Bug 218132

Summary: Null dereference in CompositeEditCommand::cloneParagraphUnderNewElement() due to not checking for top of DOM tree
Product: WebKit
Reporter: Julian Gonzalez <julian_a_gonzalez>
Component: HTML Editing
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, ews-feeder, product-security, rniwa, webkit-bug-importer, wenson_hsieh
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Attachments (Description / Flags):
    Patch / none
    Patch / none
    Reduced test case / none
    Patch / none

Description Julian Gonzalez 2020-10-23 11:51:38 PDT
e.g.

    #0 0x2d60df731 in WebCore::Node::parentNode() const+0x21
    #1 0x2da279932 in WebCore::CompositeEditCommand::cloneParagraphUnderNewElement(WebCore::Position const&, WebCore::Position const&, WebCore::Node*, WebCore::Element*)+0x882
    #2 0x2da27a567 in WebCore::CompositeEditCommand::moveParagraphWithClones(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, WebCore::Element*, WebCore::Node*)+0x327
    #3 0x2da309ced in WebCore::IndentOutdentCommand::indentIntoBlockquote(WebCore::Position const&, WebCore::Position const&, WTF::RefPtr<WebCore::Element, WTF::DumbPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element> >&)+0x53d
    #4 0x2da30b75c in WebCore::IndentOutdentCommand::formatRange(WebCore::Position const&, WebCore::Position const&, WebCore::Position const&, WTF::RefPtr<WebCore::Element, WTF::DumbPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element> >&)+0x3c
    #5 0x2da256c41 in WebCore::ApplyBlockElementCommand::formatSelection(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&)+0xca1
    #6 0x2da30b706 in WebCore::IndentOutdentCommand::formatSelection(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&)+0x36
    #7 0x2da255a99 in WebCore::ApplyBlockElementCommand::doApply()+0x459
    #8 0x2da2545c6 in WebCore::CompositeEditCommand::apply()+0x216
    #9 0x2da313828 in WebCore::executeIndent(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&)+0xc8
    #10 0x2da2d8d9b in WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const+0xdb
    #11 0x2d9f61aa3 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)+0xf3
    #12 0x2d7480189 in WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)+0x469
    #13 0x2d732884b in long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)+0xfb
    #14 0x2d7328748 in WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*)+0x8

<rdar://problem/66894117> Null Ptr Deref @ WebCore::Node::parentNode const+0
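The summary describes a walk up the parent chain that assumed a given ancestor would always be reached before the top of the DOM tree, so parentNode() eventually returned null and was dereferenced. The following is an added example, not code from WebKit or from the patch on this bug: a toy Node whose parentNode() returns nullptr at the root, an unchecked ancestor walk that models the bug class, and a checked walk that stops at the top of the tree and reports the miss to its caller. The node names, the functions ancestorsUpToUnchecked, ancestorsUpToChecked and makeSampleTree, and the sample tree are all constructed for this illustration.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Toy DOM node constructed for this example; it stands in for WebCore::Node
// only in that parentNode() returns nullptr at the top of the tree.
struct Node {
    std::string name;
    Node* parent = nullptr;
    std::vector<std::unique_ptr<Node>> children;

    explicit Node(std::string n) : name(std::move(n)) {}

    Node* appendChild(std::string n) {
        children.push_back(std::make_unique<Node>(std::move(n)));
        children.back()->parent = this;
        return children.back().get();
    }
    Node* parentNode() const { return parent; }
};

// Unchecked walk (the bug class): collects `start` and its ancestors until it
// meets `outerNode`, assuming `outerNode` is always reached. When it is not an
// ancestor, `node` becomes nullptr at the top of the tree and the loop's next
// node->parentNode() dereferences null. Kept for contrast; only called below
// with a target that really is an ancestor.
std::vector<Node*> ancestorsUpToUnchecked(Node* start, Node* outerNode) {
    std::vector<Node*> chain;
    for (Node* node = start; node != outerNode; node = node->parentNode())
        chain.push_back(node);
    return chain;
}

// Checked walk: stops at the top of the tree and reports whether outerNode was
// actually found, so the caller can bail out instead of dereferencing null.
bool ancestorsUpToChecked(Node* start, Node* outerNode, std::vector<Node*>& chain) {
    chain.clear();
    for (Node* node = start; node != outerNode; node = node->parentNode()) {
        if (!node)
            return false; // reached the top of the DOM tree without meeting outerNode
        chain.push_back(node);
    }
    return true;
}

// Constructed sample tree: #document > body > blockquote > p > #text, plus a
// detached element that is not an ancestor of anything in the tree.
struct SampleTree {
    std::unique_ptr<Node> document;
    std::unique_ptr<Node> detached;
    Node* body = nullptr;
    Node* text = nullptr;
};

SampleTree makeSampleTree() {
    SampleTree t;
    t.document = std::make_unique<Node>("#document");
    t.body = t.document->appendChild("body");
    Node* blockquote = t.body->appendChild("blockquote");
    Node* p = blockquote->appendChild("p");
    t.text = p->appendChild("#text");
    t.detached = std::make_unique<Node>("div");
    return t;
}

// Number of nodes the checked walk collects from the text node up to (but
// excluding) the target, or -1 when the target was not an ancestor.
int checkedWalkResult(bool targetIsAncestor) {
    SampleTree t = makeSampleTree();
    Node* target = targetIsAncestor ? t.body : t.detached.get();
    std::vector<Node*> chain;
    if (!ancestorsUpToChecked(t.text, target, chain))
        return -1;
    return static_cast<int>(chain.size());
}

// Same walk with the unchecked variant; safe only because body is an ancestor.
int uncheckedWalkResultWhenAncestorExists() {
    SampleTree t = makeSampleTree();
    return static_cast<int>(ancestorsUpToUnchecked(t.text, t.body).size());
}

int main() {
    std::printf("checked, target is ancestor:   %d nodes\n", checkedWalkResult(true));
    std::printf("checked, target not ancestor:  %d (walk stopped at top of tree)\n", checkedWalkResult(false));
    std::printf("unchecked, target is ancestor: %d nodes\n", uncheckedWalkResultWhenAncestorExists());
    return 0;
}
```

The point of the checked variant is the boolean result: a caller that ignores it and proceeds would still operate on an incomplete chain, so the guard only helps if the caller actually bails out when the expected ancestor is missing.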
Comment 1 Radar WebKit Bug Importer 2020-10-23 11:51:52 PDT
<rdar://problem/70628729>
Comment 2 Julian Gonzalez 2020-10-23 12:28:42 PDT
Created attachment 412205 [details]
Patch
Comment 3 Julian Gonzalez 2020-10-26 13:21:06 PDT
Created attachment 412348 [details]
Patch
Comment 4 Ryosuke Niwa 2020-10-26 20:36:12 PDT
Created attachment 412383 [details]
Reduced test case
Comment 5 Julian Gonzalez 2020-10-27 15:10:48 PDT
Thanks for the new test case! I will incorporate it into my patch - it should hopefully eliminate the test failure I see here (which I cannot reproduce locally).
Comment 6 Julian Gonzalez 2020-10-27 15:49:15 PDT
Created attachment 412471 [details]
Patch
Comment 7 EWS 2020-10-28 22:26:14 PDT
Committed r269137: <https://trac.webkit.org/changeset/269137>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 412471 [details].
Comment 8 Ryosuke Niwa 2020-10-28 22:33:06 PDT
There is no security implication here.