Title: [288308] releases/WebKitGTK/webkit-2.34
- Revision
- 288308
- Author
- ape...@igalia.com
- Date
- 2022-01-20 11:08:25 -0800 (Thu, 20 Jan 2022)
Log Message
Merge r288052 - null ptr deref in WebCore::ReplaceSelectionCommand::moveNodeOutOfAncestor()
https://bugs.webkit.org/show_bug.cgi?id=233463
Patch by Frederic Wang <fw...@igalia.com> on 2022-01-14
Reviewed by Wenson Hsieh.
Source/WebCore:
One line of ReplaceSelectionCommand::moveNodeOutOfAncestor() assumes that the pointer
ancestor.parentNode() is non-null. However, the call to removeNode(node) just before can
lead to arbitrary tree mutations that leave the ancestor orphaned, causing a nullptr deref.
This patch mitigates that issue by exiting early if that situation happens.
* editing/ReplaceSelectionCommand.cpp:
(WebCore::ReplaceSelectionCommand::moveNodeOutOfAncestor): Exit early if the ancestor
is no longer connected.
LayoutTests:
Add non-regression test.
* editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash-expected.txt: Added.
* editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash.html: Added.
* editing/execCommand/resources/paste-as-quotation-disconnected-paragraph-ancestor-crash-iframe.html: Added.
* platform/win/TestExpectations: Skip test on Windows, as the test seems to shift expectations with text output
of other execCommand tests.
Diff
Modified: releases/WebKitGTK/webkit-2.34/LayoutTests/ChangeLog (288307 => 288308)
--- releases/WebKitGTK/webkit-2.34/LayoutTests/ChangeLog 2022-01-20 18:43:21 UTC (rev 288307)
+++ releases/WebKitGTK/webkit-2.34/LayoutTests/ChangeLog 2022-01-20 19:08:25 UTC (rev 288308)
@@ -1,3 +1,18 @@
+2022-01-14 Frederic Wang <fw...@igalia.com>
+
+ null ptr deref in WebCore::ReplaceSelectionCommand::moveNodeOutOfAncestor()
+ https://bugs.webkit.org/show_bug.cgi?id=233463
+
+ Reviewed by Wenson Hsieh.
+
+ Add non-regression test.
+
+ * editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash-expected.txt: Added.
+ * editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash.html: Added.
+ * editing/execCommand/resources/paste-as-quotation-disconnected-paragraph-ancestor-crash-iframe.html: Added.
+ * platform/win/TestExpectations: Skip test on windows, as the test seems to shift expectations with text output
+ of other execCommand tests.
+
2022-01-10 Alan Bujtas <za...@apple.com>
null ptr deref in WebCore::LayoutIntegration::LineLayout::collectOverflow()
Added: releases/WebKitGTK/webkit-2.34/LayoutTests/editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash-expected.txt (0 => 288308)
--- releases/WebKitGTK/webkit-2.34/LayoutTests/editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.34/LayoutTests/editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash-expected.txt 2022-01-20 19:08:25 UTC (rev 288308)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: This test PASS if it does not crash.
+
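Review bot: the expected output "This test PASS if it does not crash." is ungrammatical; if it is reworded to "This test passes if it does not crash.", the console.log() string in paste-as-quotation-disconnected-paragraph-ancestor-crash.html has to change in the same commit, since the -expected.txt file is compared byte for byte against the test's text output.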
Added: releases/WebKitGTK/webkit-2.34/LayoutTests/editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash.html (0 => 288308)
--- releases/WebKitGTK/webkit-2.34/LayoutTests/editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-2.34/LayoutTests/editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash.html 2022-01-20 19:08:25 UTC (rev 288308)
@@ -0,0 +1,21 @@
+<script>
+ async function loadFrame(url) {
+ await new Promise(resolve => {
+ window.addEventListener('message', resolve, {once: true});
+ let iframe = document.createElement('iframe');
+ iframe.src = ""
+ document.body.appendChild(iframe);
+ });
+ }
+
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ console.log("This test PASS if it does not crash.")
+ }
+
+ _onload_ = () => {
+ loadFrame('resources/paste-as-quotation-disconnected-paragraph-ancestor-crash-iframe.html');
+ testRunner.notifyDone();
+ };
+</script>
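Review bot: loadFrame(url) is async and only resolves once the child frame posts a message, but the onload handler at the bottom calls testRunner.notifyDone() immediately after loadFrame(...) without awaiting it, so the test is reported done before the iframe has even loaded and a crash in the child frame would not be attributed to this test; make the handler `async () => { await loadFrame(...); testRunner.notifyDone(); }`. Two further points in the same hunk: the `url` parameter is never used, since the body assigns `iframe.src = ""` instead of `iframe.src = url`, so the resources/…-iframe.html path passed at the bottom is never loaded; and the handler is assigned to `_onload_` rather than `onload`, which is not an event handler property, so if the file really reads that way the handler never runs at all.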
Added: releases/WebKitGTK/webkit-2.34/LayoutTests/editing/execCommand/resources/paste-as-quotation-disconnected-paragraph-ancestor-crash-iframe.html (0 => 288308)
--- releases/WebKitGTK/webkit-2.34/LayoutTests/editing/execCommand/resources/paste-as-quotation-disconnected-paragraph-ancestor-crash-iframe.html (rev 0)
+++ releases/WebKitGTK/webkit-2.34/LayoutTests/editing/execCommand/resources/paste-as-quotation-disconnected-paragraph-ancestor-crash-iframe.html 2022-01-20 19:08:25 UTC (rev 288308)
@@ -0,0 +1,30 @@
+<script>
+ async function foo() {
+ document.body.appendChild(document.createElement('table'));
+ let iframe0 = document.createElement('iframe');
+ iframe0.src = '';
+ document.body.appendChild(iframe0);
+ document.execCommand('SelectAll');
+ document.execCommand('Copy');
+ iframe0.remove();
+ if (window.caches)
+ await caches.has('a');
+ document.body.append(document.createElement('p'));
+ document.designMode = 'on';
+ document.execCommand('SelectAll');
+ document.execCommand('InsertHTML', false, 'a');
+ visualViewport._onresize_ = () => {
+ document.execCommand('PasteAsQuotation');
+ parent.postMessage('done');
+ };
+ document.head.appendChild(document.createElement('style'));
+ document.styleSheets[0].insertRule('p { width: 200%; height: 200%; }');
+ document.execCommand('PasteAsQuotation');
+ }
+
+ _onload_ = () => {
+ let s0 = document.createElement('script');
+ document.head.appendChild(s0);
+ s0.src = ""
+ }
+</script>
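Review bot: foo() is defined but nothing in this file calls it: the `_onload_` handler (same naming issue as in the parent test; presumably `onload`) only appends a script element whose `src` is the empty string, so as written the reproduction steps (SelectAll/Copy, the designMode edit, and the two PasteAsQuotation calls, one of them from the `visualViewport` resize handler) never execute. Either point `s0.src` at a resource that invokes foo(), or simply call `foo()` from the load handler; likewise `iframe0.src = ''` looks like a dropped URL. A one-line comment above foo() saying which step detaches the paragraph ancestor that moveNodeOutOfAncestor() then touches would make the test maintainable once the bug number is the only remaining context.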
Modified: releases/WebKitGTK/webkit-2.34/LayoutTests/platform/win/TestExpectations (288307 => 288308)
--- releases/WebKitGTK/webkit-2.34/LayoutTests/platform/win/TestExpectations 2022-01-20 18:43:21 UTC (rev 288307)
+++ releases/WebKitGTK/webkit-2.34/LayoutTests/platform/win/TestExpectations 2022-01-20 19:08:25 UTC (rev 288308)
@@ -315,6 +315,7 @@
# TODO Need to add functionality to DumpRenderTree to handle scrollbar policy changes
fast/overflow/scrollbar-restored-and-then-locked.html [ Skip ]
+editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash.html [ Skip ]
storage/indexeddb/clone-exception.html [ Timeout ]
storage/indexeddb/database-odd-names.html [ Timeout Failure ]
storage/indexeddb/primary-key-unique-to-objectstore.html [ Timeout ]
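Review bot: the new Skip line is inserted directly under the "# TODO Need to add functionality to DumpRenderTree to handle scrollbar policy changes" comment, which describes the unrelated fast/overflow test above it, so a reader will attribute the skip to the wrong reason. Put the entry under its own comment carrying the bug URL and the rationale from the ChangeLog, e.g. `# webkit.org/b/233463 Text output shifts expectations of other execCommand tests on Windows`, so the skip can be revisited when that is fixed.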
Modified: releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog (288307 => 288308)
--- releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog 2022-01-20 18:43:21 UTC (rev 288307)
+++ releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog 2022-01-20 19:08:25 UTC (rev 288308)
@@ -1,3 +1,19 @@
+2022-01-14 Frederic Wang <fw...@igalia.com>
+
+ null ptr deref in WebCore::ReplaceSelectionCommand::moveNodeOutOfAncestor()
+ https://bugs.webkit.org/show_bug.cgi?id=233463
+
+ Reviewed by Wenson Hsieh.
+
+ One line of ReplaceSelectionCommand::moveNodeOutOfAncestor() assumes that the pointer
+ ancestor.parentNode() is non-null. However, the call to removeNode(node) just before can
+ lead to arbitrary tree mutations that leaves the ancestor orphan, causing a nullptr deref.
+ This patch mitigates that issue by exiting early if that situation happens.
+
+ * editing/ReplaceSelectionCommand.cpp:
+ (WebCore::ReplaceSelectionCommand::moveNodeOutOfAncestor): Exit early if the ancestor
+ is no longer connected.
+
2022-01-10 Alan Bujtas <za...@apple.com>
null ptr deref in WebCore::LayoutIntegration::LineLayout::collectOverflow()
Modified: releases/WebKitGTK/webkit-2.34/Source/WebCore/editing/ReplaceSelectionCommand.cpp (288307 => 288308)
--- releases/WebKitGTK/webkit-2.34/Source/WebCore/editing/ReplaceSelectionCommand.cpp 2022-01-20 18:43:21 UTC (rev 288307)
+++ releases/WebKitGTK/webkit-2.34/Source/WebCore/editing/ReplaceSelectionCommand.cpp 2022-01-20 19:08:25 UTC (rev 288308)
@@ -830,6 +830,8 @@
VisiblePosition lastPositionInParagraph = lastPositionInNode(&ancestor);
if (positionAtEndOfNode == lastPositionInParagraph) {
removeNode(node);
+ if (!ancestor.isConnected())
+ return;
if (ancestor.nextSibling())
insertNodeBefore(WTFMove(protectedNode), *ancestor.nextSibling());
else
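Review bot: the guard tests `ancestor.isConnected()` while the ChangeLog describes the crash as `ancestor.parentNode()` being null; isConnected() is the stronger condition (a node can still have a parent while its whole subtree has been detached from the document), so the early return also bails out in cases the old code would have continued through, which is the safer choice but should be stated in the ChangeLog. Second, at the point of the `return`, removeNode(node) has already run and `protectedNode` is not reinserted anywhere, so the node is silently dropped when the ancestor is disconnected; that is acceptable for a crash mitigation, but a short comment on the `if` saying that the node is intentionally left out because there is no connected position to reinsert it at would save the next reader from suspecting a leak of editing state. Finally, only the `positionAtEndOfNode == lastPositionInParagraph` branch is visible in this hunk; if moveNodeOutOfAncestor() has the mirrored start-of-paragraph branch with its own removeNode() followed by `ancestor.previousSibling()`/parent access, it needs the same isConnected() check.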
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes