Don't use dangling reference in...

Don't use dangling reference in ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline This patch changes to avoid dangling reference in ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline(). In this function, we hold pointer to inlineStyle member in ElemendData from |node|. The |node| doesn't change in loop body unless it doesn't have a self-conflicting inline style, e.g. <b style="font-weight: normal">. In this case, we should update |inlineStyle| variable to new value from ElementData of newly created element. Note: Attached test case is failed only on ASAN build by heap-use-after-free. BUG=356517 TEST=LayoutTests/editing/execCommand/remove-redundant-styles-and-keep-style-span-inline-crashed.html Review URL: https://codereview.chromium.org/212323004 git-svn-id: svn://svn.chromium.org/blink/trunk@170133 bbb929c8-8fbe-4397-9dbb-9b2b20218538

Don't use dangling reference in...
Don't use dangling reference in ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline This patch changes to avoid dangling reference in ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline(). In this function, we hold pointer to inlineStyle member in ElemendData from |node|. The |node| doesn't change in loop body unless it doesn't have a self-conflicting inline style, e.g. <b style="font-weight: normal">. In this case, we should update |inlineStyle| variable to new value from ElementData of newly created element. Note: Attached test case is failed only on ASAN build by heap-use-after-free. BUG=356517 TEST=LayoutTests/editing/execCommand/remove-redundant-styles-and-keep-style-span-inline-crashed.html Review URL: https://codereview.chromium.org/212323004 git-svn-id: svn://svn.chromium.org/blink/trunk@170133 bbb929c8-8fbe-4397-9dbb-9b2b20218538
90334b80 · yosin@chromium.org · 277370c9 · 90334b80 · 90334b80 · 90334b80
Commit 90334b80 authored Mar 27, 2014 by yosin@chromium.org
3 changed files
--- a/third_party/WebKit/LayoutTests/editing/execCommand/remove-redundant-styles-and-keep-style-span-inline-crashed-expected.txt
+++ b/third_party/WebKit/LayoutTests/editing/execCommand/remove-redundant-styles-and-keep-style-span-inline-crashed-expected.txt
+PASS if Blink doesn't crash.
--- a/third_party/WebKit/LayoutTests/editing/execCommand/remove-redundant-styles-and-keep-style-span-inline-crashed.html
+++ b/third_party/WebKit/LayoutTests/editing/execCommand/remove-redundant-styles-and-keep-style-span-inline-crashed.html
+<!DOCTYPE html>
+<head>
+<style>
+* {
+    border-image-source: url(foo);
+    background-position-x: 2147483470%;
+    font-style: normal;
+}
+</style>
+</head>
+<body>
+<i>PASS if Blink doesn't crash.</i>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+document.designMode = 'on';
+document.execCommand('SelectAll');
+document.execCommand('Cut');
+document.execCommand('Paste');
+</script>
+</body>
--- a/third_party/WebKit/Source/core/editing/ReplaceSelectionCommand.cpp
+++ b/third_party/WebKit/Source/core/editing/ReplaceSelectionCommand.cpp
@@ -484,6 +484,7 @@ void ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline(Insert
                    // e.g. <b style="font-weight: normal;"> is converted to <span style="font-weight: normal;">
                    node = replaceElementWithSpanPreservingChildrenAndAttributes(htmlElement);
                    element = toElement(node);
+                    inlineStyle = element->inlineStyle();
                    insertedNodes.didReplaceNode(*htmlElement, *node);
                } else if (newInlineStyle->extractConflictingImplicitStyleOfAttributes(htmlElement, EditingStyle::PreserveWritingDirection, 0, attributes,
                    EditingStyle::DoNotExtractMatchingStyle)) {