Changeset 288308 in webkit

Timestamp:

Jan 20, 2022 11:08:25 AM (2 years ago)

Author:

Adrian Perez de Castro

Message:

Merge r288052 - null ptr deref in WebCore::ReplaceSelectionCommand::moveNodeOutOfAncestor()
​https://bugs.webkit.org/show_bug.cgi?id=233463

Patch by Frederic Wang <​fwang@igalia.com> on 2022-01-14
Reviewed by Wenson Hsieh.

Source/WebCore:

One line of ReplaceSelectionCommand::moveNodeOutOfAncestor() assumes that the pointer
ancestor.parentNode() is non-null. However, the call to removeNode(node) just before can
lead to arbitrary tree mutations that leaves the ancestor orphan, causing a nullptr deref.
This patch mitigates that issue by exiting early if that situation happens.

• editing/ReplaceSelectionCommand.cpp:

(WebCore::ReplaceSelectionCommand::moveNodeOutOfAncestor): Exit early if the ancestor
is no longer connected.

LayoutTests:

Add non-regression test.

• editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash-expected.txt: Added.
• editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash.html: Added.
• editing/execCommand/resources/paste-as-quotation-disconnected-paragraph-ancestor-crash-iframe.html: Added.
• platform/win/TestExpectations: Skip test on windows, as the test seems to shift expectations with text output

of other execCommand tests.

Location:

releases/WebKitGTK/webkit-2.34

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash-expected.txt (added)
• LayoutTests/editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash.html (added)
• LayoutTests/editing/execCommand/resources/paste-as-quotation-disconnected-paragraph-ancestor-crash-iframe.html (added)
• LayoutTests/platform/win/TestExpectations (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/editing/ReplaceSelectionCommand.cpp (modified) (1 diff)

releases/WebKitGTK/webkit-2.34/LayoutTests/ChangeLog

@@ +1 @@
+2022-01-14  Frederic Wang  <fwang@igalia.com>
+
+        null ptr deref in WebCore::ReplaceSelectionCommand::moveNodeOutOfAncestor()
+        https://bugs.webkit.org/show_bug.cgi?id=233463
+
+        Reviewed by Wenson Hsieh.
+
+        Add non-regression test.
+
+        * editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash-expected.txt: Added.
+        * editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash.html: Added.
+        * editing/execCommand/resources/paste-as-quotation-disconnected-paragraph-ancestor-crash-iframe.html: Added.
+        * platform/win/TestExpectations: Skip test on windows, as the test seems to shift expectations with text output
+        of other execCommand tests.
+
 2022-01-10  Alan Bujtas  <zalan@apple.com>
 

releases/WebKitGTK/webkit-2.34/LayoutTests/platform/win/TestExpectations

@@ -316 +316 @@
 fast/overflow/scrollbar-restored-and-then-locked.html [ Skip ]
 
+editing/execCommand/paste-as-quotation-disconnected-paragraph-ancestor-crash.html [ Skip ]
 storage/indexeddb/clone-exception.html [ Timeout ]
 storage/indexeddb/database-odd-names.html [ Timeout Failure ]

releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog

@@ +1 @@
+2022-01-14  Frederic Wang  <fwang@igalia.com>
+
+        null ptr deref in WebCore::ReplaceSelectionCommand::moveNodeOutOfAncestor()
+        https://bugs.webkit.org/show_bug.cgi?id=233463
+
+        Reviewed by Wenson Hsieh.
+
+        One line of ReplaceSelectionCommand::moveNodeOutOfAncestor() assumes that the pointer
+        ancestor.parentNode() is non-null. However, the call to removeNode(node) just before can
+        lead to arbitrary tree mutations that leaves the ancestor orphan, causing a nullptr deref.
+        This patch mitigates that issue by exiting early if that situation happens.
+
+        * editing/ReplaceSelectionCommand.cpp:
+        (WebCore::ReplaceSelectionCommand::moveNodeOutOfAncestor): Exit early if the ancestor
+        is no longer connected.
+
 2022-01-10  Alan Bujtas  <zalan@apple.com>
 

releases/WebKitGTK/webkit-2.34/Source/WebCore/editing/ReplaceSelectionCommand.cpp

@@ -831 +831 @@
     if (positionAtEndOfNode == lastPositionInParagraph) {
         removeNode(node);
+        if (!ancestor.isConnected())
+            return;
         if (ancestor.nextSibling())
             insertNodeBefore(WTFMove(protectedNode), *ancestor.nextSibling());