:
(WebCore::Editor::replaceSelectionWithFragment):
* editing/ReplaceSelectionCommand.cpp:
(WebCore::ReplaceSelectionCommand::doApply):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@105050 268f45cc-cd09-0410-ab3c-d52691b4dbfc

ChangeLog
ManualTests/editing-disabled-node-replace-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/editing/Editor.cpp
Source/WebCore/editing/ReplaceSelectionCommand.cpp

index 3493d39..ff57c81 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2012-01-16  Shinya Kawanaka  <shinyak@google.com>
+
+        [crash] Renderer crashes when spell checking a disabled input field.
+        https://bugs.webkit.org/show_bug.cgi?id=75941
+
+        Reviewed by Hajime Morita.
+
+        * ManualTests/editing-disabled-node-replace-crash.html: Added.
+
 2012-01-13  Simon Fraser  <simon.fraser@apple.com>
 
         Unmatched transparency layer begin/end on a filtered element with an opacity ancestor
diff --git a/ManualTests/editing-disabled-node-replace-crash.html b/ManualTests/editing-disabled-node-replace-crash.html
new file mode 100644 (file)
index 0000000..970ccb6
--- /dev/null
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+
+<html>
+<head>
+    <title>Replacing text should not crash.</title>
+</head>
+<body>
+    <p>Manual test for fix <a href="https://bugs.webkit.org/show_bug.cgi?id=75941">Bug 75941</a></p>
+    <p>Right click the following input text, and replace the misspelled text [zz] to something.</p>
+    <p>Renderer should not crash in that operation.</p>
+    <input id="input" disabled value="zz">
+</body>
+</html>
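Review bot: The test page states only that the renderer should not crash; it never says what the disabled input should contain after the replace attempt. Add an expected-result line (for example, that the field still reads "zz") so a tester can tell a skipped replacement from one that was applied to a disabled control. The step "replace the misspelled text [zz] to something" also assumes the spell checker flags "zz" and offers a suggestion in the context menu; state that precondition in the instructions, and reword to "replace ... with a suggestion".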
index 9b4b9f7..5602a6e 100644 (file)
@@ -1,3 +1,19 @@
+2012-01-16  Shinya Kawanaka  <shinyak@google.com>
+
+        [crash] Renderer crashes when spell checking a disabled input field.
+        https://bugs.webkit.org/show_bug.cgi?id=75941
+
+        Reviewed by Hajime Morita.
+
+        We confirm the selection is editable before replacing text.
+
+        Tests: ManualTests/editing-disabled-node-replace-crash.html
+
+        * editing/Editor.cpp:
+        (WebCore::Editor::replaceSelectionWithFragment):
+        * editing/ReplaceSelectionCommand.cpp:
+        (WebCore::ReplaceSelectionCommand::doApply):
+
 2012-01-16  Pablo Flouret  <pablof@motorola.com>
 
         Fix compilation errors on build-webkit --debug --no-svg --no-svg-fonts --no-svg-dom-objc-bindings on mac.
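Review bot: The entry "We confirm the selection is editable before replacing text." describes the change but not the cause of the crash, so a later reader cannot tell which code was being reached with a non-editable selection. Add a sentence naming what failed when the selection was not editable. The "Tests:" line lists only a manual test, so nothing automated guards against a regression; say in the entry why an automated test was not possible, or add one.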
index 282c7ef..a5a3ea5 100644 (file)
@@ -400,7 +400,7 @@ bool Editor::shouldInsertFragment(PassRefPtr<DocumentFragment> fragment, PassRef
 
 void Editor::replaceSelectionWithFragment(PassRefPtr<DocumentFragment> fragment, bool selectReplacement, bool smartReplace, bool matchStyle)
 {
-    if (m_frame->selection()->isNone() || !fragment)
+    if (m_frame->selection()->isNone() || !m_frame->selection()->isContentEditable() || !fragment)
         return;
 
     ReplaceSelectionCommand::CommandOptions options = ReplaceSelectionCommand::PreventNesting | ReplaceSelectionCommand::SanitizeFragment;
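Review bot: The guard added to the condition in Editor::replaceSelectionWithFragment tests `!m_frame->selection()->isContentEditable()`, while the companion guard in ReplaceSelectionCommand::doApply tests `!selection.rootEditableElement()`. If the two predicates are meant to be equivalent, use the same one in both places; if they are not, add a comment saying which case each covers. The condition now calls `m_frame->selection()` twice, so a local for the selection would make it easier to read, and the cheap `!fragment` test could come first. The function returns void, so callers get no signal that the replacement was skipped; confirm that is acceptable for the spell-check replacement path this patch targets.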
index 3570457..2d1fbed 100644 (file)
@@ -817,6 +817,9 @@ void ReplaceSelectionCommand::doApply()
     if (!selection.isNonOrphanedCaretOrRange() || !selection.start().deprecatedNode())
         return;
 
+    if (!selection.rootEditableElement())
+        return;
+
     ReplacementFragment fragment(document(), m_documentFragment.get(), m_matchStyle, selection);
     if (performTrivialReplace(fragment))
         return;
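Review bot: The new early return on `!selection.rootEditableElement()` in doApply has no comment explaining how a command reaches this point with a selection that has no editable root, nor which later use it protects. A one-line comment above the check would keep it from being removed as redundant, since Editor::replaceSelectionWithFragment now rejects non-editable selections before the command is created. Consider folding it into the preceding `if (!selection.isNonOrphanedCaretOrRange() || !selection.start().deprecatedNode())` so all selection preconditions sit in one place.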