Dragging image with a border-image larger than the image element crashes
author wenson_hsieh@apple.com <wenson_hsieh@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 19 Nov 2018 16:31:22 +0000 (16:31 +0000)
committer wenson_hsieh@apple.com <wenson_hsieh@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 19 Nov 2018 16:31:22 +0000 (16:31 +0000)
https://bugs.webkit.org/show_bug.cgi?id=191817
<rdar://problem/46159222>

Reviewed by Ryosuke Niwa.

Source/WebCore:

When dragging an image element, if the image element has:

(1) box-sizing: border-box;
(2) a border-image
(3) a border-top-width that is at least as large as the height of the element and/or a border-left-width that is
    at least as large as the width of the element

...then upon drag, we will fail to create a suitable drag image using the bounding box of the image element
since the size is empty, thereby causing a crash. To fix this, we bail out of this bounding-rect-dependent
codepath for generating a drag image in the case where the bounding rect is empty, and instead fall back to an
icon representation for the drag image.

Test: fast/events/drag-image-with-border-image.html

* page/DragController.cpp:
(WebCore::DragController::doImageDrag):

LayoutTests:

Verifies that an image that meets the pathological criteria described in Source/WebCore/ChangeLog can still be
dragged and dropped into an editable area.

* fast/events/drag-image-with-border-image.html: Added.
* platform/gtk/TestExpectations:
* platform/ios/TestExpectations:
* platform/mac-wk2/TestExpectations:
* platform/wpe/TestExpectations:

Enable this test only in WebKit1.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@238375 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/events/drag-image-with-border-image-expected.txt [new file with mode: 0644]
LayoutTests/fast/events/drag-image-with-border-image.html [new file with mode: 0644]
LayoutTests/platform/gtk/TestExpectations
LayoutTests/platform/ios/TestExpectations
LayoutTests/platform/mac-wk2/TestExpectations
LayoutTests/platform/wpe/TestExpectations
Source/WebCore/ChangeLog
Source/WebCore/page/DragController.cpp

index 3f97477..467335b 100644 (file)
@@ -1,3 +1,22 @@
+2018-11-19  Wenson Hsieh  <wenson_hsieh@apple.com>
+
+        Dragging image with a border-image larger than the image element crashes
+        https://bugs.webkit.org/show_bug.cgi?id=191817
+        <rdar://problem/46159222>
+
+        Reviewed by Ryosuke Niwa.
+
+        Verifies that an image that meets the pathological criteria described in Source/WebCore/ChangeLog can still be
+        dragged and dropped into an editable area.
+
+        * fast/events/drag-image-with-border-image.html: Added.
+        * platform/gtk/TestExpectations:
+        * platform/ios/TestExpectations:
+        * platform/mac-wk2/TestExpectations:
+        * platform/wpe/TestExpectations:
+
+        Enable this test only in WebKit1.
+
 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
 
         Unreviewed, rolling in the rest of r237254
diff --git a/LayoutTests/fast/events/drag-image-with-border-image-expected.txt b/LayoutTests/fast/events/drag-image-with-border-image-expected.txt
new file mode 100644 (file)
index 0000000..0be58d0
--- /dev/null
@@ -0,0 +1,10 @@
+PASS receivedDropEvent is true
+PASS !!destination.querySelector("img") is true
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
+
+This test verifies that the web process does not crash when dragging an image element with a border image whose dimensions exceeds the dimensions of the image element itself. To manually test, try to drag the contents of the solid red box; the web process should not crash, and dropping into the green editable area should insert an image.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
diff --git a/LayoutTests/fast/events/drag-image-with-border-image.html b/LayoutTests/fast/events/drag-image-with-border-image.html
new file mode 100644 (file)
index 0000000..621946c
--- /dev/null
@@ -0,0 +1,55 @@
+<html>
+<head>
+<script src="../../resources/js-test.js"></script>
+<style>
+img {
+    border-image: url(./resources/abe.png);
+    border-top-width: 100px;
+    border-left-width: 100px;
+    box-sizing: border-box;
+}
+
+#container {
+    border: solid 1px red;
+}
+
+#destination {
+    border: dashed 1px green;
+}
+
+img, #destination, #container {
+    width: 100px;
+    height: 100px;
+}
+</style>
+</head>
+<body>
+<div id="container"><img src="resources/abe.png"></div>
+<div id="destination" contenteditable></div>
+<div id="description"></div>
+</body>
+<script>
+receivedDropEvent = false;
+destination.addEventListener("drop", () => receivedDropEvent = true);
+
+addEventListener("load", () => {
+    description("This test verifies that the web process does not crash when dragging an image element with a border"
+        + " image whose dimensions exceeds the dimensions of the image element itself. To manually test, try to drag the"
+        + " contents of the solid red box; the web process should not crash, and dropping into the green editable area"
+        + " should insert an image.");
+
+    if (!window.testRunner || !window.eventSender)
+        return;
+
+    testRunner.dumpAsText();
+    eventSender.mouseMoveTo(50, 50);
+    eventSender.mouseDown();
+    eventSender.leapForward(2000);
+    eventSender.mouseMoveTo(50, 150);
+    eventSender.mouseUp();
+
+    shouldBeTrue("receivedDropEvent");
+    shouldBeTrue(`!!destination.querySelector("img")`);
+});
+</script>
+</html>
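Review bot: `receivedDropEvent = false;` at the top of the script assigns an undeclared identifier, so it only works by creating an implicit global, and `destination` is reached through the named-element-on-window lookup rather than a DOM query; declaring both explicitly (`let receivedDropEvent = false;` and `const destination = document.getElementById("destination");`) keeps the test working under strict mode and survives an id rename. The `description()` string also has a number-agreement slip: "whose dimensions exceeds" should read "whose dimensions exceed", and because that string is echoed into drag-image-with-border-image-expected.txt the expected file needs the same one-word edit.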
index 4242df8..ab9c222 100644 (file)
@@ -2501,6 +2501,7 @@ webkit.org/b/157179 fast/events/drag-and-drop.html [ Failure Timeout ]
 webkit.org/b/157179 fast/events/drag-and-drop-subframe-dataTransfer.html [ Failure Timeout ]
 webkit.org/b/42194 fast/events/drag-and-drop-link.html [ Failure ]
 webkit.org/b/157179 fast/events/drag-and-drop-link-into-focused-contenteditable.html [ Failure ]
+webkit.org/b/157179 fast/events/drag-image-with-border-image.html [ Failure ]
 webkit.org/b/157179 fast/events/draggable-div-customdata.html [ Failure ]
 webkit.org/b/157179 fast/events/draggable-div-nodata.html [ Failure ]
 webkit.org/b/157179 fast/events/dropzone-001.html [ Failure Timeout ]
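Review bot: this entry marks the new test `[ Failure ]` under the existing webkit.org/b/157179 drag-and-drop bug, in line with its neighbours, whereas the iOS and WPE entries use `[ Skip ]`. For a crash regression test the `[ Failure ]` form is preferable: the test still executes on GTK, so a return of the crash would show up as an unexpected result instead of being silently skipped, while the `[ Skip ]` ports get no coverage at all. Worth stating in the ChangeLog which ports actually exercise the test.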
index b482009..28668e7 100644 (file)
@@ -281,6 +281,7 @@ fast/events/drag-dataTransferItemList.html [ Skip ]
 fast/events/drag-display-none-element.html [ Skip ]
 fast/events/drag-file-crash.html [ Skip ]
 fast/events/drag-image-filename.html [ Skip ]
+fast/events/drag-image-with-border-image.html [ Skip ]
 fast/events/drag-in-frames.html [ Skip ]
 fast/events/drag-and-drop-link.html [ Skip ]
 fast/events/drag-and-drop-link-into-focused-contenteditable.html [ Skip ]
index 4ec6ed7..9b2fbed 100644 (file)
@@ -129,6 +129,7 @@ fast/events/drag-and-drop.html
 fast/events/drag-and-drop-link.html
 fast/events/drag-and-drop-link-fast-multiple-times-does-not-crash.html
 fast/events/drag-and-drop-link-containing-block.html
+fast/events/drag-image-with-border-image.html
 fast/events/drag-in-frames.html
 fast/events/drag-parent-node.html
 fast/events/draggable-div-nodata.html
index 7d87f4f..c4fa0ed 100644 (file)
@@ -158,6 +158,7 @@ fast/events/drag-customData.html [ Skip ]
 fast/events/drag-dataTransferItemList-file-handling.html [ Skip ]
 fast/events/drag-display-none-element.html [ Skip ]
 fast/events/drag-image-filename.html [ Skip ]
+fast/events/drag-image-with-border-image.html [ Skip ]
 fast/events/drag-in-frames.html [ Skip ]
 fast/events/drag-outside-window.html [ Skip ]
 fast/events/drag-parent-node.html [ Skip ]
index 1c4c75c..553f22f 100644 (file)
@@ -1,3 +1,28 @@
+2018-11-19  Wenson Hsieh  <wenson_hsieh@apple.com>
+
+        Dragging image with a border-image larger than the image element crashes
+        https://bugs.webkit.org/show_bug.cgi?id=191817
+        <rdar://problem/46159222>
+
+        Reviewed by Ryosuke Niwa.
+
+        When dragging an image element, if the image element has:
+
+        (1) box-sizing: border-box;
+        (2) a border-image
+        (3) a border-top-width that is at least as large as the height of the element and/or a border-left-width that is
+            at least as large as the width of the element
+
+        ...then upon drag, we will fail to create a suitable drag image using the bounding box of the image element
+        since the size is empty, thereby causing a crash. To fix this, we bail out of this bounding-rect-dependent
+        codepath for generating a drag image in the case where the bounding rect is empty, and instead fall back to an
+        icon representation for the drag image.
+
+        Test: fast/events/drag-image-with-border-image.html
+
+        * page/DragController.cpp:
+        (WebCore::DragController::doImageDrag):
+
 2018-11-18  Zan Dobersek  <zdobersek@igalia.com>
 
         HarfBuzzFace::CacheEntry should use 32-bit values in its HashMap
index 1776530..02d4d54 100644 (file)
@@ -1204,7 +1204,7 @@ void DragController::doImageDrag(Element& element, const IntPoint& dragOrigin, c
     ImageOrientationDescription orientationDescription(element.renderer()->shouldRespectImageOrientation(), element.renderer()->style().imageOrientation());
 
     Image* image = getImage(element);
-    if (image && shouldUseCachedImageForDragImage(*image) && (dragImage = DragImage { createDragImageFromImage(image, element.renderer() ? orientationDescription : ImageOrientationDescription()) })) {
+    if (image && !layoutRect.isEmpty() && shouldUseCachedImageForDragImage(*image) && (dragImage = DragImage { createDragImageFromImage(image, element.renderer() ? orientationDescription : ImageOrientationDescription()) })) {
         dragImage = DragImage { fitDragImageToMaxSize(dragImage.get(), layoutRect.size(), maxDragImageSize()) };
         IntSize fittedSize = dragImageSize(dragImage.get());
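Review bot: the added `!layoutRect.isEmpty()` guard is the entire fix, but nothing in the condition says why it is there, so it reads as a redundant check; a one-line comment above the `if` (e.g. `// An empty layout rect (border widths covering the whole element) cannot size the drag image; fall through to the icon path.`) would stop it being removed in a later cleanup. Placing the guard before `createDragImageFromImage` is the right spot, since it is `fitDragImageToMaxSize(..., layoutRect.size(), ...)` on the following line that would otherwise receive the empty size. One pre-existing inconsistency is visible in the context: `orientationDescription` is built by dereferencing `element.renderer()` unconditionally two lines earlier, so the `element.renderer() ? orientationDescription : ImageOrientationDescription()` null check inside the condition can never take its false branch; either that check is dead and can go, or the dereference above needs the same guard.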