Bug 211658

Summary: Nullptr crash in LegacyWebArchive::createPropertyListRepresentation when copying selected range that contains surrogate characters
Product: WebKit Reporter: Jack <shihchieh_lee>
Component: HTML EditingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, ews-feeder, ggaren, product-security, rniwa, webkit-bug-importer, wenson_hsieh
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: All   
OS: All   
Attachments:
Description Flags
Patch none

Description Jack 2020-05-08 20:25:00 PDT 
<rdar://62844424>

0   com.apple.WebCore             	0x000000010b25c4ef WebCore::LegacyWebArchive::createPropertyListRepresentation(WebCore::Archive&) + 47
1   com.apple.WebCore             	0x000000010b25c631 WebCore::LegacyWebArchive::createPropertyListRepresentation(WebCore::Archive&) + 369
2   com.apple.WebCore             	0x0000000109c444db WebCore::LegacyWebArchive::rawDataRepresentation() + 27
3   com.apple.WebCore             	0x000000010a146af9 WebCore::Editor::selectionInWebArchiveFormat() + 57
4   com.apple.WebCore             	0x000000010a1460eb WebCore::Editor::writeSelectionToPasteboard(WebCore::Pasteboard&) + 299
5   com.apple.WebCore             	0x000000010ae8ca37 WebCore::Editor::performCutOrCopy(WebCore::Editor::EditorActionSpecifier) + 535
6   com.apple.WebCore             	0x000000010aeb3287 WebCore::executeCopy(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) + 23
7   com.apple.WebCore             	0x0000000109c327b1 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) + 81
8   com.apple.WebCore             	0x000000010a02a23a WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::JSGlobalObject*, JSC::CallFrame*) + 426
Comment 1 Jack 2020-05-08 20:25:37 PDT 
<body><span id=span></span>
<script>
    span.offsetParent.before(document.createElement("frameset"));
    span.prepend("\ud800");
    document.execCommand("selectAll", true);
    document.execCommand("copy", true);
</script>

1. In this test case we are processing copy command and try to create LegacyWebArchive to describe the selected elements.
2. One element in the selection contains surrogate pairs so function convertUTF16ToUTF8() fails which makes creation of LegacyWebArchive to fail.
3. However, function LegacyWebArchive::createFromSelection does not check null LegacyWebArchive and continue to add the Ref() of it into a vector.
4. Eventually in LegacyWebArchive::createPropertyListRepresentation() it crashes when we try to pop the Ref() of LegacyWebArchive from the vetor and dereference the pointer of Ref().

Node tree when we are creating LegacyWebArchive:
*#document	0x106fc5ba0 (renderer 0x106fc5210) 
	HTML	0x106fc6800 (renderer 0x106fc56c0) 
		HEAD	0x106fc6890 (renderer 0x0) 
		FRAMESET	0x106fc6d30 (renderer 0x106fc6e40) 
		BODY	0x106fc6920 (renderer 0x106fc57f0) 
			SPAN	0x106fc69b0 (renderer 0x106fc6bd0) 
				#text	0x106fc6de0 "???"
			#text	0x106fc6a40 "\n"
			SCRIPT	0x106fc6aa0 (renderer 0x0) 
				#text	0x106fc6b70 "\n    span.offsetParent.before(document.createElement("frameset"));\n    span.prepend("\\ud800");\n    document.execCommand("selectAll", true);\n    document.execCommand("copy", true);\n"
Comment 2 Jack 2020-05-08 21:06:53 PDT 
Created attachment 398914 [details]
Patch
Comment 3 EWS 2020-05-09 01:07:33 PDT 
Committed r261434: <https://trac.webkit.org/changeset/261434>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 398914 [details].