Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 869d5c55313783da5714584b7db649435dbb16b0
      
https://github.com/WebKit/WebKit/commit/869d5c55313783da5714584b7db649435dbb16b0
  Author: Aditya Keerthi <[email protected]>
  Date:   2026-05-29 (Fri, 29 May 2026)

  Changed paths:
    A LayoutTests/fast/forms/date/date-editable-components/date-editable-components-change-type-on-input-event-expected.txt
    A LayoutTests/fast/forms/date/date-editable-components/date-editable-components-change-type-on-input-event.html
    M Source/WebCore/html/BaseDateAndTimeInputType.cpp
    M Source/WebCore/html/BaseDateAndTimeInputType.h
    M Source/WebCore/html/shadow/DateTimeEditElement.cpp
    M Source/WebCore/html/shadow/DateTimeEditElement.h

  Log Message:
  -----------
  Use-After-Free in `BaseDateAndTimeInputType::didChangeValueFromControl`
https://bugs.webkit.org/show_bug.cgi?id=310544
rdar://173012873

Reviewed by Abrar Rahman Protyasha and Lily Spiniolas.

`BaseDateAndTimeInputType::didChangeValueFromControl()` dispatches `input`
events without protecting itself. An event handler can change the input's type
(e.g., from `date` to `text`), which replaces `HTMLInputElement::m_inputType`
and destroys the `BaseDateAndTimeInputType` instance. After the event handler
returns, the function continues executing `setupDateTimeChooserParameters()`
and `showDateTimeChooser()` on the freed object, resulting in a use-after-free.

Fix by holding a `RefPtr` to the input type on the stack prior to calling
`didChangeValueFromControl()`.

Test: fast/forms/date/date-editable-components/date-editable-components-change-type-on-input-event.html

* LayoutTests/fast/forms/date/date-editable-components/date-editable-components-change-type-on-input-event-expected.txt: Added.
* LayoutTests/fast/forms/date/date-editable-components/date-editable-components-change-type-on-input-event.html: Added.
* Source/WebCore/html/BaseDateAndTimeInputType.cpp:
(WebCore::BaseDateAndTimeInputType::setupDateTimeChooserParameters):

Fix `setupDateTimeChooserParameters` to null-check element() instead of
asserting, since the element may be gone after the type change.

* Source/WebCore/html/BaseDateAndTimeInputType.h:
* Source/WebCore/html/shadow/DateTimeEditElement.cpp:
(WebCore::DateTimeEditElement::defaultEventHandler):
(WebCore::DateTimeEditElement::didBlurFromField):
(WebCore::DateTimeEditElement::fieldValueChanged):
(WebCore::DateTimeEditElement::isFieldOwnerDisabled const):
(WebCore::DateTimeEditElement::isFieldOwnerReadOnly const):
(WebCore::DateTimeEditElement::didFieldOwnerTransferFocusToPicker):
(WebCore::DateTimeEditElement::didSuppressBlurDueToPickerFocusTransfer):
(WebCore::DateTimeEditElement::localeIdentifier const):
(WebCore::DateTimeEditElement::value const):
(WebCore::DateTimeEditElement::placeholderValue const):
* Source/WebCore/html/shadow/DateTimeEditElement.h:

Change the base class of `DateTimeEditElementEditControlOwner` from
`CanMakeWeakPtr<DateTimeEditElementEditControlOwner>` to
`AbstractRefCountedAndCanMakeWeakPtr<DateTimeEditElementEditControlOwner>`,
so that the object may be ref-counted.

Remove the `IsDeprecatedWeakRefSmartPointerException` exception, since
`DateTimeEditElementEditControlOwner` needs to be ref-counted to avoid
use-after-free.

Originally-landed-as: 305413.565@rapid/safari-7624.2.5.110-branch (f49e83162fdd). rdar://176061451
Canonical link: https://commits.webkit.org/314162@main
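The lifetime hazard described in the log message, reduced to a toy. This is an added illustration, not WebKit code: `RefCounted`, `RefPtr`, `InputType`, `InputElement`, `runScenario` and the `Outcome` enum are hypothetical stand-ins for WTF::RefCounted/RefPtr, `BaseDateAndTimeInputType` and `HTMLInputElement::m_inputType`. The "input event handler" is a plain callback that swaps the element's type the way a JS listener changing `date` to `text` would. The unprotected method detects that `this` was destroyed during dispatch by reading a destructor counter rather than freed memory, so the toy reports the use-after-free without committing it; the protected method holds a stack `RefPtr` across dispatch and then null-checks its element pointer instead of asserting, mirroring both parts of the fix.

```cpp
#include <cstdio>
#include <functional>
#include <string>
#include <utility>

// Hypothetical minimal intrusive ref counting (stand-in for WTF::RefCounted / WTF::RefPtr).
class RefCounted {
public:
    void ref() { ++m_refCount; }
    void deref() { if (!--m_refCount) delete this; }
protected:
    virtual ~RefCounted() = default;
private:
    unsigned m_refCount { 0 };
};

template<typename T> class RefPtr {
public:
    RefPtr() = default;
    RefPtr(T* ptr) : m_ptr(ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& other) : RefPtr(other.m_ptr) { }
    RefPtr(RefPtr&& other) noexcept : m_ptr(std::exchange(other.m_ptr, nullptr)) { }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(RefPtr other) { std::swap(m_ptr, other.m_ptr); return *this; }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr { nullptr };
};

// Destructor counters let callers observe "was |this| freed?" without dereferencing freed memory.
static int g_destroyedInputTypes = 0;
static int g_lastDestroyedDuringDispatch = 0;

enum class Outcome { UseAfterFree, ChooserShown, SkippedDetached };

struct InputElement;

// Hypothetical stand-in for BaseDateAndTimeInputType.
struct InputType : RefCounted {
    InputElement* element { nullptr };         // cleared when the element swaps its type
    std::function<void()> inputEventHandler;   // stands in for a JS 'input' listener
    std::string chooserState { "idle" };

    ~InputType() override { ++g_destroyedInputTypes; }

    // Buggy shape: dispatch, then keep using members. If the handler replaced the
    // element's input type, |this| is already gone when the handler returns. Only a
    // local and a global are read afterwards, so the toy reports the UAF instead of doing it.
    Outcome didChangeValueUnprotected() {
        int destroyedBefore = g_destroyedInputTypes;
        auto handler = inputEventHandler;      // copied: the member may be destroyed mid-call
        if (handler) handler();
        g_lastDestroyedDuringDispatch = g_destroyedInputTypes - destroyedBefore;
        if (g_lastDestroyedDuringDispatch)
            return Outcome::UseAfterFree;      // real code would now touch freed memory
        chooserState = "shown";                // setupDateTimeChooserParameters()/showDateTimeChooser()
        return Outcome::ChooserShown;
    }

    // Fixed shape: a stack RefPtr keeps |this| alive across dispatch, and the element
    // pointer is null-checked (not asserted) before continuing.
    Outcome didChangeValueProtected() {
        RefPtr<InputType> protectedThis(this);
        int destroyedBefore = g_destroyedInputTypes;
        if (inputEventHandler) inputEventHandler();
        g_lastDestroyedDuringDispatch = g_destroyedInputTypes - destroyedBefore;  // 0: we hold a ref
        if (!element)
            return Outcome::SkippedDetached;   // type changed under us; nothing to show
        chooserState = "shown";
        return Outcome::ChooserShown;
    }   // protectedThis released here; the object is freed now if no one else holds it
};

// Hypothetical stand-in for HTMLInputElement and its m_inputType.
struct InputElement {
    RefPtr<InputType> m_inputType;
    void setType(const std::string&) {
        if (m_inputType.get()) m_inputType->element = nullptr;  // detach the old type
        m_inputType = RefPtr<InputType>(new InputType);          // frees the old one unless someone else refs it
        m_inputType->element = this;
    }
};

struct ScenarioResult { Outcome outcome; int destroyedDuringDispatch; };

// A date input whose 'input' listener either swaps the type to text (as in the bug) or does nothing.
ScenarioResult runScenario(bool useProtectedPath, bool handlerChangesType) {
    InputElement element;
    element.setType("date");
    if (handlerChangesType)
        element.m_inputType->inputEventHandler = [&element] { element.setType("text"); };
    InputType* type = element.m_inputType.get();
    Outcome outcome = useProtectedPath ? type->didChangeValueProtected() : type->didChangeValueUnprotected();
    return { outcome, g_lastDestroyedDuringDispatch };
}

int main() {
    ScenarioResult buggy = runScenario(false, true);
    ScenarioResult fixed = runScenario(true, true);
    std::printf("unprotected: destroyed during dispatch = %d\n", buggy.destroyedDuringDispatch);
    std::printf("protected:   destroyed during dispatch = %d\n", fixed.destroyedDuringDispatch);
    return 0;
}
```

The point to take from the protected path is that the stack `RefPtr` does not prevent the type swap; it only guarantees the object outlives the call, which is why the element null-check is still needed afterwards.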
