Title: [279371] trunk
Revision
279371
Author
[email protected]
Date
2021-06-29 05:06:41 -0700 (Tue, 29 Jun 2021)

Log Message

Nullptr crash in HTMLStackItem::create via DocumentFragment::parseHTML
https://bugs.webkit.org/show_bug.cgi?id=227390

Patch by Rob Buis <[email protected]> on 2021-06-29
Reviewed by Ryosuke Niwa.

Source/WebCore:

DOM manipulation can mean document.body() can return null, causing the
crash/ASSERT in DocumentFragment::parseHTML in the test case. Since the
only use of it was to force InBody insertion mode, instead use a fake body element.

Test: editing/pasteboard/paste-create-fragment-crash.html

* editing/cocoa/WebContentReaderCocoa.mm:
(WebCore::createFragment):

LayoutTests:

Add test for this.

* editing/pasteboard/paste-create-fragment-crash-expected.txt: Added.
* editing/pasteboard/paste-create-fragment-crash.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/editing/cocoa/WebContentReaderCocoa.mm

Added Paths

trunk/LayoutTests/editing/pasteboard/paste-create-fragment-crash-expected.txt
trunk/LayoutTests/editing/pasteboard/paste-create-fragment-crash.html

Diff

Modified: trunk/LayoutTests/ChangeLog (279370 => 279371)


--- trunk/LayoutTests/ChangeLog	2021-06-29 09:38:57 UTC (rev 279370)
+++ trunk/LayoutTests/ChangeLog	2021-06-29 12:06:41 UTC (rev 279371)
@@ -1,5 +1,17 @@
 2021-06-29  Rob Buis  <[email protected]>
 
+        Nullptr crash in HTMLStackItem::create via DocumentFragment::parseHTML
+        https://bugs.webkit.org/show_bug.cgi?id=227390
+
+        Reviewed by Ryosuke Niwa.
+
+        Add test for this.
+
+        * editing/pasteboard/paste-create-fragment-crash-expected.txt: Added.
+        * editing/pasteboard/paste-create-fragment-crash.html: Added.
+
+2021-06-29  Rob Buis  <[email protected]>
+
         Crash in SharedBuffer::data
         https://bugs.webkit.org/show_bug.cgi?id=227173
 

Added: trunk/LayoutTests/editing/pasteboard/paste-create-fragment-crash-expected.txt (0 => 279371)


--- trunk/LayoutTests/editing/pasteboard/paste-create-fragment-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/pasteboard/paste-create-fragment-crash-expected.txt	2021-06-29 12:06:41 UTC (rev 279371)
@@ -0,0 +1 @@
+Test passes if it does not crash

Added: trunk/LayoutTests/editing/pasteboard/paste-create-fragment-crash.html (0 => 279371)


--- trunk/LayoutTests/editing/pasteboard/paste-create-fragment-crash.html	                        (rev 0)
+++ trunk/LayoutTests/editing/pasteboard/paste-create-fragment-crash.html	2021-06-29 12:06:41 UTC (rev 279371)
@@ -0,0 +1,21 @@
+<script>
+  _onload_ = () => {
+    if (!window.testRunner)
+      return;
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+    document.documentElement.prepend('\ud800');
+    getSelection().collapse(document.head, 1);
+    getSelection().extend(document.head);
+    document.designMode = 'on';
+    document.execCommand('InsertParagraph');
+    document.execCommand('SelectAll');
+    document.execCommand('Copy');
+    document.execCommand('Paste');
+    setTimeout(() => {
+        document.documentElement.innerHTML = "Test passes if it does not crash";
+        testRunner.notifyDone();
+    });
+  };
+</script>
+
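Review bot: opened outside the harness, the test returns at the `if (!window.testRunner)` guard before writing anything, so a manual run shows a blank page with no hint of what it checks; set the "Test passes if it does not crash" text before that early return, or at least add a comment naming the bug (227390) and the step that used to crash (the `Paste` after editing inside `<head>`, which per the ChangeLog leaves `document.body()` null), since the `'\ud800'` prepend and the head-only selection otherwise read as noise to the next person who touches this file. A one-line comment on why `notifyDone` is deferred through `setTimeout` rather than called right after the last `execCommand` would also help.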

Modified: trunk/Source/WebCore/ChangeLog (279370 => 279371)


--- trunk/Source/WebCore/ChangeLog	2021-06-29 09:38:57 UTC (rev 279370)
+++ trunk/Source/WebCore/ChangeLog	2021-06-29 12:06:41 UTC (rev 279371)
@@ -1,5 +1,21 @@
 2021-06-29  Rob Buis  <[email protected]>
 
+        Nullptr crash in HTMLStackItem::create via DocumentFragment::parseHTML
+        https://bugs.webkit.org/show_bug.cgi?id=227390
+
+        Reviewed by Ryosuke Niwa.
+
+        DOM manipulation can mean document.body() can return null, causing the
+        crash/ASSERT in DocumentFragment::parseHTML in the test case. Since the
+        only use of it was to force InBody insertion mode, instead use a fake body element.
+
+        Test: editing/pasteboard/paste-create-fragment-crash.html
+
+        * editing/cocoa/WebContentReaderCocoa.mm:
+        (WebCore::createFragment):
+
+2021-06-29  Rob Buis  <[email protected]>
+
         Crash in SharedBuffer::data
         https://bugs.webkit.org/show_bug.cgi?id=227173
 

Modified: trunk/Source/WebCore/editing/cocoa/WebContentReaderCocoa.mm (279370 => 279371)


--- trunk/Source/WebCore/editing/cocoa/WebContentReaderCocoa.mm	2021-06-29 09:38:57 UTC (rev 279370)
+++ trunk/Source/WebCore/editing/cocoa/WebContentReaderCocoa.mm	2021-06-29 12:06:41 UTC (rev 279371)
@@ -145,7 +145,8 @@
     NSArray *subresources = nil;
     NSString *fragmentString = [string _htmlDocumentFragmentString:NSMakeRange(0, [string length]) documentAttributes:attributesForAttributedStringConversion() subresources:&subresources];
     auto fragment = DocumentFragment::create(document);
-    fragment->parseHTML(fragmentString, document.body(), DisallowScriptingAndPluginContent);
+    auto dummyBodyToForceInBodyInsertionMode = HTMLBodyElement::create(document);
+    fragment->parseHTML(fragmentString, dummyBodyToForceInBodyInsertionMode.ptr(), DisallowScriptingAndPluginContent);
 
     result.fragment = WTFMove(fragment);
     for (WebArchiveResourceFromNSAttributedString *resource in subresources)
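Review bot: the fix covers this one call site only; any other `parseHTML(..., document.body(), ...)` caller that can run after script has removed the body element is exposed to the same null context element, so it is worth grepping the other content readers for the pattern and giving them the same detached `HTMLBodyElement`. Within this hunk the change itself looks right: `dummyBodyToForceInBodyInsertionMode` is a `Ref` that outlives the synchronous `parseHTML` call, so passing the raw `.ptr()` is safe, and the variable name documents the intent well enough that no extra comment is needed.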
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
