Null pointer deference in WebCore::AppendNodeCommand::create
https://bugs.webkit.org/show_bug.cgi?id=116479
Source/WebCore:
Reviewed by Andreas Kling.
Merge https://chromium.googlesource.com/chromium/blink/+/5cb43002a44f67a60ecf5a7ed76de2d0bcf89eb2
DeleteSelection::makeStylingElementsDirectChildrenOfEditableRootToPreventStyleLoss() make style and link elements
to be the direct children of the editable root. However, these style and link elements are not necessary editable
and WebKit crashes when they are not.
Test: editing/deleting/delete-uneditable-style.html
* editing/DeleteSelectionCommand.cpp:
(WebCore::DeleteSelectionCommand::makeStylingElementsDirectChildrenOfEditableRootToPreventStyleLoss):
LayoutTests:
Reviewed by Andreas Kling.
Add a regression test.
* editing/deleting/delete-uneditable-style-expected.txt: Added.
* editing/deleting/delete-uneditable-style.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@150402 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/editing/DeleteSelectionCommand.cpp b/Source/WebCore/editing/DeleteSelectionCommand.cpp
index 43a8ec9..6a65fa1 100644
--- a/Source/WebCore/editing/DeleteSelectionCommand.cpp
+++ b/Source/WebCore/editing/DeleteSelectionCommand.cpp
@@ -426,8 +426,10 @@
if ((node->hasTagName(styleTag) && !(toElement(node.get())->hasAttribute(scopedAttr))) || node->hasTagName(linkTag)) {
nextNode = NodeTraversal::nextSkippingChildren(node.get());
RefPtr<ContainerNode> rootEditableElement = node->rootEditableElement();
- removeNode(node);
- appendNode(node, rootEditableElement);
+ if (rootEditableElement) {
+ removeNode(node);
+ appendNode(node, rootEditableElement);
+ }
}
node = nextNode;
}
