[Clusterfuzz] crash in InsertParagraphSeperator

InsertParagraphSeperator gets DCHECK(IsEditablePosition)
when checking for leading white speace position.
This happens on a unusual HTML having,
webkit-appearance style applied.

Since the layoutBlock in this scenario has a
logical height because of appearance property,
and layout for table elements like colgroup is
LayoutBlockFlow, therefore the visuallyEquivalentAlgorithm
considers it as a EditablePosition,
and the command for InsertParagraph is executed.

Bug: 777378
Change-Id: I2abce4d09e2526f081cd810fc663aec61cfb24bf
Reviewed-on: https://chromium-review.googlesource.com/781331Reviewed-by: yosin (OOO Dec 11 to Jan 8) <yosin@chromium.org>
Reviewed-by: Yoichi Osato <yoichio@chromium.org>
Commit-Queue: Tanvir Rizvi <tanvir.rizvi@samsung.com>
Cr-Commit-Position: refs/heads/master@{#522023}

third_party/WebKit/Source/core/editing/BUILD.gn

@@ -345,6 +345,7 @@ jumbo_source_set("unit_tests") {
     "commands/EditingCommandTest.cpp",
     "commands/InsertIncrementalTextCommandTest.cpp",
     "commands/InsertListCommandTest.cpp",
+    "commands/InsertParagraphSeparatorCommandTest.cpp",
     "commands/InsertTextCommandTest.cpp",
     "commands/ReplaceSelectionCommandTest.cpp",
     "commands/SetCharacterDataCommandTest.cpp",

third_party/WebKit/Source/core/editing/commands/InsertParagraphSeparatorCommand.cpp

@@ -444,7 +444,8 @@ void InsertParagraphSeparatorCommand::DoApply(EditingState* editing_state) {
     visible_pos = CreateVisiblePosition(insertion_position);
     // If the insertion point is a break element, there is nothing else
     // we need to do.
-    if (visible_pos.DeepEquivalent().AnchorNode()->GetLayoutObject()->IsBR()) {
+    if (visible_pos.IsNotNull() &&
+        visible_pos.DeepEquivalent().AnchorNode()->GetLayoutObject()->IsBR()) {
       SetEndingSelection(SelectionForUndoStep::From(
           SelectionInDOMTree::Builder()
               .Collapse(insertion_position)
@@ -478,6 +479,7 @@ void InsertParagraphSeparatorCommand::DoApply(EditingState* editing_state) {
       insertion_position = MostBackwardCaretPosition(insertion_position);
   }
 
+  ABORT_EDITING_COMMAND_IF(!IsEditablePosition(insertion_position));
   // Make sure we do not cause a rendered space to become unrendered.
   // FIXME: We need the affinity for pos, but mostForwardCaretPosition does not
   // give it

third_party/WebKit/Source/core/editing/commands/InsertParagraphSeparatorCommand.h

@@ -32,7 +32,8 @@ namespace blink {
 
 class EditingStyle;
 
-class InsertParagraphSeparatorCommand final : public CompositeEditCommand {
+class CORE_EXPORT InsertParagraphSeparatorCommand final
+    : public CompositeEditCommand {
  public:
   static InsertParagraphSeparatorCommand* Create(
       Document& document,

third_party/WebKit/Source/core/editing/commands/InsertParagraphSeparatorCommandTest.cpp

+// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "core/editing/commands/InsertParagraphSeparatorCommand.h"
+
+#include "core/editing/FrameSelection.h"
+#include "core/editing/SelectionTemplate.h"
+#include "core/editing/testing/EditingTestBase.h"
+
+namespace blink {
+
+class InsertParagraphSeparatorCommandTest : public EditingTestBase {};
+
+// http://crbug.com/777378
+TEST_F(InsertParagraphSeparatorCommandTest,
+       CrashWithAppearanceStyleOnEmptyColgroup) {
+  Selection().SetSelection(SetSelectionTextToBody(
+      "<table contenteditable>"
+      "    <colgroup style='-webkit-appearance:radio;'><!--|--></colgroup>"
+      "</table>"));
+
+  InsertParagraphSeparatorCommand* command =
+      InsertParagraphSeparatorCommand::Create(GetDocument());
+  // Crash should not be observed here.
+  command->Apply();
+
+  EXPECT_EQ(
+      "<table contenteditable>"
+      "    <colgroup style=\"-webkit-appearance:radio;\">|<br></colgroup>"
+      "</table>",
+      GetSelectionTextFromBody(Selection().GetSelectionInDOMTree()));
+}
+
+// http://crbug.com/777378
+TEST_F(InsertParagraphSeparatorCommandTest,
+       CrashWithAppearanceStyleOnEmptyColumn) {
+  Selection().SetSelection(
+      SetSelectionTextToBody("<table contenteditable>"
+                             "    <colgroup style='-webkit-appearance:radio;'>"
+                             "        <col><!--|--></col>"
+                             "    </colgroup>"
+                             "</table>"));
+
+  InsertParagraphSeparatorCommand* command =
+      InsertParagraphSeparatorCommand::Create(GetDocument());
+  // Crash should not be observed here.
+  command->Apply();
+  EXPECT_EQ(
+      "<table contenteditable>"
+      "    <colgroup style=\"-webkit-appearance:radio;\">|<br>"
+      "        <col>"
+      "    </colgroup>"
+      "</table>",
+      GetSelectionTextFromBody(Selection().GetSelectionInDOMTree()));
+}
+
+}  // namespace blink