Changeset 209957 in webkit


Timestamp:
Dec 16, 2016 8:04:08 PM (7 years ago)
Author:
rniwa@webkit.org
Message:

Deleting a character converted from pinyin after an image causes a Safari crash
https://bugs.webkit.org/show_bug.cgi?id=165839
Source/WebKit2:

Reviewed by Darin Adler.

The crash was caused by the payload of the IPC not being decoded correctly when the encoded attributed string
contains a NSTextAttachment but send<> would still gladly send it to the UIProcess.

Fixed it by omitting the image as done in r176412 since encoding NSFileWrapper, etc... would require
quite a bit of work, and IME doesn't really need to see the image in its attributed string.

  • WebProcess/WebPage/mac/WebPageMac.mm:

(WebKit::WebPage::attributedSubstringForCharacterRangeAsync): Fixed the bug.

Tools:

<rdar://problem/27951933>

Reviewed by Wenson Hsieh.

Add a WebKit API test to call attributedSubstringForProposedRange on a WKWebView
while the proposed range contains an image. This should not cause a WebProcess to crash
or send an invalid message to the UIProcess.

  • TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
  • TestWebKitAPI/Tests/WebKit2/chinese-character-with-image.html: Added.
  • TestWebKitAPI/Tests/WebKit2/mac/AttributedSubstringForProposedRangeWithImage.mm: Added.

(TestWebKitAPI::didFinishLoadForFrame):
(TestWebKitAPI::processDidCrash):
(TestWebKitAPI::invalidMessageFunction):
(TestWebKitAPI::WebKit2.AttributedSubstringForProposedRangeWithImage):

Location:
trunk
Files:
2 added
4 edited

  • trunk/Source/WebKit2/ChangeLog

    r209943 r209957  
     12016-12-16  Ryosuke Niwa  <rniwa@webkit.org>
     2
     3        Deleting a character converted from pinyin after an image causes a Safari crash
     4        https://bugs.webkit.org/show_bug.cgi?id=165839
     5
     6        Reviewed by Darin Adler.
     7
     8        The crash was caused by the payload of the IPC not being decoded correctly when the encoded attributed string
     9        contains a NSTextAttachment but send<> would still gladly send it to the UIProcess.
     10
     11        Fixed it by omitting the image as done in r176412 since encoding NSFileWrapper, etc... would require
     12        quite a bit of work, and IME doesn't really need to see the image in its attributed string.
     13
     14        * WebProcess/WebPage/mac/WebPageMac.mm:
     15        (WebKit::WebPage::attributedSubstringForCharacterRangeAsync): Fixed the bug.
     16
    1172016-12-16  Andy Estes  <aestes@apple.com>
    218
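Review bot: The radar reference is missing from this entry. The Tools/ChangeLog entry in the same changeset carries <rdar://problem/27951933> directly under the bugs.webkit.org URL, but the Source/WebKit2 entry that describes the actual fix does not. Add the same line here so both entries point at the same tracking record.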
  • trunk/Source/WebKit2/WebProcess/WebPage/mac/WebPageMac.mm

    r208841 r209957  
    363363    }
    364364
    365     result.string = editingAttributedStringFromRange(*range);
     365    result.string = editingAttributedStringFromRange(*range, IncludeImagesInAttributedString::No);
    366366    NSAttributedString* attributedString = result.string.get();
    367367   
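Review bot: The new call at line 365 needs a comment saying why images are excluded. Nothing at the call site tells a later reader that passing IncludeImagesInAttributedString::No is what keeps an NSTextAttachment out of the string sent to the UIProcess, so the argument could be dropped in a later cleanup and the decode failure described in the ChangeLog would come back. The old call compiled without the second argument, so any other caller of editingAttributedStringFromRange that relies on the default and passes the result over IPC deserves the same check. A debug assertion on the sending side that the string contains no attachment would catch that mistake in the WebProcess instead of leaving it to the decoder in the UIProcess.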
  • trunk/Tools/ChangeLog

    r209931 r209957  
     12016-12-16  Ryosuke Niwa  <rniwa@webkit.org>
     2
     3        Deleting a character converted from pinyin after an image causes a Safari crash
     4        https://bugs.webkit.org/show_bug.cgi?id=165839
     5        <rdar://problem/27951933>
     6
     7        Reviewed by Wenson Hsieh.
     8
     9        Add a WebKit API test to call attributedSubstringForProposedRange on a WKWebView
     10        while the proposed range contains an image. This should not cause a WebProcess to crash
     11        or send an invalid message to the UIProcess.
     12
     13        * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
     14        * TestWebKitAPI/Tests/WebKit2/chinese-character-with-image.html: Added.
     15        * TestWebKitAPI/Tests/WebKit2/mac/AttributedSubstringForProposedRangeWithImage.mm: Added.
     16        (TestWebKitAPI::didFinishLoadForFrame):
     17        (TestWebKitAPI::processDidCrash):
     18        (TestWebKitAPI::invalidMessageFunction):
     19        (TestWebKitAPI::WebKit2.AttributedSubstringForProposedRangeWithImage):
     20
    1212016-12-16  Wenson Hsieh  <wenson_hsieh@apple.com>
    222
  • trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj

    r209824 r209957  
    450450                9B270FEE1DDC2C0B002D53F3 /* closed-shadow-tree-test.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 9B270FED1DDC25FD002D53F3 /* closed-shadow-tree-test.html */; };
    451451                9B4F8FA7159D52DD002D9F94 /* HTMLCollectionNamedItem.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 9B4F8FA6159D52CA002D9F94 /* HTMLCollectionNamedItem.html */; };
     452                9BD4239A1E04BD9800200395 /* AttributedSubstringForProposedRangeWithImage.mm in Sources */ = {isa = PBXBuildFile; fileRef = 9BD423991E04BD9800200395 /* AttributedSubstringForProposedRangeWithImage.mm */; };
     453                9BD4239C1E04C01C00200395 /* chinese-character-with-image.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 9BD4239B1E04BFD000200395 /* chinese-character-with-image.html */; };
    452454                9C64DC321D76198A004B598E /* YouTubePluginReplacement.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 9C64DC311D76198A004B598E /* YouTubePluginReplacement.cpp */; };
    453455                A1146A8D1D2D7115000FE710 /* ContentFiltering.mm in Sources */ = {isa = PBXBuildFile; fileRef = A1146A8A1D2D704F000FE710 /* ContentFiltering.mm */; };
     
    593595                        dstSubfolderSpec = 7;
    594596                        files = (
     597                                9BD4239C1E04C01C00200395 /* chinese-character-with-image.html in Copy Resources */,
    595598                                5110FCF91E01CD8A006F8D0B /* IndexUpgrade.blob in Copy Resources */,
    596599                                5110FCF61E01CD83006F8D0B /* IndexUpgrade.sqlite3 in Copy Resources */,
     
    11171120                9B4F8FA6159D52CA002D9F94 /* HTMLCollectionNamedItem.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = HTMLCollectionNamedItem.html; sourceTree = "<group>"; };
    11181121                9B79164F1BD89D0D00D50B8F /* FirstResponderScrollingPosition.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = FirstResponderScrollingPosition.mm; sourceTree = "<group>"; };
     1122                9BD423991E04BD9800200395 /* AttributedSubstringForProposedRangeWithImage.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = AttributedSubstringForProposedRangeWithImage.mm; sourceTree = "<group>"; };
     1123                9BD4239B1E04BFD000200395 /* chinese-character-with-image.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = "chinese-character-with-image.html"; sourceTree = "<group>"; };
    11191124                9C64DC311D76198A004B598E /* YouTubePluginReplacement.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = YouTubePluginReplacement.cpp; sourceTree = "<group>"; };
    11201125                A1146A8A1D2D704F000FE710 /* ContentFiltering.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = ContentFiltering.mm; sourceTree = "<group>"; };
     
    19081913                        isa = PBXGroup;
    19091914                        children = (
     1915                                9BD4239B1E04BFD000200395 /* chinese-character-with-image.html */,
    19101916                                07492B391DF8ADA400633DE1 /* enumerateMediaDevices.html */,
    19111917                                C045F9461385C2F800C0F3CD /* 18-characters.html */,
     
    21252131                        isa = PBXGroup;
    21262132                        children = (
     2133                                9BD423991E04BD9800200395 /* AttributedSubstringForProposedRangeWithImage.mm */,
    21272134                                8349D3C11DB96DDA004A9F65 /* ContextMenuDownload.mm */,
    21282135                                BCAA485714A044D40088FAC4 /* EditorCommands.mm */,
     
    26842691                        files = (
    26852692                                2E7765CD16C4D80A00BA2BB1 /* mainIOS.mm in Sources */,
     2693                                9BD4239A1E04BD9800200395 /* AttributedSubstringForProposedRangeWithImage.mm in Sources */,
    26862694                                7AD3FE8E1D76131200B169A4 /* TransformationMatrix.cpp in Sources */,
    26872695                                2E7765CF16C4D81100BA2BB1 /* mainMac.mm in Sources */,
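Review bot: In the last hunk, AttributedSubstringForProposedRangeWithImage.mm is added to a Sources list that also contains mainIOS.mm, while the ChangeLog places the file under Tests/WebKit2/mac. Please confirm that this build phase is not compiled for iOS, or that the test body is guarded for macOS only, since the file itself is not shown in this view. The new entries are also placed at the top of each list rather than next to related files; if the project file is normally kept sorted, re-sorting before landing would keep later diffs small.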