Changeset 277174 in webkit


Timestamp:
May 7, 2021, 8:23:51 AM (4 years ago)
Author:
commit-queue@webkit.org
Message:

Crash in ApplyStyleCommand::applyRelativeFontStyleChange
https://bugs.webkit.org/show_bug.cgi?id=225235

Patch by Frédéric Wang <fwang@igalia.com> on 2021-05-07
Reviewed by Ryosuke Niwa.

Source/WebCore:

Test: editing/execCommand/font-size-delta-same-node-for-start-and-end-crash.html

In ApplyStyleCommand::applyRelativeFontStyleChange, when the selection start and end have the
same anchor node, the start node of the loop is obtained by calling Position::upstream on the
selection start while the end node of the loop is obtained by calling NodeTraversal::next on the
anchor node. This can result in the former being after the latter. This patch fixes this by
moving the end of the loop after the anchor node (similar to what is already done when the
start anchor node is a strict descendant of the end anchor node).

  • editing/ApplyStyleCommand.cpp:

(WebCore::ApplyStyleCommand::applyRelativeFontStyleChange): Also include the case where
end.deprecatedNode() == start.deprecatedNode() in the conditional.

LayoutTests:

Add regression test.

  • editing/execCommand/font-size-delta-same-node-for-start-and-end-crash-expected.txt: Added.
  • editing/execCommand/font-size-delta-same-node-for-start-and-end-crash.html: Added.
  • platform/ios/editing/execCommand/font-size-delta-same-node-for-start-and-end-crash-expected.txt: Added.
Location:
trunk
Files:
3 added
3 edited

  • trunk/LayoutTests/ChangeLog

    r277173 r277174  
     12021-05-07  Frédéric Wang  <fwang@igalia.com>
     2
     3        Crash in ApplyStyleCommand::applyRelativeFontStyleChange
     4        https://bugs.webkit.org/show_bug.cgi?id=225235
     5
     6        Reviewed by Ryosuke Niwa.
     7
     8        Add regression test.
     9
     10        * editing/execCommand/font-size-delta-same-node-for-start-and-end-crash-expected.txt: Added.
     11        * editing/execCommand/font-size-delta-same-node-for-start-and-end-crash.html: Added.
     12        * platform/ios/editing/execCommand/font-size-delta-same-node-for-start-and-end-crash-expected.txt: Added.
     13
    1142021-05-07  Philippe Normand  <pnormand@igalia.com>
    215
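Review bot: Line 12 of this entry adds a separate platform/ios expected file next to the generic one on line 10, but "Add regression test." does not say why iOS needs its own expectation. Add a sentence stating what differs in the iOS output, so that a later rebaseline of either file does not silently hide a regression of this crash test.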
  • trunk/Source/WebCore/ChangeLog

    r277172 r277174  
     12021-05-07  Frédéric Wang  <fwang@igalia.com>
     2
     3        Crash in ApplyStyleCommand::applyRelativeFontStyleChange
     4        https://bugs.webkit.org/show_bug.cgi?id=225235
     5
     6        Reviewed by Ryosuke Niwa.
     7
     8        Test: editing/execCommand/font-size-delta-same-node-for-start-and-end-crash.html
     9
     10        In ApplyStyleCommand::applyRelativeFontStyleChange, when the selection start and end have the
     11        same anchor node, the start node of the loop is obtained by calling Position::upstream on the
     12        selection start while end node of the loop is obtained by calling NodeTraversal::next on the
     13        anchor node. This can result in the former being after the latter. This patch fixes this by
     14        moving the end of the loop after the anchor node (similar to what is already done when the
     15        start anchor node is a strict descendant of the end anchor node).
     16
     17        * editing/ApplyStyleCommand.cpp:
     18        (WebCore::ApplyStyleCommand::applyRelativeFontStyleChange): Also include the case where
     19        end.deprecatedNode() == start.deprecatedNode() in the conditional.
     20
    1212021-05-07  Carlos Garnacho  <carlosg@gnome.org>
    222
  • trunk/Source/WebCore/editing/ApplyStyleCommand.cpp

    r276133 r277174  
    349349    ASSERT(start.deprecatedNode());
    350350    ASSERT(end.deprecatedNode());
    351     if (start.deprecatedNode()->isDescendantOf(*end.deprecatedNode()))
     351    if (end.deprecatedNode()->contains(*start.deprecatedNode()))
    352352        beyondEnd = NodeTraversal::nextSkippingChildren(*end.deprecatedNode());
    353353    else
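Review bot: The new condition on line 351, end.deprecatedNode()->contains(*start.deprecatedNode()), only covers the crashing case if contains() also returns true when start and end share the same node. The ChangeLog states that this is the intent, but the call site does not show it. Add a short comment above the conditional saying that the equal-node case is deliberately included, so a later cleanup does not switch it back to the strict isDescendantOf() form. Both nodes are also dereferenced on this line with only the ASSERTs on lines 349 and 350 in front of them; if a null anchor node can reach this function, an explicit early return would be more robust than the assertions alone.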