Fix clipboard markup sanitizer crash when we fail to create a fragment

CreateFragmentFromMarkupWithContext() may fail to create a fragment from
some markup.

crrev.com/c/1922919 incorrectly removes the handling of this case and
results in a regression. This patch adds back the handling.

Bug: 1032673
Change-Id: If02997859f3ccc074df3da1d91e974b2dc4794ef
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1963107Reviewed-by: Kent Tamura <tkent@chromium.org>
Commit-Queue: Xiaocheng Hu <xiaochengh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#724056}

third_party/blink/renderer/core/editing/BUILD.gn

@@ -414,6 +414,7 @@ jumbo_source_set("unit_tests") {
     "selection_controller_test.cc",
     "selection_modifier_test.cc",
     "selection_template_test.cc",
+    "serializers/serialization_test.cc",
     "serializers/styled_markup_serializer_test.cc",
     "set_selection_options_test.cc",
     "spellcheck/idle_spell_check_controller_test.cc",

third_party/blink/renderer/core/editing/serializers/serialization.cc

@@ -794,12 +794,17 @@ static Document* CreateStagingDocumentForMarkupSanitization() {
 String SanitizeMarkupWithContext(const String& raw_markup,
                                  unsigned fragment_start,
                                  unsigned fragment_end) {
+  if (raw_markup.IsEmpty())
+    return g_empty_string;
+
   Document* staging_document = CreateStagingDocumentForMarkupSanitization();
   Element* body = staging_document->body();
 
   DocumentFragment* fragment = CreateFragmentFromMarkupWithContext(
       *staging_document, raw_markup, fragment_start, fragment_end, KURL(),
       kDisallowScriptingAndPluginContent);
+  if (!fragment)
+    return g_empty_string;
 
   body->appendChild(fragment);
   staging_document->UpdateStyleAndLayout();

third_party/blink/renderer/core/editing/serializers/serialization.h

@@ -96,9 +96,9 @@ CreateMarkup(const PositionInFlatTree& start,
              const PositionInFlatTree& end,
              const CreateMarkupOptions& options = CreateMarkupOptions());
 
-String SanitizeMarkupWithContext(const String& raw_markup,
-                                 unsigned fragment_start,
-                                 unsigned fragment_end);
+CORE_EXPORT String SanitizeMarkupWithContext(const String& raw_markup,
+                                             unsigned fragment_start,
+                                             unsigned fragment_end);
 
 void MergeWithNextTextNode(Text*, ExceptionState&);
 

third_party/blink/renderer/core/editing/serializers/serialization_test.cc

+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "third_party/blink/renderer/core/editing/serializers/serialization.h"
+
+#include <gtest/gtest.h>
+
+namespace blink {
+namespace {
+
+// Regression test for https://crbug.com/1032673
+TEST(SerializationTest, CantCreateFragmentCrash) {
+  // CreateFragmentFromMarkupWithContext() fails to create a fragment for the
+  // following markup. Should return an empty string as the sanitized markup
+  // instead of crashing.
+  const String html =
+      "<article><dcell></dcell>A<td><dcol></"
+      "dcol>A0<td>&percnt;&lbrack;<command></"
+      "command><img>0AA00A0AAAAAAA00A<optgroup>&NotLess;&Eacute;&andand;&"
+      "Uarrocir;&jfr;&esim;&Alpha;&angmsdab;&ogt;&lesseqqgtr;&vBar;&plankv;&"
+      "curlywedge;&lcedil;&Mfr;&Barwed;&rlm;<kbd><animateColor></"
+      "animateColor>A000AA0AA000A0<plaintext></"
+      "plaintext><title>0A0AA00A0A0AA000A<switch><img "
+      "src=\"../resources/abe.png\"> zz";
+  const String sanitized = SanitizeMarkupWithContext(html, 0, html.length());
+  EXPECT_TRUE(sanitized.IsEmpty());
+}
+
+}  // namespace
+}  // namespace blink