Title: [261434] trunk
Revision
261434
Author
[email protected]
Date
2020-05-09 01:07:27 -0700 (Sat, 09 May 2020)

Log Message

Nullptr crash in LegacyWebArchive::createPropertyListRepresentation when copying selected range that contains surrogate characters
https://bugs.webkit.org/show_bug.cgi?id=211658
<rdar://problem/62844424>

Reviewed by Ryosuke Niwa.

Source/WebCore:

Added check for null LegacyWebArchive in LegacyWebArchive::createFromSelection. Return nullptr when creation fails.

Test: webarchive/copy-surrogate-char-crash.html

* loader/archive/cf/LegacyWebArchive.cpp:
(WebCore::LegacyWebArchive::createFromSelection):

LayoutTests:

Added a regression test for the crash.

* webarchive/copy-surrogate-char-crash-expected.txt: Added.
* webarchive/copy-surrogate-char-crash.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/loader/archive/cf/LegacyWebArchive.cpp

Added Paths

trunk/LayoutTests/webarchive/copy-surrogate-char-crash-expected.txt
trunk/LayoutTests/webarchive/copy-surrogate-char-crash.html
Diff

Modified: trunk/LayoutTests/ChangeLog (261433 => 261434)


--- trunk/LayoutTests/ChangeLog	2020-05-09 07:00:41 UTC (rev 261433)
+++ trunk/LayoutTests/ChangeLog	2020-05-09 08:07:27 UTC (rev 261434)
@@ -1,3 +1,16 @@
+2020-05-09  Jack Lee  <[email protected]>
+
+        Nullptr crash in LegacyWebArchive::createPropertyListRepresentation when copying selected range that contains surrogate characters
+        https://bugs.webkit.org/show_bug.cgi?id=211658
+        <rdar://problem/62844424>
+
+        Reviewed by Ryosuke Niwa.
+
+        Added a regression test for the crash.
+
+        * webarchive/copy-surrogate-char-crash-expected.txt: Added.
+        * webarchive/copy-surrogate-char-crash.html: Added.
+
 2020-05-08  Diego Pino Garcia  <[email protected]>
 
         [GTK] Gardening, update expectations after revert of r261341 and r261392

Added: trunk/LayoutTests/webarchive/copy-surrogate-char-crash-expected.txt (0 => 261434)


--- trunk/LayoutTests/webarchive/copy-surrogate-char-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/webarchive/copy-surrogate-char-crash-expected.txt	2020-05-09 08:07:27 UTC (rev 261434)
@@ -0,0 +1 @@
+"Tests copying selected range that contains surrogate characters. The test passes if WebKit doesn't crash or hit an ssertion."
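Review bot: "ssertion" is a typo for "assertion" in the expected output line; since the test runs under dumpAsText, this string is compared byte-for-byte against the text in copy-surrogate-char-crash.html, so correct it in both files in the same commit or the test will start failing.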

Added: trunk/LayoutTests/webarchive/copy-surrogate-char-crash.html (0 => 261434)


--- trunk/LayoutTests/webarchive/copy-surrogate-char-crash.html	                        (rev 0)
+++ trunk/LayoutTests/webarchive/copy-surrogate-char-crash.html	2020-05-09 08:07:27 UTC (rev 261434)
@@ -0,0 +1,11 @@
+<body><span id=span></span><span>"Tests copying selected range that contains surrogate characters. The test passes if WebKit doesn't crash or hit an ssertion."</span>
+<script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+        
+    span.offsetParent.before(document.createElement("frameset"));
+    span.prepend("\ud800");
+    document.execCommand("selectAll", true);
+    document.execCommand("copy", true);
+    document.getElementById("span").remove();
+</script>
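Review bot: the script mixes two ways of reaching the same element: `span.offsetParent.before(...)` and `span.prepend("\ud800")` rely on the implicit named-element global for `id=span`, while the last line uses `document.getElementById("span")`; pick one (getElementById is the explicit choice) so the test does not depend on named-access to window. The line after `testRunner.dumpAsText();` consists only of trailing whitespace and should be an empty line. A one-line comment would also help future readers: the lone high surrogate `"\ud800"` is what makes archive creation fail, and inserting a `<frameset>` is what sends `createFromSelection` down the `isFrameSet()` path that dereferenced the null archive. Finally, the visible description string must stay identical to copy-surrogate-char-crash-expected.txt, including the "ssertion" typo, until both are fixed together.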

Modified: trunk/Source/WebCore/ChangeLog (261433 => 261434)


--- trunk/Source/WebCore/ChangeLog	2020-05-09 07:00:41 UTC (rev 261433)
+++ trunk/Source/WebCore/ChangeLog	2020-05-09 08:07:27 UTC (rev 261434)
@@ -1,3 +1,18 @@
+2020-05-09  Jack Lee  <[email protected]>
+
+        Nullptr crash in LegacyWebArchive::createPropertyListRepresentation when copying selected range that contains surrogate characters
+        https://bugs.webkit.org/show_bug.cgi?id=211658
+        <rdar://problem/62844424>
+
+        Reviewed by Ryosuke Niwa.
+
+        Added check for null LegacyWebArchive in LegacyWebArchive::createFromSelection. Return nullptr when creation fails.
+
+        Test: webarchive/copy-surrogate-char-crash.html
+
+        * loader/archive/cf/LegacyWebArchive.cpp:
+        (WebCore::LegacyWebArchive::createFromSelection):
+
 2020-05-09  Tetsuharu Ohzeki  <[email protected]>
 
         Fix wpt shadow-dom/slots-fallback-in-document.html

Modified: trunk/Source/WebCore/loader/archive/cf/LegacyWebArchive.cpp (261433 => 261434)


--- trunk/Source/WebCore/loader/archive/cf/LegacyWebArchive.cpp	2020-05-09 07:00:41 UTC (rev 261433)
+++ trunk/Source/WebCore/loader/archive/cf/LegacyWebArchive.cpp	2020-05-09 08:07:27 UTC (rev 261434)
@@ -605,7 +605,9 @@
     builder.append(serializePreservingVisualAppearance(frame->selection().selection(), ResolveURLs::No, serializeComposedTree, &nodeList));
 
     auto archive = create(builder.toString(), *frame, nodeList, nullptr);
-    
+    if (!archive)
+        return nullptr;
+
     if (!document->isFrameSet())
         return archive;
         
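Review bot: the early `if (!archive) return nullptr;` is the right guard for the null dereference on the frameset path below, but a short comment on why `create()` can return null here (the ChangeLog attributes it to selections containing unpaired surrogate characters, which cannot be serialized into the property list) would save the next reader a trip to the bug. Please also confirm that every caller of `createFromSelection` already tolerates a null return, since this hunk turns a crash into a nullptr result rather than an archive. Minor: the hunk removes trailing whitespace from the blank line after `create(...)`, but the blank line after `return archive;` still carries trailing spaces and could be cleaned up in the same change.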
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
