RESOLVED INVALID
43354
Potential Null Crasher in ReplaceSelectionCommand
https://bugs.webkit.org/show_bug.cgi?id=43354
Eric Seidel (no email)
Reported
2010-08-02 08:46:58 PDT
http://trac.webkit.org/browser/trunk/WebCore/editing/ReplaceSelectionCommand.cpp#L935

    if ((isListElement(refNode.get()) || (isStyleSpan(refNode.get()) && isListElement(refNode->firstChild())))
        && blockStart->renderer()->isListItem())
        refNode = insertAsListItems(refNode, blockStart, insertionPos);

I suspect that unguarded renderer()-> call could crash. Nodes don't have to have renderers.
Eric Seidel (no email)
Comment 1
2010-08-02 08:47:12 PDT
I'm about to change that line of code a little.
Ryosuke Niwa
Comment 2
2010-08-02 09:10:59 PDT
+tony, since svn annotate indicates he has edited that part of the code in two changesets, 54413 and 54931.
Tony Chang
Comment 3
2010-08-02 09:35:54 PDT
We should probably just use isListItem() from htmlediting.h, although I'm surprised that enclosingBlock() can return a node w/o a renderer. Maybe <html> is a block w/o a renderer?
Ryosuke Niwa
Comment 4
2012-05-25 00:06:40 PDT
    Node* blockStart = enclosingBlock(insertionPos.deprecatedNode());

But

    bool isBlock(const Node* node)
    {
        return node && node->renderer() && !node->renderer()->isInline() && !node->renderer()->isRubyText();
    }

    Element* enclosingBlock(Node* node, EditingBoundaryCrossingRule rule)
    {
        Node* enclosingNode = enclosingNodeOfType(firstPositionInOrBeforeNode(node), isBlock, rule);
        return enclosingNode && enclosingNode->isElementNode() ? toElement(enclosingNode) : 0;
    }

So this can never cause a crash.
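The following is an added example illustrating the argument in Comment 4; it is not WebKit code and was not posted by anyone in this thread. It models the DOM with a toy Node/RenderObject pair (constructed here, with a renderer-less ancestor standing in for a node that has no render object) and shows why the predicate-based walk in enclosingBlock() can only return a node whose renderer() is non-null, so the renderer()-> call flagged in the report is guarded at the source rather than at the use site. The one case the caller still has to handle itself is enclosingBlock() finding no block at all and returning null, which the caller below checks explicitly.

```cpp
// Added example for this bug thread; not WebKit code. It models the reasoning
// in Comment 4: enclosingNodeOfType() only returns a node for which the
// predicate held, and isBlock() requires renderer() != null, so whatever
// enclosingBlock() returns can have renderer() dereferenced safely. The toy
// Node/RenderObject types and the tree in Fixture are constructed for the example.
#include <cassert>
#include <memory>

struct RenderObject {
    bool inlineBox = false;
    bool listItem = false;
    bool isInline() const { return inlineBox; }
    bool isListItem() const { return listItem; }
};

struct Node {
    Node* parent = nullptr;
    std::unique_ptr<RenderObject> render; // null models a node without a renderer
    bool element = true;
    RenderObject* renderer() const { return render.get(); }
    bool isElementNode() const { return element; }
};

// Same shape as the isBlock() quoted in Comment 4 (ruby-text case omitted).
static bool isBlock(const Node* node) {
    return node && node->renderer() && !node->renderer()->isInline();
}

// Walk from node up through its ancestors; return the first one satisfying pred.
static Node* enclosingNodeOfType(Node* node, bool (*pred)(const Node*)) {
    for (Node* n = node; n; n = n->parent) {
        if (pred(n))
            return n;
    }
    return nullptr;
}

static Node* enclosingBlock(Node* node) {
    Node* n = enclosingNodeOfType(node, isBlock);
    return n && n->isElementNode() ? n : nullptr;
}

// Caller shaped like the lines quoted in the report. The renderer() call on
// blockStart is safe by construction (isBlock guaranteed it); the explicit
// null check handles the separate case where no block ancestor exists.
// Returns 1 if the enclosing block renders as a list item, 0 if not, -1 if none.
static int blockStartIsListItem(Node* insertionNode) {
    Node* blockStart = enclosingBlock(insertionNode);
    if (!blockStart)
        return -1;
    return blockStart->renderer()->isListItem() ? 1 : 0;
}

// Constructed tree: li (block, list item) > span (no renderer) > #text (inline).
struct Fixture {
    Node li, span, text, detached;
    Fixture() {
        li.render = std::make_unique<RenderObject>();
        li.render->listItem = true;
        span.parent = &li; // deliberately left without a renderer
        text.parent = &span;
        text.element = false;
        text.render = std::make_unique<RenderObject>();
        text.render->inlineBox = true;
        // detached: no renderer and no parent, so no enclosing block at all
    }
};

// The renderer-less span is skipped, not returned, so the null renderer()
// feared in the report cannot come out of enclosingBlock().
bool enclosingBlockSkipsRendererlessAncestor() {
    Fixture f;
    Node* block = enclosingBlock(&f.text);
    return block == &f.li && block->renderer() != nullptr;
}

int listItemCheckInsideListItem() {
    Fixture f;
    return blockStartIsListItem(&f.text); // 1
}

int listItemCheckWithNoBlockAncestor() {
    Fixture f;
    return blockStartIsListItem(&f.detached); // -1
}

int main() {
    assert(enclosingBlockSkipsRendererlessAncestor());
    assert(listItemCheckInsideListItem() == 1);
    assert(listItemCheckWithNoBlockAncestor() == -1);
    return 0;
}
```

The point for review purposes is where the invariant lives: the caller's renderer()-> looks unguarded in isolation, but the guard is the predicate passed to the ancestor walk. When auditing a deref like this, trace how the pointer was produced before concluding it can be null.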