Reviewed by Justin.
author eric@webkit.org <eric@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 30 Jul 2008 23:13:57 +0000 (23:13 +0000)
committer eric@webkit.org <eric@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 30 Jul 2008 23:13:57 +0000 (23:13 +0000)
        Crash Safari when dragging images into Google presentations
        https://bugs.webkit.org/show_bug.cgi?id=20161

        Test: manual-tests/remove-on-drop-crash.html

        * editing/ReplaceSelectionCommand.cpp:
        (WebCore::ReplaceSelectionCommand::doApply):
        * manual-tests/remove-on-drop-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@35465 268f45cc-cd09-0410-ab3c-d52691b4dbfc

WebCore/ChangeLog
WebCore/editing/ReplaceSelectionCommand.cpp
WebCore/manual-tests/remove-on-drop-crash.html [new file with mode: 0644]

index d157f1a5f2b21653186115ef38296887a89ff8ef..e573646ddbee05fe398f05cba12f230fbcc5298e 100644 (file)
@@ -1,3 +1,16 @@
+2008-07-25  Eric Seidel  <eric@webkit.org>
+
+        Reviewed by Justin.
+
+        Crash Safari when dragging images into Google presentations
+        https://bugs.webkit.org/show_bug.cgi?id=20161
+
+        Test: manual-tests/remove-on-drop-crash.html
+
+        * editing/ReplaceSelectionCommand.cpp:
+        (WebCore::ReplaceSelectionCommand::doApply):
+        * manual-tests/remove-on-drop-crash.html: Added.
+
 2008-07-30  Christian Dywan  <christian@twotoasts.de>
 
         Reviewed by Mark.
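Review bot: The "(WebCore::ReplaceSelectionCommand::doApply):" line in this entry has nothing after the colon, so the ChangeLog records only the symptom ("Crash Safari when dragging images into Google presentations") and not the fix. Suggest a short description there, for example "Return early if the inserted content was already removed from the document by a mutation event handler." The entry is also dated 2008-07-25 while it sits above the 2008-07-30 entry; using the landing date would keep the dates in order.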
index e31905297d9dcd59a10b1f3e6c43e8074d7c6e3b..3a6d4b19e4cc797976720b805dde6d13a92fc102 100644 (file)
@@ -765,7 +765,8 @@ void ReplaceSelectionCommand::doApply()
     if (!handledStyleSpans)
         handleStyleSpans();
     
-    if (!m_firstNodeInserted)
+    // Mutation events (bug 20161) may have already removed the inserted content
+    if (!m_firstNodeInserted || !m_firstNodeInserted->inDocument())
         return;
     
     endOfInsertedContent = positionAtEndOfInsertedContent();
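Review bot: The new guard checks only "m_firstNodeInserted->inDocument()", yet the next statement calls positionAtEndOfInsertedContent(), and a mutation event handler can remove a later inserted node while leaving the first one in the document. If the end position is derived from a separately tracked last node, that node needs the same inDocument() test before it is used. Also, handleStyleSpans() still runs above the guard; if it touches the inserted nodes, the check should move ahead of it so removed content is never walked.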
diff --git a/WebCore/manual-tests/remove-on-drop-crash.html b/WebCore/manual-tests/remove-on-drop-crash.html
new file mode 100644 (file)
index 0000000..c50adba
--- /dev/null
@@ -0,0 +1,10 @@
+<body>
+Load <a href="http://www.google.com/">Google</a> and drag the logo onto this page.  The second time you drag it on, Safari will crash.
+<script>
+function deleteSelection() {
+  document.execCommand("delete");
+}
+document.designMode="on";
+document.body.addEventListener("DOMNodeInserted", deleteSelection, false);
+</script>
+</body>
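Review bot: The instructions rely on loading http://www.google.com/ and dragging its logo, so the test needs network access and stops working if that page changes; if the crash reproduces with any dragged image, pointing the link at an image checked in beside the test would make it self-contained. The text also says only "Safari will crash" and never states the passing result, so a tester on a fixed build has no success criterion. Suggest adding a sentence such as "The test passes if the browser does not crash after the second drop."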