Hi Team, Just going through Blink, I came across another Heap-use-after-free bug, which is not fixed while it was fixed in Chrome / Blink. I don't know whether it is applicable for WebKit or not or we have other fixes, which render it useless but I just wanted to raise it behind curtain to get input. I have already messaged rniwa on Slack to get his input. Blink Commit - https://src.chromium.org/viewvc/blink?view=revision&revision=188788 WebKit Source - https://github.com/WebKit/WebKit/blob/8174a9300cd8edff3c4fc20f5c8d62cd4fa927a9/Source/WebCore/editing/VisibleSelection.cpp#L687 Just wanted to raise it so WebKit can be more awesome. Thanks!
<rdar://problem/103683388>
We've mitigated this in some other way.
Even though we don't have a security bug here. The Blink test case still hits an assertion in our code in debug and our selection behavior differs from Chrome and Firefox. We probably still want to cherry-pick the fix.
Pull request: https://github.com/WebKit/WebKit/pull/16274
Committed 266505@main (786e20b52145): <https://commits.webkit.org/266505@main> Reviewed commits have been landed. Closing PR #16274 and removing active labels.