Changeset 273302 in webkit

Timestamp:

Feb 23, 2021 4:28:20 AM (3 years ago)

Author:

commit-queue@webkit.org

Message:

Nullptr crash in ModifySelectionListLevelCommand::appendSiblingNodeRange
​https://bugs.webkit.org/show_bug.cgi?id=221650

Patch by Frederic Wang <​fwang@igalia.com> on 2021-02-23
Reviewed by Ryosuke Niwa.

Source/WebCore:

getStartEndListChildren relies on the render tree to move the "end" node to the next sibling,
but this does not necessarily correspond to a sibling of the "start" node in the DOM tree.
This breaks the assumption of ModifySelectionListLevelCommand::appendSiblingNodeRange that
the "start" and "end" nodes are siblings (in that order), causing a null-pointer dereference.
This patch fixes the issue by ensuring that getStartEndListChildren does not try to change
the "end" node if it is not a sibling of the "start" one.

Test: fast/editing/modify-selection-list-level-crash.html

• editing/ModifySelectionListLevel.cpp:

(WebCore::getStartEndListChildren): Don't change the end node if r->node() is a sibling of
startChildList.

LayoutTests:

• fast/editing/modify-selection-list-level-crash-expected.txt: Added.
• fast/editing/modify-selection-list-level-crash.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/editing/modify-selection-list-level-crash-expected.txt (added)
• LayoutTests/fast/editing/modify-selection-list-level-crash.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/editing/ModifySelectionListLevel.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2021-02-23  Frederic Wang  <fwang@igalia.com>
+
+        Nullptr crash in ModifySelectionListLevelCommand::appendSiblingNodeRange
+        https://bugs.webkit.org/show_bug.cgi?id=221650
+
+        Reviewed by Ryosuke Niwa.
+
+        * fast/editing/modify-selection-list-level-crash-expected.txt: Added.
+        * fast/editing/modify-selection-list-level-crash.html: Added.
+
 2021-02-23  Kimmo Kinnunen  <kkinnunen@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2021-02-23  Frederic Wang  <fwang@igalia.com>
+
+        Nullptr crash in ModifySelectionListLevelCommand::appendSiblingNodeRange
+        https://bugs.webkit.org/show_bug.cgi?id=221650
+
+        Reviewed by Ryosuke Niwa.
+
+        getStartEndListChildren relies on the render tree to move the "end" node to the next sibling,
+        but this does not necessarily correspond to a sibling of the "start" node in the DOM tree.
+        This breaks the assumption of ModifySelectionListLevelCommand::appendSiblingNodeRange that
+        the "start" and "end" nodes are siblings (in that order), causing a null-pointer dereference.
+        This patch fixes the issue by ensuring that getStartEndListChildren does not try to change
+        the "end" node if it is not a sibling of the "start" one.
+
+        Test: fast/editing/modify-selection-list-level-crash.html
+
+        * editing/ModifySelectionListLevel.cpp:
+        (WebCore::getStartEndListChildren): Don't change the end node if r->node() is a sibling of
+        startChildList.
+
 2021-02-23  Ryosuke Niwa  <rniwa@webkit.org>
 

trunk/Source/WebCore/editing/ModifySelectionListLevel.cpp

@@ -81 +81 @@
     if (endListChild->renderer()->isListItem()) {
         RenderObject* r = endListChild->renderer()->nextSibling();
-        if (r && isListHTMLElement(r->node()))
+        if (r && isListHTMLElement(r->node()) && r->node()->parentNode() == startListChild->parentNode())
             endListChild = r->node();
     }