Bug 249862

Summary: VisibleSelection::nonBoundaryShadowTreeRootNode should return null when its anchor is a shadow root
Product: WebKit
Reporter: Ahmad Saleem <ahmad.saleem792>
Component: DOM
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, cdumez, rniwa, webkit-bug-importer, wenson_hsieh
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Description Ahmad Saleem 2022-12-24 02:50:09 PST
Hi Team,

Just going through Blink, I came across another heap-use-after-free bug which is not fixed in WebKit, although it was fixed in Chrome / Blink.

I don't know whether it is applicable to WebKit or not, or whether we have other fixes which render it useless, but I just wanted to raise it behind the curtain to get input. I have already messaged rniwa on Slack to get his input.

Blink Commit - https://src.chromium.org/viewvc/blink?view=revision&revision=188788

WebKit Source - https://github.com/WebKit/WebKit/blob/8174a9300cd8edff3c4fc20f5c8d62cd4fa927a9/Source/WebCore/editing/VisibleSelection.cpp#L687

Just wanted to raise it so WebKit can be more awesome.

Thanks!
Comment 1 Radar WebKit Bug Importer 2022-12-24 02:50:20 PST
<rdar://problem/103683388>
Comment 2 Ryosuke Niwa 2023-01-05 01:57:43 PST
We've mitigated this in some other way.
Comment 3 Chris Dumez 2023-08-01 09:42:04 PDT
Even though we don't have a security bug here, the Blink test case still hits an assertion in our code in debug builds, and our selection behavior differs from Chrome and Firefox. We probably still want to cherry-pick the fix.
Comment 4 Chris Dumez 2023-08-01 09:47:25 PDT
Pull request: https://github.com/WebKit/WebKit/pull/16274
Comment 5 EWS 2023-08-01 21:21:17 PDT
Committed 266505@main (786e20b52145): <https://commits.webkit.org/266505@main>

Reviewed commits have been landed. Closing PR #16274 and removing active labels.