Title: [252667] trunk
Revision
252667
Author
commit-qu...@webkit.org
Date
2019-11-19 17:27:35 -0800 (Tue, 19 Nov 2019)

Log Message

Nullptr crash in Node::setTextContent via Document::setTitle if title element is removed before setTextContent call.
https://bugs.webkit.org/show_bug.cgi?id=204332

Patch by Sunny He <sunny...@apple.com> on 2019-11-19
Reviewed by Ryosuke Niwa.

Source/WebCore:

Test: fast/dom/Document/title-property-set-with-dom-event.html

* dom/Document.cpp:
(WebCore::Document::setTitle):

LayoutTests:

* fast/dom/Document/title-property-set-with-dom-event-expected.txt: Added.
* fast/dom/Document/title-property-set-with-dom-event.html: Added.
* fast/dom/Document/title-property-set-with-dom-event-svg-expected.html: Added.
* fast/dom/Document/title-property-set-with-dom-event-svg.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (252666 => 252667)


--- trunk/LayoutTests/ChangeLog	2019-11-20 01:24:53 UTC (rev 252666)
+++ trunk/LayoutTests/ChangeLog	2019-11-20 01:27:35 UTC (rev 252667)
@@ -1,3 +1,14 @@
+2019-11-19  Sunny He  <sunny...@apple.com>
+
+        Nullptr crash in Node::setTextContent via Document::setTitle if title element is removed before setTextContent call.
+        https://bugs.webkit.org/show_bug.cgi?id=204332
+
+        Reviewed by Ryosuke Niwa.
+
+        * fast/dom/Document/title-property-set-with-dom-event-expected.txt: Added.
+        * fast/dom/Document/title-property-set-with-dom-event.html: Added.
+        * fast/dom/Document/title-property-set-with-dom-event-svg-expected.html: Added.
+        * fast/dom/Document/title-property-set-with-dom-event-svg.html: Added.
 2019-11-19  Jiewen Tan  <jiewen_...@apple.com>
 
         Unreviewed, test gardening
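Review bot: the file list in this ChangeLog entry does not match what the patch adds: it records `title-property-set-with-dom-event-svg-expected.html: Added.`, but the file actually added in this revision is `title-property-set-with-dom-event-svg-expected.txt` (the SVG test dumps as text, like its HTML sibling). Correct the entry to the `.txt` name so the ChangeLog and the tree stay in sync.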

Added: trunk/LayoutTests/fast/dom/Document/title-property-set-with-dom-event-expected.txt (0 => 252667)


--- trunk/LayoutTests/fast/dom/Document/title-property-set-with-dom-event-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/Document/title-property-set-with-dom-event-expected.txt	2019-11-20 01:27:35 UTC (rev 252667)
@@ -0,0 +1 @@
+Test that setting title while there is a registred DOMNodeInserted event handler which indirectly deletes title doesn't crash.
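Review bot: "registred" in the expected output is a typo for "registered". Because this is a dumpAsText expectation, the identical string lives in the `<p>` of title-property-set-with-dom-event.html, so both files have to be fixed in the same change or the test starts failing on the text mismatch.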

Added: trunk/LayoutTests/fast/dom/Document/title-property-set-with-dom-event-svg-expected.txt (0 => 252667)


--- trunk/LayoutTests/fast/dom/Document/title-property-set-with-dom-event-svg-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/Document/title-property-set-with-dom-event-svg-expected.txt	2019-11-20 01:27:35 UTC (rev 252667)
@@ -0,0 +1 @@
+Test that setting title of a SVG document while there is a registred DOMNodeInserted event handler which indirectly deletes title doesn't crash.
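Review bot: same typo, "registred" for "registered", with the same coupling to the `<p>` text in title-property-set-with-dom-event-svg.html; "a SVG document" also reads better as "an SVG document". Update the expectation and the test page together so the text dump still matches.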

Added: trunk/LayoutTests/fast/dom/Document/title-property-set-with-dom-event-svg.html (0 => 252667)


--- trunk/LayoutTests/fast/dom/Document/title-property-set-with-dom-event-svg.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/Document/title-property-set-with-dom-event-svg.html	2019-11-20 01:27:35 UTC (rev 252667)
@@ -0,0 +1,23 @@
+<html>
+<head>
+<script>
+function test() {
+    if (window.testRunner) {
+        window.testRunner.dumpAsText();
+    }
+    var SVG_NAMESPACE = "http://www.w3.org/2000/svg";
+    var svgDocument = document.implementation.createDocument(SVG_NAMESPACE, "svg", null);
+
+    svgDocument.addEventListener("DOMNodeInserted", () => {
+        var a = svgDocument.querySelector("title").remove();
+    });
+    svgDocument.title = "abc"
+}
+test()
+</script>
+</head>
+<body>
+    <p>Test that setting title of a SVG document while there is a registred DOMNodeInserted event handler which indirectly deletes title doesn't crash.
+    </p>
+</body>
+</html>
\ No newline at end of file
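Review bot: `var a = svgDocument.querySelector("title").remove();` stores the `undefined` that `remove()` returns; drop the assignment. More importantly, unlike the HTML test this listener is not registered with `{once : true}` and does not guard against `querySelector("title")` returning null, so any further insertion into `svgDocument` would throw a TypeError inside the listener instead of exercising the path under test; either `{once: true}` or a null check makes the intent explicit. Minor: missing semicolons after `svgDocument.title = "abc"` and `test()`, and the file lacks a trailing newline.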

Added: trunk/LayoutTests/fast/dom/Document/title-property-set-with-dom-event.html (0 => 252667)


--- trunk/LayoutTests/fast/dom/Document/title-property-set-with-dom-event.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/Document/title-property-set-with-dom-event.html	2019-11-20 01:27:35 UTC (rev 252667)
@@ -0,0 +1,21 @@
+<html>
+<head>
+<script>
+function test() {
+    if (window.testRunner) {
+        window.testRunner.dumpAsText();
+    }
+
+    window.top.addEventListener("DOMNodeInserted", () => {
+        document.head.innerHTML = 123;
+    }, {once : true});
+    document.title = "abc";
+}
+test()
+</script>
+</head>
+<body>
+    <p>Test that setting title while there is a registred DOMNodeInserted event handler which indirectly deletes title doesn't crash.
+    </p>
+</body>
+</html>
\ No newline at end of file
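Review bot: `document.head.innerHTML = 123;` is the whole mechanism of the test but reads like an accident; a comment stating that replacing the head's contents detaches the `<title>` that Document::setTitle just appended, and that the text node this inserts fires DOMNodeInserted again (which is why `{once : true}` is needed to avoid re-entering the listener), would help the next reader. `window.top.addEventListener` is also odd for a top-level test page where `window.top === window`; listening on `document` would make the intended target clear. The file is missing a trailing newline.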

Modified: trunk/Source/WebCore/ChangeLog (252666 => 252667)


--- trunk/Source/WebCore/ChangeLog	2019-11-20 01:24:53 UTC (rev 252666)
+++ trunk/Source/WebCore/ChangeLog	2019-11-20 01:27:35 UTC (rev 252667)
@@ -1,3 +1,15 @@
+2019-11-19  Sunny He  <sunny...@apple.com>
+
+        Nullptr crash in Node::setTextContent via Document::setTitle if title element is removed before setTextContent call.
+        https://bugs.webkit.org/show_bug.cgi?id=204332
+
+        Reviewed by Ryosuke Niwa.
+
+        Test: fast/dom/Document/title-property-set-with-dom-event.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::setTitle):
+
 2019-11-19  Youenn Fablet  <you...@apple.com>
 
         Introduce a mock implementation of CoreAudioSharedUnit
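Review bot: the `Test:` line names only title-property-set-with-dom-event.html, but the patch also adds title-property-set-with-dom-event-svg.html, which is what covers the SVGTitleElement branch of Document::setTitle; list both. The bare `(WebCore::Document::setTitle):` entry would also benefit from a one-line description of the change, e.g. "Null-check m_titleElement after insertion, which may have run script that removed it."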

Modified: trunk/Source/WebCore/dom/Document.cpp (252666 => 252667)


--- trunk/Source/WebCore/dom/Document.cpp	2019-11-20 01:24:53 UTC (rev 252666)
+++ trunk/Source/WebCore/dom/Document.cpp	2019-11-20 01:27:35 UTC (rev 252667)
@@ -1609,7 +1609,9 @@
             m_titleElement = SVGTitleElement::create(SVGNames::titleTag, *this);
             element->insertBefore(*m_titleElement, element->firstChild());
         }
-        m_titleElement->setTextContent(title);
+        // insertBefore above may have ran scripts which removed m_titleElement
+        if (m_titleElement)
+            m_titleElement->setTextContent(title);
     } else if (is<HTMLElement>(element)) {
         if (!m_titleElement) {
             auto* headElement = head();
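Review bot: grammar in the new comment: "may have ran scripts" should be "may have run scripts" (the HTML branch below has the same wording). On substance, the `if (m_titleElement)` check only helps if removing the title element from the tree resets `m_titleElement` to null; the fix relies on that being the sole way the member changes under script, which holds for the described case but is worth stating in the comment. If the text should still be applied even to a detached element, holding a `RefPtr` local across `insertBefore` is the alternative.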
@@ -1618,7 +1620,9 @@
             m_titleElement = HTMLTitleElement::create(HTMLNames::titleTag, *this);
             headElement->appendChild(*m_titleElement);
         }
-        m_titleElement->setTextContent(title);
+        // appendChild above may have ran scripts which removed m_titleElement
+        if (m_titleElement)
+            m_titleElement->setTextContent(title);
     }
 }
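Review bot: same grammar fix here, "may have run". The two branches now carry identical comment + null check + `setTextContent(title)` sequences; hoisting a single `if (m_titleElement) m_titleElement->setTextContent(title);` below the `if`/`else if` would remove the duplication and keep the two copies from drifting. Note also that `headElement->appendChild(*m_titleElement)` runs synchronous DOMNodeInserted listeners, so `headElement` itself may have been detached; nothing in this hunk uses it afterwards, so that is fine today, but a comment would stop a later edit from assuming it is still in the tree.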
 
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
