Changeset 238375 in webkit

Timestamp:

Nov 19, 2018 8:31:22 AM (5 years ago)

Author:

Wenson Hsieh

Message:

Dragging image with a border-image larger than the image element crashes
​https://bugs.webkit.org/show_bug.cgi?id=191817
<rdar://problem/46159222>

Reviewed by Ryosuke Niwa.

Source/WebCore:

When dragging an image element, if the image element has:

(1) box-sizing: border-box;
(2) a border-image
(3) a border-top-width that is at least as large as the height of the element and/or a border-left-width that is

at least as large as the width of the element

...then upon drag, we will fail to create a suitable drag image using the bounding box of the image element
since the size is empty, thereby causing a crash. To fix this, we bail out of this bounding-rect-dependent
codepath for generating a drag image in the case where the bounding rect is empty, and instead fall back to an
icon representation for the drag image.

Test: fast/events/drag-image-with-border-image.html

• page/DragController.cpp:

(WebCore::DragController::doImageDrag):

LayoutTests:

Verifies that an image that meets the pathological criteria described in Source/WebCore/ChangeLog can still be
dragged and dropped into an editable area.

• fast/events/drag-image-with-border-image.html: Added.
• platform/gtk/TestExpectations:
• platform/ios/TestExpectations:
• platform/mac-wk2/TestExpectations:
• platform/wpe/TestExpectations:

Enable this test only in WebKit1.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/events/drag-image-with-border-image-expected.txt (added)
• LayoutTests/fast/events/drag-image-with-border-image.html (added)
• LayoutTests/platform/gtk/TestExpectations (modified) (1 diff)
• LayoutTests/platform/ios/TestExpectations (modified) (1 diff)
• LayoutTests/platform/mac-wk2/TestExpectations (modified) (1 diff)
• LayoutTests/platform/wpe/TestExpectations (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/DragController.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2018-11-19  Wenson Hsieh  <wenson_hsieh@apple.com>
+
+        Dragging image with a border-image larger than the image element crashes
+        https://bugs.webkit.org/show_bug.cgi?id=191817
+        <rdar://problem/46159222>
+
+        Reviewed by Ryosuke Niwa.
+
+        Verifies that an image that meets the pathological criteria described in Source/WebCore/ChangeLog can still be
+        dragged and dropped into an editable area.
+
+        * fast/events/drag-image-with-border-image.html: Added.
+        * platform/gtk/TestExpectations:
+        * platform/ios/TestExpectations:
+        * platform/mac-wk2/TestExpectations:
+        * platform/wpe/TestExpectations:
+
+        Enable this test only in WebKit1.
+
 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
 

trunk/LayoutTests/platform/gtk/TestExpectations

@@ -2502 +2502 @@
 webkit.org/b/42194 fast/events/drag-and-drop-link.html [ Failure ]
 webkit.org/b/157179 fast/events/drag-and-drop-link-into-focused-contenteditable.html [ Failure ]
+webkit.org/b/157179 fast/events/drag-image-with-border-image.html [ Failure ]
 webkit.org/b/157179 fast/events/draggable-div-customdata.html [ Failure ]
 webkit.org/b/157179 fast/events/draggable-div-nodata.html [ Failure ]

trunk/LayoutTests/platform/ios/TestExpectations

@@ -282 +282 @@
 fast/events/drag-file-crash.html [ Skip ]
 fast/events/drag-image-filename.html [ Skip ]
+fast/events/drag-image-with-border-image.html [ Skip ]
 fast/events/drag-in-frames.html [ Skip ]
 fast/events/drag-and-drop-link.html [ Skip ]

trunk/LayoutTests/platform/mac-wk2/TestExpectations

@@ -130 +130 @@
 fast/events/drag-and-drop-link-fast-multiple-times-does-not-crash.html
 fast/events/drag-and-drop-link-containing-block.html
+fast/events/drag-image-with-border-image.html
 fast/events/drag-in-frames.html
 fast/events/drag-parent-node.html

trunk/LayoutTests/platform/wpe/TestExpectations

@@ -159 +159 @@
 fast/events/drag-display-none-element.html [ Skip ]
 fast/events/drag-image-filename.html [ Skip ]
+fast/events/drag-image-with-border-image.html [ Skip ]
 fast/events/drag-in-frames.html [ Skip ]
 fast/events/drag-outside-window.html [ Skip ]

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2018-11-19  Wenson Hsieh  <wenson_hsieh@apple.com>
+
+        Dragging image with a border-image larger than the image element crashes
+        https://bugs.webkit.org/show_bug.cgi?id=191817
+        <rdar://problem/46159222>
+
+        Reviewed by Ryosuke Niwa.
+
+        When dragging an image element, if the image element has:
+
+        (1) box-sizing: border-box;
+        (2) a border-image
+        (3) a border-top-width that is at least as large as the height of the element and/or a border-left-width that is
+            at least as large as the width of the element
+
+        ...then upon drag, we will fail to create a suitable drag image using the bounding box of the image element
+        since the size is empty, thereby causing a crash. To fix this, we bail out of this bounding-rect-dependent
+        codepath for generating a drag image in the case where the bounding rect is empty, and instead fall back to an
+        icon representation for the drag image.
+
+        Test: fast/events/drag-image-with-border-image.html
+
+        * page/DragController.cpp:
+        (WebCore::DragController::doImageDrag):
+
 2018-11-18  Zan Dobersek  <zdobersek@igalia.com>
 

trunk/Source/WebCore/page/DragController.cpp

@@ -1205 +1205 @@
 
     Image* image = getImage(element);
-    if (image && shouldUseCachedImageForDragImage(*image) && (dragImage = DragImage { createDragImageFromImage(image, element.renderer() ? orientationDescription : ImageOrientationDescription()) })) {
+    if (image && !layoutRect.isEmpty() && shouldUseCachedImageForDragImage(*image) && (dragImage = DragImage { createDragImageFromImage(image, element.renderer() ? orientationDescription : ImageOrientationDescription()) })) {
         dragImage = DragImage { fitDragImageToMaxSize(dragImage.get(), layoutRect.size(), maxDragImageSize()) };
         IntSize fittedSize = dragImageSize(dragImage.get());