[Webkit-unassigned] [Bug 226398] Crash in HTMLConverter::_addLinkForElement()

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=226398

--- Comment #4 from Ryosuke Niwa <rniwa at webkit.org> ---
Comment on attachment 430058
  --> https://bugs.webkit.org/attachment.cgi?id=430058
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=430058&action=review

>>> Source/WebCore/editing/cocoa/HTMLConverter.mm:2219
>>> +                if (startIndex <= [_attrStr length])
>> 
>> It seems that we don't even want to call _processElement when this condition isn't met?
> 
> When the call to _processElement happens, startIndex is within the bounds of [_attrStr length]. The operations inside the else block right above here cause this condition to be violated (this code assuming that [_attrStr length] does not change is the bug).

I see. In that case, I think we just need to adjust startIndex instead of avoid calling _exitElement.

> LayoutTests/editing/pasteboard/cut-paste-mouse-event.html:9
> +function styleonload() {

Can we call this runTest or something?

> LayoutTests/editing/pasteboard/cut-paste-mouse-event.html:12
> +    document.createEvent("MouseEvent").initMouseEvent("1", document.execCommand("paste", false), 0, null, 0, document.execCommand("cut", false));

Surely creating MouseEvent is nothing to do with this crash?
As far as I just tested, this should work:
document.execCommand("selectAll", false);
document.execCommand("createLink", false, "test");
document.execCommand("cut", false);

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210602/9437d035/attachment-0001.htm>