Fix for clusterfuzz crash while insertText is executed

While executing insertTextCommand with text having
paragraph seperator, on a unusual selection content
which has a nested anchor element within same block,
this crash happens.
While insertion of the paragraph seperator,
the |PositionAvoidingSpecialElementBoundary| algorithm
inserts new A element which was making the already
calculated start block parent 'null' making content
to crash.
The crash is avoided by doing safety checks.

Bug: 792548
Change-Id: Ica9e38857edac95a7151fda993ae5ef6e7b17ca3
Reviewed-on: https://chromium-review.googlesource.com/822550Reviewed-by: Xiaocheng Hu <xiaochengh@chromium.org>
Commit-Queue: Tanvir Rizvi <tanvir.rizvi@samsung.com>
Cr-Commit-Position: refs/heads/master@{#524656}

third_party/WebKit/Source/core/editing/commands/InsertParagraphSeparatorCommand.cpp

@@ -243,6 +243,8 @@ void InsertParagraphSeparatorCommand::DoApply(EditingState* editing_state) {
       PositionAvoidingSpecialElementBoundary(insertion_position, editing_state);
   if (editing_state->IsAborted())
     return;
+  // InsertTextCommandTest.AnchorElementWithBlockCrash reaches here.
+  ABORT_EDITING_COMMAND_IF(!start_block->parentNode());
   if (list_child == enclosing_anchor) {
     // |positionAvoidingSpecialElementBoundary()| creates new A element and
     // move to another place.

third_party/WebKit/Source/core/editing/commands/InsertTextCommandTest.cpp

@@ -242,4 +242,41 @@ TEST_F(InsertTextCommandTest, CheckTabSpanElementNoCrash) {
                                         Selection().GetSelectionInDOMTree()));
 }
 
+// http://crbug.com/792548
+TEST_F(InsertTextCommandTest, AnchorElementWithBlockCrash) {
+  GetDocument().setDesignMode("on");
+  SetBodyContent("<a href=\"www\" style=\"display:block\">");
+  // We need the below DOM with selection.
+  // <a href=\"www\" style=\"display:block\">
+  //   <a href=\"www\" style=\"display: inline !important;\">
+  //   <i>^home|</i>
+  //   </a>
+  // </a>
+  // Since the HTML parser rejects it as there are nested <a> elements.
+  // We are contructing the remaining DOM manually.
+  Element* const anchor = GetDocument().QuerySelector("a");
+  Element* nested_anchor = GetDocument().createElement("a");
+  Element* iElement = GetDocument().createElement("i");
+
+  nested_anchor->setAttribute("href", "www");
+  iElement->SetInnerHTMLFromString("home");
+
+  anchor->AppendChild(nested_anchor);
+  nested_anchor->AppendChild(iElement);
+
+  Node* const iElement_text_node = iElement->firstChild();
+  Selection().SetSelection(
+      SelectionInDOMTree::Builder()
+          .SetBaseAndExtent(Position(iElement_text_node, 0),
+                            Position(iElement_text_node, 4))
+          .Build());
+  // Crash happens here with when '\n' is inserted.
+  GetDocument().execCommand("inserttext", false, "a\n", ASSERT_NO_EXCEPTION);
+  EXPECT_EQ(
+      "<i style=\"display: block;\">"
+      "<a href=\"www\" style=\"display: block;\">a</a>"
+      "</i>|",
+      GetSelectionTextFromBody(Selection().GetSelectionInDOMTree()));
+}
+
 }  // namespace blink