Add editability check in indent command.

When selection positions span across contexts with different
editability regions, the block formatting command tries to split the
nodes and perform indenting by copying over content to start position
from where the end position is. This leads to a crash while verifying
node split output in |RangeForParagraphSplittingTextNodesIfNeeded|.
Fix is to check whether the start and end positions are inside the
same editable region or not and if they don't share the same editable
context, then just bail out.

Bug: 996134

Change-Id: I298ae6c8b0c631620266e3f201c0f3c8849d3300
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2582866
Commit-Queue: Koji Ishii <kojii@chromium.org>
Reviewed-by: Koji Ishii <kojii@chromium.org>
Cr-Commit-Position: refs/heads/master@{#835519}

third_party/blink/renderer/core/editing/commands/apply_block_element_command.cc

@@ -103,6 +103,21 @@ void ApplyBlockElementCommand::DoApply(EditingState* editing_state) {
   ContainerNode* end_scope = nullptr;
   int end_index = IndexForVisiblePosition(end_of_selection, end_scope);
 
+  // Due to visible position canonicalization, start and end positions could
+  // move to different selection contexts one of which could be inside an
+  // element that is not editable. e.g. <pre contenteditable>
+  //   hello^
+  // <svg viewBox="0 0 200 200" xmlns="http://www.w3.org/2000/svg">
+  // <foreignObject x="20" y="20" width="80" height="80">
+  //  L|orem
+  // </foreignObject>
+  // </svg>
+  // </pre>
+  if (!IsEditablePosition(start_of_selection.DeepEquivalent()) ||
+      !IsEditablePosition(end_of_selection.DeepEquivalent())) {
+    return;
+  }
+
   FormatSelection(start_of_selection, end_of_selection, editing_state);
   if (editing_state->IsAborted())
     return;

third_party/blink/web_tests/editing/execCommand/indent/indent_blockquote_with_inline_nested_paragraphs.html

@@ -132,4 +132,30 @@ selection_test(
     ],
     'Indent content enclosed inside inline separated by br and textarea element wrapped inside inline');
 
+// The below test is from a clusterfuzz test and the expected result is not accurate, but it avoids the crash.
+// Perhaps we should modify/rewrite the indent command to properly handle this weird selection cases.
+selection_test(
+    [
+        '<pre contenteditable>',
+            '^hello',
+            '<svg viewBox="0 0 200 200" xmlns="http://www.w3.org/2000/svg">',
+            '<foreignObject x="20" y="20" width="80" height="80">',
+            'Test|',
+            '</foreignObject>',
+            '</svg>',
+        '</pre>',
+    ],
+    'indent',
+    [
+    '<pre contenteditable>',
+            '<blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;">^hello',
+            '<svg viewBox="0 0 200 200" xmlns="http://www.w3.org/2000/svg">',
+            '<foreignobject height="80" width="80" x="20" y="20">Test|</foreignobject>',
+            '</svg>',
+            '<svg viewBox="0 0 200 200" xmlns="http://www.w3.org/2000/svg">',
+            '<foreignobject height="80" width="80" x="20" y="20">Test</foreignobject></svg></blockquote>',
+        '</pre>',
+    ],
+    'Indent content spanning across different selection contexts');
+
 </script>
\ No newline at end of file