[Webkit-unassigned] [Bug 54395] New: NULL ptr in IndentOutdentCommand::tryIndentingAsListItem

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Feb 14 08:57:07 PST 2011


https://bugs.webkit.org/show_bug.cgi?id=54395

           Summary: NULL ptr in
                    IndentOutdentCommand::tryIndentingAsListItem
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Windows Vista
            Status: NEW
          Severity: Normal
          Priority: P1
         Component: HTML Editing
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: skylined at chromium.org
                CC: rniwa at webkit.org


Created an attachment (id=82321)
 --> (https://bugs.webkit.org/attachment.cgi?id=82321&action=review)
Repro

Chromium bug: http://code.google.com/p/chromium/issues/detail?id=72928

There is a NULL ptr deref problem in IndentOutdentCommand::tryIndentingAsListItem:
--- snip ---
http://codesearch.google.com/codesearch/p?hl=en#OAMlx_jo-ck/src/third_party/WebKit/Source/WebCore/editing/IndentOutdentCommand.cpp&q=IndentOutdentCommand::tryIndentingAsListItem&exact_package=chromium&sa=N&cd=1&ct=rc
bool IndentOutdentCommand::tryIndentingAsListItem(const Position& start, const Position& end)
{
    // If our selection is not inside a list, bail out.
    Node* lastNodeInSelectedParagraph = start.node();
    RefPtr<Element> listNode = enclosingList(lastNodeInSelectedParagraph);
    if (!listNode)
        return false;

    // Find the block that we want to indent.  If it's not a list item (e.g., a div inside a list item), we bail out.
    Element* selectedListItem = static_cast<Element*>(enclosingBlock(lastNodeInSelectedParagraph));

    // FIXME: we need to deal with the case where there is no li (malformed HTML)
    if (!selectedListItem->hasTagName(liTag))
        return false;
--- snip ---
Calling "selectedListItem->hasTagName" without checking if "selectedListItem" is
NULL can be a problem if "enclosingBlock" can return NULL:
--- snip ---
http://codesearch.google.com/codesearch/p?hl=en#OAMlx_jo-ck/src/third_party/WebKit/Source/WebCore/editing/htmlediting.cpp&q=enclosingBlock&exact_package=chromium&sa=N&cd=1&ct=rc&l=330
Node* enclosingBlock(Node* node)
{
    return static_cast<Element*>(enclosingNodeOfType(firstPositionInOrBeforeNode(node), isBlock));
}
--- snip ---
http://codesearch.google.com/codesearch/p?hl=en#OAMlx_jo-ck/src/third_party/WebKit/Source/WebCore/editing/htmlediting.cpp&q=enclosingNodeOfType&exact_package=chromium&sa=N&cd=1&ct=rc&l=606
Node* enclosingNodeOfType(const Position& p, bool (*nodeIsOfType)(const Node*), bool onlyReturnEditableNodes)
{
    if (p.isNull())
        return 0;

    Node* root = highestEditableRoot(p);
    for (Node* n = p.node(); n; n = n->parentNode()) {
        // Don't return a non-editable node if the input position was editable, since
        // the callers from editing will no doubt want to perform editing inside the returned node.
        if (root && !n->isContentEditable() && onlyReturnEditableNodes)
            continue;
        if ((*nodeIsOfType)(n))
            return n;
        if (n == root)
            return 0;
    }

    return 0;
}
--- snip ---
Obviously, there are multiple places where this function can return NULL.
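The shape of the defect and its fix, as an added C++ example that is not WebKit code or the reporter's: a stand-in DOM walker mirroring enclosingNodeOfType (editable filter, stop at the editable root), a hardened tryIndentingAsListItem that handles the nullptr block before calling into it, and a constructed tree that exercises the nullptr path. The tree, the tag-based isBlock/isList predicates and the assumption that the list lookup has no editable filter are mine, not the attachment's repro.

```cpp
#include <memory>
#include <string>
#include <vector>

// Stand-in DOM node constructed for this example: tag, editability, parent link.
struct Node {
    std::string tag; bool editable; Node* parent = nullptr;
    std::vector<std::unique_ptr<Node>> children;
    Node(std::string t, bool ed = true) : tag(t), editable(ed) {}
    Node* append(std::string t, bool ed = true) {
        children.push_back(std::make_unique<Node>(t, ed));
        children.back()->parent = this;
        return children.back().get();
    }
};

static bool isBlock(const Node* n) { return n->tag == "div" || n->tag == "ul" || n->tag == "li"; }
static bool isList(const Node* n) { return n->tag == "ul" || n->tag == "ol"; }

// Mirrors enclosingNodeOfType from the report: non-editable nodes are skipped and the
// walk returns nullptr once it reaches the editable root without a match.
static Node* enclosingNodeOfType(Node* start, Node* root, bool (*pred)(const Node*),
                                 bool onlyEditable = true) {
    for (Node* n = start; n; n = n->parent) {
        if (root && !n->editable && onlyEditable) continue;
        if (pred(n)) return n;
        if (n == root) return nullptr;
    }
    return nullptr;
}

// Hardened shape of tryIndentingAsListItem: the nullptr block (the FIXME'd malformed-HTML
// case) is handled before its tag is inspected. Returns 0 = bail out, 1 = enclosing block
// missing (the unchecked original would dereference nullptr here), 2 = block is an li.
static int classifyIndentTarget(Node* start, Node* root) {
    Node* list = enclosingNodeOfType(start, root, isList, false);  // assumption: no editable filter
    if (!list) return 0;
    Node* block = enclosingNodeOfType(start, root, isBlock);
    if (!block) return 1;
    return block->tag == "li" ? 2 : 0;
}

// Constructed input: rootTag > ul > li > #text with the list's editability toggled. A
// non-editable list under an inline root makes the block walk skip every block and hit root.
static int classifyConstructedCase(const std::string& rootTag, bool listEditable) {
    Node root(rootTag);
    Node* text = root.append("ul", listEditable)->append("li", listEditable)
                     ->append("#text", listEditable);
    return classifyIndentTarget(text, &root);
}
```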

Attached repro hits the below ASSERT twice before triggering the above NULL ptr.
--- snip ---
http://codesearch.google.com/codesearch/p?hl=en#OAMlx_jo-ck/src/third_party/WebKit/Source/WebCore/editing/markup.cpp&q=%22ASSERT(propertyMissingOrEqualToNone(style,%20CSSPropertyTextDecoration)%20&&%20propertyMissingOrEqualToNone(style,%20CSSPropertyWebkitTextDecorationsInEffect))%3B%22&exact_package=chromium&sa=N&cd=1&ct=rc&l=163
void StyledMarkupAccumulator::wrapWithStyleNode(CSSStyleDeclaration* style, Document* document, bool isBlock)
{
    // All text-decoration-related elements should have been treated as special ancestors
    // If we ever hit this ASSERT, we should export StyleChange in ApplyStyleCommand and use it here
    ASSERT(propertyMissingOrEqualToNone(style, CSSPropertyTextDecoration) && propertyMissingOrEqualToNone(style, CSSPropertyWebkitTextDecorationsInEffect));
--- snip ---
