Bug 218132 - Null dereference in CompositeEditCommand::cloneParagraphUnderNewElement() due to not checking for top of DOM tree
Summary: Null dereference in CompositeEditCommand::cloneParagraphUnderNewElement() due...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-10-23 11:51 PDT by Julian Gonzalez
Modified: 2020-10-28 22:33 PDT (History)
6 users (show)

See Also:

Attachments
Patch (2.50 KB, patch)
2020-10-23 12:28 PDT, Julian Gonzalez 		no flags Details | Formatted Diff | Diff
Patch (6.07 KB, patch)
2020-10-26 13:21 PDT, Julian Gonzalez 		no flags Details | Formatted Diff | Diff
Reduced test case (598 bytes, text/html)
2020-10-26 20:36 PDT, Ryosuke Niwa 		no flags Details
Patch (4.89 KB, patch)
2020-10-27 15:49 PDT, Julian Gonzalez 		no flags Details | Formatted Diff | Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Julian Gonzalez 2020-10-23 11:51:38 PDT 
e.g.

    #0 0x2d60df731 in WebCore::Node::parentNode() const+0x21
    #1 0x2da279932 in WebCore::CompositeEditCommand::cloneParagraphUnderNewElement(WebCore::Position const&, WebCore::Position const&, WebCore::Node*, WebCore::Element*)+0x882
    #2 0x2da27a567 in WebCore::CompositeEditCommand::moveParagraphWithClones(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, WebCore::Element*, WebCore::Node*)+0x327
    #3 0x2da309ced in WebCore::IndentOutdentCommand::indentIntoBlockquote(WebCore::Position const&, WebCore::Position const&, WTF::RefPtr<WebCore::Element, WTF::DumbPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element> >&)+0x53d
    #4 0x2da30b75c in WebCore::IndentOutdentCommand::formatRange(WebCore::Position const&, WebCore::Position const&, WebCore::Position const&, WTF::RefPtr<WebCore::Element, WTF::DumbPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element> >&)+0x3c
    #5 0x2da256c41 in WebCore::ApplyBlockElementCommand::formatSelection(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&)+0xca1
    #6 0x2da30b706 in WebCore::IndentOutdentCommand::formatSelection(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&)+0x36
    #7 0x2da255a99 in WebCore::ApplyBlockElementCommand::doApply()+0x459
    #8 0x2da2545c6 in WebCore::CompositeEditCommand::apply()+0x216
    #9 0x2da313828 in WebCore::executeIndent(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&)+0xc8
    #10 0x2da2d8d9b in WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const+0xdb
    #11 0x2d9f61aa3 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)+0xf3
    #12 0x2d7480189 in WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)+0x469
    #13 0x2d732884b in long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)+0xfb
    #14 0x2d7328748 in WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*)+0x8

<rdar://problem/66894117> Null Ptr Deref @ WebCore::Node::parentNode const+0
Comment 1 Radar WebKit Bug Importer 2020-10-23 11:51:52 PDT 
<rdar://problem/70628729>
Comment 2 Julian Gonzalez 2020-10-23 12:28:42 PDT 
Created attachment 412205 [details]
Patch
Comment 3 Julian Gonzalez 2020-10-26 13:21:06 PDT 
Created attachment 412348 [details]
Patch
Comment 4 Ryosuke Niwa 2020-10-26 20:36:12 PDT 
Created attachment 412383 [details]
Reduced test case
Comment 5 Julian Gonzalez 2020-10-27 15:10:48 PDT 
Thanks for the new test case! I will incorporate it into my patch - it should hopefully eliminate the test failure I see here (which I cannot reproduce locally).
Comment 6 Julian Gonzalez 2020-10-27 15:49:15 PDT 
Created attachment 412471 [details]
Patch
Comment 7 EWS 2020-10-28 22:26:14 PDT 
Committed r269137: <https://trac.webkit.org/changeset/269137>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 412471 [details].
Comment 8 Ryosuke Niwa 2020-10-28 22:33:06 PDT 
There is no security implication here.