Title: [287118] trunk
Revision
287118
Author
commit-qu...@webkit.org
Date
2021-12-15 16:55:58 -0800 (Wed, 15 Dec 2021)

Log Message

null ptr deref in WebCore::ApplyStyleCommand::applyRelativeFontStyleChange
https://bugs.webkit.org/show_bug.cgi?id=234312

Patch by Gabriel Nava Marino <gnavamar...@apple.com> on 2021-12-15
Reviewed by Chris Dumez.

Source/WebCore:

In some situations calling ApplyStyleCommand::nodeFullySelected forces layout in a
way that disconnects the element. In this situation, we now break out of iteration.

We also add an isOrphan() check in ApplyStyleCommand::applyInlineStyle given
the possibility of this scenario.

Test: fast/editing/apply-relative-font-style-change-crash-004.html

* editing/ApplyStyleCommand.cpp:
(WebCore::ApplyStyleCommand::applyRelativeFontStyleChange):
(WebCore::ApplyStyleCommand::applyInlineStyle):

LayoutTests:

* TestExpectations:
* fast/editing/apply-relative-font-style-change-crash-004-expected.txt: Added.
* fast/editing/apply-relative-font-style-change-crash-004.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (287117 => 287118)


--- trunk/LayoutTests/ChangeLog	2021-12-16 00:55:07 UTC (rev 287117)
+++ trunk/LayoutTests/ChangeLog	2021-12-16 00:55:58 UTC (rev 287118)
@@ -1,3 +1,14 @@
+2021-12-15  Gabriel Nava Marino  <gnavamar...@apple.com>
+
+        null ptr deref in WebCore::ApplyStyleCommand::applyRelativeFontStyleChange
+        https://bugs.webkit.org/show_bug.cgi?id=234312
+
+        Reviewed by Chris Dumez.
+
+        * TestExpectations:
+        * fast/editing/apply-relative-font-style-change-crash-004-expected.txt: Added.
+        * fast/editing/apply-relative-font-style-change-crash-004.html: Added.
+
 2021-12-15  J Pascoe  <j_pas...@apple.com>
 
         [WebAuthn] Allow same-site, cross-origin iframe get()

Modified: trunk/LayoutTests/TestExpectations (287117 => 287118)


--- trunk/LayoutTests/TestExpectations	2021-12-16 00:55:07 UTC (rev 287117)
+++ trunk/LayoutTests/TestExpectations	2021-12-16 00:55:58 UTC (rev 287118)
@@ -3377,6 +3377,9 @@
 fast/text/design-system-ui-15.html [ ImageOnlyFailure ]
 fast/text/design-system-ui-16.html [ ImageOnlyFailure ]
 
+# This is a crash test.
+fast/editing/apply-relative-font-style-change-crash-004.html [ Pass Failure ]
+
 # This is a crash test. The result is ignored for now.
 imported/w3c/web-platform-tests/shadow-dom/imperative-slot-assign-not-slotable-crash.html [ Pass Failure ]
 

Added: trunk/LayoutTests/fast/editing/apply-relative-font-style-change-crash-004-expected.txt (0 => 287118)


--- trunk/LayoutTests/fast/editing/apply-relative-font-style-change-crash-004-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/editing/apply-relative-font-style-change-crash-004-expected.txt	2021-12-16 00:55:58 UTC (rev 287118)
@@ -0,0 +1,41 @@
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: This test passes if it does not crash.
+a
+
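Review bot: 38 identical "RangeError: Maximum call stack size exceeded." lines are being checked in as the baseline, and that count is a function of stack size, not of the behaviour under test, which is exactly why TestExpectations has to mark the test Pass Failure. Consider having the test swallow the recursion error instead of letting it reach the console (for example, returning true from the error handler once the recursion has served its purpose), so the expected file reduces to the "This test passes if it does not crash." line plus the "a" text and the test can be a plain Pass.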

Added: trunk/LayoutTests/fast/editing/apply-relative-font-style-change-crash-004.html (0 => 287118)


--- trunk/LayoutTests/fast/editing/apply-relative-font-style-change-crash-004.html	                        (rev 0)
+++ trunk/LayoutTests/fast/editing/apply-relative-font-style-change-crash-004.html	2021-12-16 00:55:58 UTC (rev 287118)
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<style>
+  video {
+    appearance: push-button;
+  }
+</style>
+<script>
+  _onerror_ = () => {
+      document.execCommand('InsertOrderedList');
+  };
+  document._onbeforeinput_ = () => {
+    document.execCommand('FontSizeDelta', false, '2');
+  };
+  _onload_ = () => {
+    document.body.append('a');
+    let video0 = document.createElement('video');
+    video0.controls = true;
+    document.body.appendChild(video0);
+    document.designMode = 'on';
+    document.body.appendChild(document.createElement('input'));
+    document.execCommand('SelectAll');
+    document.execCommand('InsertText', false, '');
+    if (window.testRunner)
+        testRunner.dumpAsText();
+    console.log("This test passes if it does not crash.");
+  };
+</script>
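Review bot: as shown here, the handlers are assigned to `_onerror_` and `document._onbeforeinput_`, which are not event handler properties; if that is not a rendering artefact of the archive, neither handler ever fires and the test cannot produce the recursion recorded in its expected output, so the file should be double-checked for `onerror` / `document.onbeforeinput`. Separately, the test would benefit from a short comment stating the mechanism it relies on: FontSizeDelta issued from beforeinput (with the `appearance: push-button` video forcing layout) is what disconnects the node inside applyRelativeFontStyleChange, and the error handler re-entering execCommand is what keeps the editing machinery looping until the stack runs out. Without that, the recursion reads as noise rather than as the trigger.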

Modified: trunk/Source/WebCore/ChangeLog (287117 => 287118)


--- trunk/Source/WebCore/ChangeLog	2021-12-16 00:55:07 UTC (rev 287117)
+++ trunk/Source/WebCore/ChangeLog	2021-12-16 00:55:58 UTC (rev 287118)
@@ -1,3 +1,22 @@
+2021-12-15  Gabriel Nava Marino  <gnavamar...@apple.com>
+
+        null ptr deref in WebCore::ApplyStyleCommand::applyRelativeFontStyleChange
+        https://bugs.webkit.org/show_bug.cgi?id=234312
+
+        Reviewed by Chris Dumez.
+
+        In some situations calling ApplyStyleCommand::nodeFullySelected forces layout in a
+        way that disconnects the element. In this situation, we now break out of iteration.
+
+        We also add an isOrphan() check in ApplyStyleCommand::applyInlineStyle given
+        the possibility of this scenario.
+
+        Test: fast/editing/apply-relative-font-style-change-crash-004.html
+
+        * editing/ApplyStyleCommand.cpp:
+        (WebCore::ApplyStyleCommand::applyRelativeFontStyleChange):
+        (WebCore::ApplyStyleCommand::applyInlineStyle):
+
 2021-12-15  J Pascoe  <j_pas...@apple.com>
 
         [WebAuthn] Allow same-site, cross-origin iframe get()

Modified: trunk/Source/WebCore/editing/ApplyStyleCommand.cpp (287117 => 287118)


--- trunk/Source/WebCore/editing/ApplyStyleCommand.cpp	2021-12-16 00:55:07 UTC (rev 287117)
+++ trunk/Source/WebCore/editing/ApplyStyleCommand.cpp	2021-12-16 00:55:58 UTC (rev 287118)
@@ -385,8 +385,11 @@
         RefPtr<HTMLElement> element;
         if (is<HTMLElement>(*node)) {
             // Only work on fully selected nodes.
-            if (!nodeFullySelected(downcast<HTMLElement>(*node), start, end))
+            if (!nodeFullySelected(downcast<HTMLElement>(*node), start, end)) {
+                if (!node->isConnected())
+                    break;
                 continue;
+            }
             element = &downcast<HTMLElement>(*node);
         } else if (is<Text>(*node) && node->renderer() && node->parentNode() != lastStyledNode) {
             // Last styled node was not parent node of this text node, but we wish to style this
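Review bot: the new `isConnected()` guard is only reached when `nodeFullySelected` returns false, so a node that the forced layout disconnects but that is still reported as fully selected falls through to `element = &downcast<HTMLElement>(*node);` and is styled while detached. If that outcome is impossible, a comment saying so is warranted; otherwise hoist the check so it runs right after `nodeFullySelected` regardless of its result, e.g. `bool fullySelected = nodeFullySelected(...); if (!node->isConnected()) break; if (!fullySelected) continue;`. Either way, the `break` deserves a one-line comment explaining that layout forced by nodeFullySelected can disconnect the current node and that traversal cannot safely continue from a detached subtree; as written, a reader has to follow the bug link to learn why this is `break` and not `continue`.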
@@ -588,7 +591,7 @@
         endDummySpanAncestor = dummySpanAncestorForNode(end.deprecatedNode());
     }
 
-    if (start.isNull() || end.isNull())
+    if (start.isNull() || start.isOrphan() || end.isNull() || end.isOrphan())
         return;
 
     // Remove style from the selection.
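Review bot: the added `isOrphan()` checks carry no comment, and the ChangeLog only says they were added "given the possibility of this scenario"; a line noting that layout forced earlier in the command (as in nodeFullySelected) can leave `start`/`end` anchored in a detached subtree would make the intent clear without a trip to the bug. Also consider moving this guard above the `dummySpanAncestorForNode(start/end.deprecatedNode())` computations, which currently run on positions that the very next statement may discard; nothing in this hunk relies on those ancestors having been computed for the early-return path.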
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes