Title: [288052] trunk
- Revision: 288052
- Author: [email protected]
- Date: 2022-01-14 23:00:43 -0800 (Fri, 14 Jan 2022)
Log Message
null ptr deref in WebCore::ReplaceSelectionCommand::moveNodeOutOfAncestor()
https://bugs.webkit.org/show_bug.cgi?id=233463
Patch by Frederic Wang <[email protected]> on 2022-01-14
Reviewed by Wenson Hsieh.
Source/WebCore:
One line of ReplaceSelectionCommand::moveNodeOutOfAncestor() assumes that the pointer
ancestor.parentNode() is non-null. However, the call to removeNode(node) just before can
lead to arbitrary tree mutations that leave the ancestor orphaned, causing a nullptr deref.
This patch mitigates that issue by exiting early if that situation happens.
* editing/ReplaceSelectionCommand.cpp:
(WebCore::ReplaceSelectionCommand::moveNodeOutOfAncestor): Exit early if the ancestor
is no longer connected.
LayoutTests:
Add non-regression test.
* editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash-expected.txt: Added.
* editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash.html: Added.
* editing/execCommand/resources/paste-as-quotation-disconnected-paragraph-ancestor-crash-iframe.html: Added.
* platform/win/TestExpectations: Skip test on Windows, as the test seems to shift expectations with text output
of other execCommand tests.
Diff
Modified: trunk/LayoutTests/ChangeLog (288051 => 288052)
--- trunk/LayoutTests/ChangeLog 2022-01-15 04:16:24 UTC (rev 288051)
+++ trunk/LayoutTests/ChangeLog 2022-01-15 07:00:43 UTC (rev 288052)
@@ -1,3 +1,18 @@
+2022-01-14 Frederic Wang <[email protected]>
+
+ null ptr deref in WebCore::ReplaceSelectionCommand::moveNodeOutOfAncestor()
+ https://bugs.webkit.org/show_bug.cgi?id=233463
+
+ Reviewed by Wenson Hsieh.
+
+ Add non-regression test.
+
+ * editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash-expected.txt: Added.
+ * editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash.html: Added.
+ * editing/execCommand/resources/paste-as-quotation-disconnected-paragraph-ancestor-crash-iframe.html: Added.
+ * platform/win/TestExpectations: Skip test on windows, as the test seems to shift expectations with text output
+ of other execCommand tests.
+
2022-01-13 Myles C. Maxfield <[email protected]>
[macOS WK1] fast/canvas/large-getImageData.html is consistently failing
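Review bot: the justification for the Windows skip ("seems to shift expectations with text output of other execCommand tests") is too vague to act on later; name the tests whose output changed, or file a bug and cite it both here and next to the entry in platform/win/TestExpectations so the skip can be revisited. Also "windows" should be capitalised as "Windows".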
Added: trunk/LayoutTests/editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash-expected.txt (0 => 288052)
--- trunk/LayoutTests/editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash-expected.txt 2022-01-15 07:00:43 UTC (rev 288052)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: This test PASS if it does not crash.
+
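Review bot: the expected console line "This test PASS if it does not crash." is ungrammatical; "This test passes if it does not crash." reads correctly. It has to stay byte-identical to the console.log string in paste-as-quotation-disconnected-paragraph-ancestor-crash.html, so change both files together.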
Added: trunk/LayoutTests/editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash.html (0 => 288052)
--- trunk/LayoutTests/editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash.html (rev 0)
+++ trunk/LayoutTests/editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash.html 2022-01-15 07:00:43 UTC (rev 288052)
@@ -0,0 +1,21 @@
+<script>
+ async function loadFrame(url) {
+ await new Promise(resolve => {
+ window.addEventListener('message', resolve, {once: true});
+ let iframe = document.createElement('iframe');
+ iframe.src = ""
+ document.body.appendChild(iframe);
+ });
+ }
+
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ console.log("This test PASS if it does not crash.")
+ }
+
+ _onload_ = () => {
+ loadFrame('resources/paste-as-quotation-disconnected-paragraph-ancestor-crash-iframe.html');
+ testRunner.notifyDone();
+ };
+</script>
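Review bot: loadFrame() is not awaited in the onload handler, so testRunner.notifyDone() runs right after the iframe element is created and the test can be reported finished before the child frame has executed its PasteAsQuotation steps and posted 'done'; make the handler async and `await loadFrame(...)` before calling notifyDone(). Two smaller points: the `url` parameter of loadFrame() is never used (iframe.src is assigned the empty string as shown), and notifyDone() is called without the `if (window.testRunner)` guard used a few lines above, so the file throws a ReferenceError when opened in a plain browser.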
Added: trunk/LayoutTests/editing/execCommand/resources/paste-as-quotation-disconnected-paragraph-ancestor-crash-iframe.html (0 => 288052)
--- trunk/LayoutTests/editing/execCommand/resources/paste-as-quotation-disconnected-paragraph-ancestor-crash-iframe.html (rev 0)
+++ trunk/LayoutTests/editing/execCommand/resources/paste-as-quotation-disconnected-paragraph-ancestor-crash-iframe.html 2022-01-15 07:00:43 UTC (rev 288052)
@@ -0,0 +1,30 @@
+<script>
+ async function foo() {
+ document.body.appendChild(document.createElement('table'));
+ let iframe0 = document.createElement('iframe');
+ iframe0.src = '';
+ document.body.appendChild(iframe0);
+ document.execCommand('SelectAll');
+ document.execCommand('Copy');
+ iframe0.remove();
+ if (window.caches)
+ await caches.has('a');
+ document.body.append(document.createElement('p'));
+ document.designMode = 'on';
+ document.execCommand('SelectAll');
+ document.execCommand('InsertHTML', false, 'a');
+ visualViewport._onresize_ = () => {
+ document.execCommand('PasteAsQuotation');
+ parent.postMessage('done');
+ };
+ document.head.appendChild(document.createElement('style'));
+ document.styleSheets[0].insertRule('p { width: 200%; height: 200%; }');
+ document.execCommand('PasteAsQuotation');
+ }
+
+ _onload_ = () => {
+ let s0 = document.createElement('script');
+ document.head.appendChild(s0);
+ s0.src = ""
+ }
+</script>
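Review bot: as shown, foo() is never invoked: the onload handler only appends a script element whose src is the empty string, so nothing in these lines triggers the reproduction steps; if that src was meant to carry a call to foo(), a direct `foo()` call in onload is clearer and avoids the extra script load. The `if (window.caches) await caches.has('a')` guard also means the async yield only happens where the Cache API is exposed; if that yield is part of reproducing the crash, a comment saying so and a yield that does not depend on the Cache API would make the test more deterministic across configurations.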
Modified: trunk/LayoutTests/platform/win/TestExpectations (288051 => 288052)
--- trunk/LayoutTests/platform/win/TestExpectations 2022-01-15 04:16:24 UTC (rev 288051)
+++ trunk/LayoutTests/platform/win/TestExpectations 2022-01-15 07:00:43 UTC (rev 288052)
@@ -331,6 +331,7 @@
# TODO Need to add functionality to DumpRenderTree to handle scrollbar policy changes
fast/overflow/scrollbar-restored-and-then-locked.html [ Skip ]
+editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash.html [ Skip ]
storage/indexeddb/clone-exception.html [ Timeout ]
storage/indexeddb/database-odd-names.html [ Timeout Failure ]
storage/indexeddb/primary-key-unique-to-objectstore.html [ Timeout ]
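Review bot: the new Skip entry has no accompanying comment or bug reference, unlike the `# TODO ...` line that explains the neighbouring skip, so there is no record of why Windows is excluded. Since this is a crash test, `[ Skip ]` also means a regression would go unnoticed on Windows; if only the text output differs there, `[ Failure ]` keeps the crash detection while tolerating the output mismatch, ideally with a bug link for the mismatch.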
Modified: trunk/Source/WebCore/ChangeLog (288051 => 288052)
--- trunk/Source/WebCore/ChangeLog 2022-01-15 04:16:24 UTC (rev 288051)
+++ trunk/Source/WebCore/ChangeLog 2022-01-15 07:00:43 UTC (rev 288052)
@@ -1,3 +1,19 @@
+2022-01-14 Frederic Wang <[email protected]>
+
+ null ptr deref in WebCore::ReplaceSelectionCommand::moveNodeOutOfAncestor()
+ https://bugs.webkit.org/show_bug.cgi?id=233463
+
+ Reviewed by Wenson Hsieh.
+
+ One line of ReplaceSelectionCommand::moveNodeOutOfAncestor() assumes that the pointer
+ ancestor.parentNode() is non-null. However, the call to removeNode(node) just before can
+ lead to arbitrary tree mutations that leaves the ancestor orphan, causing a nullptr deref.
+ This patch mitigates that issue by exiting early if that situation happens.
+
+ * editing/ReplaceSelectionCommand.cpp:
+ (WebCore::ReplaceSelectionCommand::moveNodeOutOfAncestor): Exit early if the ancestor
+ is no longer connected.
+
2022-01-14 Alan Bujtas <[email protected]>
[Cleanup] Remove redundant (and incorrect) RenderStyle::isDisplayReplacedType
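Review bot: "tree mutations that leaves the ancestor orphan" should read "tree mutations that leave the ancestor orphaned". More substantively, the description says the code assumes `ancestor.parentNode()` is non-null, but the fix checks `ancestor.isConnected()`, which is a stronger condition (a node in a detached subtree has a parent but is not connected); the entry should state which condition is intended and why the stricter one was chosen.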
Modified: trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp (288051 => 288052)
--- trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp 2022-01-15 04:16:24 UTC (rev 288051)
+++ trunk/Source/WebCore/editing/ReplaceSelectionCommand.cpp 2022-01-15 07:00:43 UTC (rev 288052)
@@ -837,6 +837,8 @@
VisiblePosition lastPositionInParagraph = lastPositionInNode(&ancestor);
if (positionAtEndOfNode == lastPositionInParagraph) {
removeNode(node);
+ if (!ancestor.isConnected())
+ return;
if (ancestor.nextSibling())
insertNodeBefore(WTFMove(protectedNode), *ancestor.nextSibling());
else
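Review bot: after `removeNode(node)` the early return leaves `protectedNode` detached and never re-inserted, so when the ancestor has been disconnected the node is silently dropped from the document rather than moved out of its ancestor; either this is intended and should be stated in a comment (and in the ChangeLog), or the node needs a fallback insertion point. A short comment on the `!ancestor.isConnected()` check would also help, since the ChangeLog frames the bug in terms of `ancestor.parentNode()` being null and `isConnected()` is the stricter test.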
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes