[ClusterFuzz] crash in replaceSelectionCommand

ReplaceSelectionCommand crashes if InsertHTML content have trailing non visible content. This happens as the nextAncesstorSibling comes as null This CL does the safety check to prevent the crash observed in this scenario. Bug: 781282 Change-Id: Ibb886956dafcdfaadac4dd2ee6b6c1ef70ad8340 Reviewed-on: https://chromium-review.googlesource.com/768550 Commit-Queue: Tanvir Rizvi <tanvir.rizvi@samsung.com> Reviewed-by: Xiaocheng Hu <xiaochengh@chromium.org> Reviewed-by: Yoshifumi Inoue <yosin@chromium.org> Cr-Commit-Position: refs/heads/master@{#517437}

[ClusterFuzz] crash in replaceSelectionCommand
ReplaceSelectionCommand crashes if InsertHTML content have trailing non visible content. This happens as the nextAncesstorSibling comes as null This CL does the safety check to prevent the crash observed in this scenario. Bug: 781282 Change-Id: Ibb886956dafcdfaadac4dd2ee6b6c1ef70ad8340 Reviewed-on: https://chromium-review.googlesource.com/768550 Commit-Queue: Tanvir Rizvi <tanvir.rizvi@samsung.com> Reviewed-by: Xiaocheng Hu <xiaochengh@chromium.org> Reviewed-by: Yoshifumi Inoue <yosin@chromium.org> Cr-Commit-Position: refs/heads/master@{#517437}
4306d818 · tanvir.rizvi · Commit Bot · db524979 · 4306d818 · 4306d818
Commit 4306d818 authored Nov 17, 2017 by tanvir.rizvi Committed by Commit Bot Nov 17, 2017
2 changed files
--- a/third_party/WebKit/Source/core/editing/commands/ReplaceSelectionCommand.cpp
+++ b/third_party/WebKit/Source/core/editing/commands/ReplaceSelectionCommand.cpp
@@ -1368,8 +1368,10 @@ void ReplaceSelectionCommand::DoApply(EditingState* editing_state) {
    node = next;
  }

-  if (IsRichlyEditablePosition(insertion_pos))
+  if (IsRichlyEditablePosition(insertion_pos)) {
    RemoveUnrenderedTextNodesAtEnds(inserted_nodes);
+    ABORT_EDITING_COMMAND_IF(!inserted_nodes.RefNode());
+  }

  GetDocument().UpdateStyleAndLayoutIgnorePendingStylesheets();

@@ -1411,11 +1413,13 @@ void ReplaceSelectionCommand::DoApply(EditingState* editing_state) {
        !(fragment.HasInterchangeNewlineAtEnd() && selection_is_plain_text)))) {
    ContainerNode* parent = end_br->parentNode();
    inserted_nodes.WillRemoveNode(*end_br);
+    ABORT_EDITING_COMMAND_IF(!inserted_nodes.RefNode());
    RemoveNode(end_br, editing_state);
    if (editing_state->IsAborted())
      return;
    if (Node* node_to_remove = HighestNodeToRemoveInPruning(parent)) {
      inserted_nodes.WillRemoveNode(*node_to_remove);
+      ABORT_EDITING_COMMAND_IF(!inserted_nodes.RefNode());
      RemoveNode(node_to_remove, editing_state);
      if (editing_state->IsAborted())
        return;

--- a/third_party/WebKit/Source/core/editing/commands/ReplaceSelectionCommandTest.cpp
+++ b/third_party/WebKit/Source/core/editing/commands/ReplaceSelectionCommandTest.cpp
@@ -154,4 +154,21 @@ TEST_F(ReplaceSelectionCommandTest, TextAutosizingDoesntInflateText) {
  EXPECT_EQ(1u, div->CountChildren());
 }

+// This is a regression test for https://crbug.com/781282
+TEST_F(ReplaceSelectionCommandTest, TrailingNonVisibleTextCrash) {
+  GetDocument().setDesignMode("on");
+  Selection().SetSelection(SetSelectionTextToBody("<div>^foo|</div>"));
+
+  DocumentFragment* fragment = GetDocument().createDocumentFragment();
+  fragment->ParseHTML("<div>bar</div> ", GetDocument().QuerySelector("div"));
+  ReplaceSelectionCommand::CommandOptions options = 0;
+  ReplaceSelectionCommand* command =
+      ReplaceSelectionCommand::Create(GetDocument(), fragment, options);
+
+  // Crash should not occur on applying ReplaceSelectionCommand
+  EXPECT_FALSE(command->Apply());
+  EXPECT_EQ("<div>bar</div>|<br>",
+            GetSelectionTextFromBody(Selection().GetSelectionInDOMTree()));
+}
+
 }  // namespace blink