Hi Team, I am not sure whether there is any security implication because of this or not, but in Blink it was deemed a security issue and even had a reward associated with it. So I am raising it as Security here as well; if it is not an issue, please ignore. Blink Commit - https://src.chromium.org/viewvc/blink?view=revision&revision=189274 Webkit GitHub Source - https://github.com/WebKit/WebKit/blob/6d72ef261e4ac4407332fa74197a5c58a554904c/Source/WebCore/editing/FrameSelection.cpp#L677 Chrome Bug - https://bugs.chromium.org/p/chromium/issues/detail?id=383777 I would appreciate it if someone could have a look and, if needed, follow the due process to fix this. Thanks!
<rdar://problem/102924216>
I'm pretty sure this isn't a real security bug as noted in this comment: https://bugs.chromium.org/p/chromium/issues/detail?id=383777#c67
Created attachment 463914: Test case
Hm... we're hitting this assertion in TextIterator.cpp: ASSERT(targetLocation - location <= downcast<Text>(textRunRange.start.container.get()).length()); So this could be an arbitrary read gadget.
No ASAN failures, however.
I'm pretty sure this is just an assertion failure.
Pull request: https://github.com/WebKit/WebKit/pull/7251