Bug 248698

Summary: ASSERTION FAILED: positionOffset <= node->length()
Product: WebKit Reporter: Ahmad Saleem <ahmad.saleem792>
Component: HTML EditingAssignee: Ryosuke Niwa <rniwa>
Status: NEW ---    
Severity: Normal CC: bfulgham, rniwa, webkit-bug-importer, wenson_hsieh
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Test case none

Description Ahmad Saleem 2022-12-02 17:25:27 PST 
Hi Team,

I am not sure whether we have any security implication because of this or not but in Blink, it was deemed as security and had even reward associated with it.

So I am raising it as Security as well here, if it is not an issue, please ignore:

Blink Commit - https://src.chromium.org/viewvc/blink?view=revision&revision=189274

Webkit GitHub Source - https://github.com/WebKit/WebKit/blob/6d72ef261e4ac4407332fa74197a5c58a554904c/Source/WebCore/editing/FrameSelection.cpp#L677

Chrome Bug - https://bugs.chromium.org/p/chromium/issues/detail?id=383777

Appreciate if someone can have a look and if needed then do due process to fix this.

Thanks!
Comment 1 Radar WebKit Bug Importer 2022-12-02 17:25:39 PST 
<rdar://problem/102924216>
Comment 2 Ryosuke Niwa 2022-12-06 23:02:36 PST 
I'm pretty sure this isn't a real security bug as noted in this comment:
https://bugs.chromium.org/p/chromium/issues/detail?id=383777#c67
Comment 3 Ryosuke Niwa 2022-12-06 23:04:17 PST 
Created attachment 463914 [details]
Test case
Comment 4 Ryosuke Niwa 2022-12-06 23:05:27 PST 
Hm... we're hitting this assertion in TextIterator.cpp:
ASSERT(targetLocation - location <= downcast<Text>(textRunRange.start.container.get()).length());

So this could be arbitrary read gadget.
Comment 5 Ryosuke Niwa 2022-12-06 23:39:34 PST 
No ASAN failures, however.
Comment 6 Ryosuke Niwa 2022-12-07 00:40:12 PST 
I'm pretty sure this is just an assertion failure.
Comment 7 Ryosuke Niwa 2022-12-07 00:50:03 PST 
Pull request: https://github.com/WebKit/WebKit/pull/7251