178189 2017-10-11 15:39:06 -0700 Correct nullptr deref in selection handling 2017-10-11 20:01:22 -0700 1 1 1 Unclassified WebKit HTML Editing WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 bfulgham bfulgham bfulgham cdumez rniwa wenson_hsieh oldest_to_newest 1359418 0 bfulgham 2017-10-11 15:39:06 -0700 The 'Selection::toNormalizedRange()' returns nullptr for various conditions, specifically for a 'None' selection, but also for an "Orphaned" range. We should make sure we check that 'toNormalizedRange' returns a non-null pointer before using it. 1359435 1 bfulgham 2017-10-11 16:12:49 -0700 <rdar://problem/33833012> 1359436 2 323480 bfulgham 2017-10-11 16:13:40 -0700 Created attachment 323480 Patch 1359509 3 323480 rniwa 2017-10-11 19:03:02 -0700 Comment on attachment 323480 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=323480&action=review > Source/WebCore/page/DOMSelection.cpp:397 > + auto visibleSelection = selection.selection(); > + if (visibleSelection.isNoneOrOrphaned()) > + return false; There's no reason to check this condition if we're checking null-ty of toNormalizedRange. Please remove it. 1359522 4 bfulgham 2017-10-11 20:01:22 -0700 Committed r223228: <https://trac.webkit.org/changeset/223228> 323480 2017-10-11 16:13:40 -0700 2017-10-11 19:03:02 -0700 Patch bug-178189-20171011161339.patch text/plain 6431 bfulgham SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDIyMzIxMSkKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDMxIEBACisyMDE3LTEwLTExICBCcmVudCBG dWxnaGFtICA8YmZ1bGdoYW1AYXBwbGUuY29tPgorCisgICAgICAgIENvcnJlY3QgbnVsbHB0ciBk ZXJlZiBpbiBzZWxlY3Rpb24gaGFuZGxpbmcuCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQu b3JnL3Nob3dfYnVnLmNnaT9pZD0xNzgxODkKKyAgICAgICAgPHJkYXI6Ly9wcm9ibGVtLzMzODMz MDEyPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIFRo ZSBWaXNpYmxlU2VsZWN0aW9uOjp0b05vcm1hbGl6ZWRSYW5nZSByZXR1cm5zIG51bGxwdHIgZm9y IGNlcnRhaW4gY29uZGl0aW9ucyAoZS5nLiwgJ2lzTm9uZScKKyAgICAgICAgYW5kICdpc09ycGhh bmVkJyBjYXNlcykuIEl0J3MgcG9zc2libGUgdG8gY3Jhc2ggdGhlIFdlYlByb2Nlc3MgYnkgZXhl Y3V0aW5nIGEgY29kZSBwYXRoIHdpdGgKKyAgICAgICAgYW4gb3JwaGFuZWQgc2VsZWN0aW9uIHJh bmdlLgorCisgICAgICAgIFRoZSByZXR1cm4gdmFsdWUgb2YgJ3RvTm9ybWFsaXplZFJhbmdlJyBp cyBjaGVja2VkIGZvciBudWxscHRyIGluIG1hbnkgcGxhY2VzLCBidXQgbm90IGV2ZXJ5d2hlcmUu CisgICAgICAgIFRoaXMgcGF0Y2ggYWRkcyB0aG9zZSBtaXNzaW5nIG51bGxwdHIgY2hlY2tzLgor CisgICAgICAgICogYWNjZXNzaWJpbGl0eS9pb3MvV2ViQWNjZXNzaWJpbGl0eU9iamVjdFdyYXBw ZXJJT1MubW06CisgICAgICAgICgtW1dlYkFjY2Vzc2liaWxpdHlPYmplY3RXcmFwcGVyIHRleHRN YXJrZXJSYW5nZUZvclNlbGVjdGlvbl0pOgorICAgICAgICAqIGVkaXRpbmcvRGVsZXRlU2VsZWN0 aW9uQ29tbWFuZC5jcHA6CisgICAgICAgIChXZWJDb3JlOjpEZWxldGVTZWxlY3Rpb25Db21tYW5k OjptYWtlU3R5bGluZ0VsZW1lbnRzRGlyZWN0Q2hpbGRyZW5PZkVkaXRhYmxlUm9vdFRvUHJldmVu dFN0eWxlTG9zcyk6CisgICAgICAgICogZWRpdGluZy9FZGl0aW5nU3R5bGUuY3BwOgorICAgICAg ICAoV2ViQ29yZTo6RWRpdGluZ1N0eWxlOjpzdHlsZUF0U2VsZWN0aW9uU3RhcnQpOgorICAgICAg ICAqIGVkaXRpbmcvRWRpdG9yLmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OkVkaXRvcjo6bWlzc3Bl bGxlZFdvcmRBdENhcmV0T3JSYW5nZSBjb25zdCk6CisgICAgICAgICogcGFnZS9ET01TZWxlY3Rp b24uY3BwOgorICAgICAgICAoV2ViQ29yZTo6RE9NU2VsZWN0aW9uOjpjb250YWluc05vZGUgY29u c3QpOgorICAgICAgICAqIHBhZ2UvRHJhZ0NvbnRyb2xsZXIuY3BwOgorICAgICAgICAoV2ViQ29y ZTo6RHJhZ0NvbnRyb2xsZXI6OmNvbmNsdWRlRWRpdERyYWcpOgorCiAyMDE3LTEwLTExICBDaHJp cyBEdW1leiAgPGNkdW1lekBhcHBsZS5jb20+CiAKICAgICAgICAgW0dlb2xvY2F0aW9uXSBFeHBv c2UgQ29vcmRpbmF0ZXMuZmxvb3JMZXZlbApJbmRleDogU291cmNlL1dlYkNvcmUvYWNjZXNzaWJp bGl0eS9pb3MvV2ViQWNjZXNzaWJpbGl0eU9iamVjdFdyYXBwZXJJT1MubW0KPT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQot LS0gU291cmNlL1dlYkNvcmUvYWNjZXNzaWJpbGl0eS9pb3MvV2ViQWNjZXNzaWJpbGl0eU9iamVj dFdyYXBwZXJJT1MubW0JKHJldmlzaW9uIDIyMzIxMCkKKysrIFNvdXJjZS9XZWJDb3JlL2FjY2Vz c2liaWxpdHkvaW9zL1dlYkFjY2Vzc2liaWxpdHlPYmplY3RXcmFwcGVySU9TLm1tCSh3b3JraW5n IGNvcHkpCkBAIC0yNDQ5LDYgKzI0NDksOSBAQCAtIChOU0FycmF5ICopdGV4dE1hcmtlclJhbmdl Rm9yU2VsZWN0aW9uCiAgICAgICAgIHJldHVybiBuaWw7CiAgICAgCiAgICAgUmVmUHRyPFJhbmdl PiByYW5nZSA9IHNlbGVjdGlvbi50b05vcm1hbGl6ZWRSYW5nZSgpOworICAgIGlmICghcmFuZ2Up CisgICAgICAgIHJldHVybiBuaWw7CisKICAgICBDaGFyYWN0ZXJPZmZzZXQgc3RhcnQgPSBjYWNo ZS0+c3RhcnRPckVuZENoYXJhY3Rlck9mZnNldEZvclJhbmdlKHJhbmdlLCB0cnVlKTsKICAgICBD aGFyYWN0ZXJPZmZzZXQgZW5kID0gY2FjaGUtPnN0YXJ0T3JFbmRDaGFyYWN0ZXJPZmZzZXRGb3JS YW5nZShyYW5nZSwgZmFsc2UpOwogCkluZGV4OiBTb3VyY2UvV2ViQ29yZS9lZGl0aW5nL0RlbGV0 ZVNlbGVjdGlvbkNvbW1hbmQuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9XZWJDb3JlL2VkaXRp bmcvRGVsZXRlU2VsZWN0aW9uQ29tbWFuZC5jcHAJKHJldmlzaW9uIDIyMzIxMCkKKysrIFNvdXJj ZS9XZWJDb3JlL2VkaXRpbmcvRGVsZXRlU2VsZWN0aW9uQ29tbWFuZC5jcHAJKHdvcmtpbmcgY29w eSkKQEAgLTQ2MSw3ICs0NjEsNyBAQCB2b2lkIERlbGV0ZVNlbGVjdGlvbkNvbW1hbmQ6OmRlbGV0 ZVRleHRGCiB2b2lkIERlbGV0ZVNlbGVjdGlvbkNvbW1hbmQ6Om1ha2VTdHlsaW5nRWxlbWVudHNE aXJlY3RDaGlsZHJlbk9mRWRpdGFibGVSb290VG9QcmV2ZW50U3R5bGVMb3NzKCkKIHsKICAgICBS ZWZQdHI8UmFuZ2U+IHJhbmdlID0gbV9zZWxlY3Rpb25Ub0RlbGV0ZS50b05vcm1hbGl6ZWRSYW5n ZSgpOwotICAgIFJlZlB0cjxOb2RlPiBub2RlID0gcmFuZ2UtPmZpcnN0Tm9kZSgpOworICAgIFJl ZlB0cjxOb2RlPiBub2RlID0gcmFuZ2UgPyByYW5nZS0+Zmlyc3ROb2RlKCkgOiBudWxscHRyOwog ICAgIHdoaWxlIChub2RlICYmIG5vZGUgIT0gcmFuZ2UtPnBhc3RMYXN0Tm9kZSgpKSB7CiAgICAg ICAgIFJlZlB0cjxOb2RlPiBuZXh0Tm9kZSA9IE5vZGVUcmF2ZXJzYWw6Om5leHQoKm5vZGUpOwog ICAgICAgICBpZiAoKGlzPEhUTUxTdHlsZUVsZW1lbnQ+KCpub2RlKSAmJiAhZG93bmNhc3Q8SFRN TFN0eWxlRWxlbWVudD4oKm5vZGUpLmhhc0F0dHJpYnV0ZVdpdGhvdXRTeW5jaHJvbml6YXRpb24o c2NvcGVkQXR0cikpIHx8IGlzPEhUTUxMaW5rRWxlbWVudD4oKm5vZGUpKSB7CkluZGV4OiBTb3Vy Y2UvV2ViQ29yZS9lZGl0aW5nL0VkaXRpbmdTdHlsZS5jcHAKPT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNl L1dlYkNvcmUvZWRpdGluZy9FZGl0aW5nU3R5bGUuY3BwCShyZXZpc2lvbiAyMjMyMTApCisrKyBT b3VyY2UvV2ViQ29yZS9lZGl0aW5nL0VkaXRpbmdTdHlsZS5jcHAJKHdvcmtpbmcgY29weSkKQEAg LTE0NDUsOSArMTQ0NSwxMCBAQCBSZWZQdHI8RWRpdGluZ1N0eWxlPiBFZGl0aW5nU3R5bGU6OnN0 eWxlCiAgICAgLy8gQWxzbywgaWYgdGhlIHNlbGVjdGlvbiBpcyBhIHJhbmdlLCBpZ25vcmUgdGhl IGJhY2tncm91bmQgY29sb3IgYXQgdGhlIHN0YXJ0IG9mIHNlbGVjdGlvbiwKICAgICAvLyBhbmQg ZmluZCB0aGUgYmFja2dyb3VuZCBjb2xvciBvZiB0aGUgY29tbW9uIGFuY2VzdG9yLgogICAgIGlm IChzaG91bGRVc2VCYWNrZ3JvdW5kQ29sb3JJbkVmZmVjdCAmJiAoc2VsZWN0aW9uLmlzUmFuZ2Uo KSB8fCBoYXNUcmFuc3BhcmVudEJhY2tncm91bmRDb2xvcihzdHlsZS0+bV9tdXRhYmxlU3R5bGUu Z2V0KCkpKSkgewotICAgICAgICBSZWZQdHI8UmFuZ2U+IHJhbmdlKHNlbGVjdGlvbi50b05vcm1h bGl6ZWRSYW5nZSgpKTsKLSAgICAgICAgaWYgKGF1dG8gdmFsdWUgPSBiYWNrZ3JvdW5kQ29sb3JJ bkVmZmVjdChyYW5nZS0+Y29tbW9uQW5jZXN0b3JDb250YWluZXIoKSkpCi0gICAgICAgICAgICBz dHlsZS0+c2V0UHJvcGVydHkoQ1NTUHJvcGVydHlCYWNrZ3JvdW5kQ29sb3IsIHZhbHVlLT5jc3NU ZXh0KCkpOworICAgICAgICBpZiAoYXV0byByYW5nZSA9IHNlbGVjdGlvbi50b05vcm1hbGl6ZWRS YW5nZSgpKSB7CisgICAgICAgICAgICBpZiAoYXV0byB2YWx1ZSA9IGJhY2tncm91bmRDb2xvcklu RWZmZWN0KHJhbmdlLT5jb21tb25BbmNlc3RvckNvbnRhaW5lcigpKSkKKyAgICAgICAgICAgICAg ICBzdHlsZS0+c2V0UHJvcGVydHkoQ1NTUHJvcGVydHlCYWNrZ3JvdW5kQ29sb3IsIHZhbHVlLT5j c3NUZXh0KCkpOworICAgICAgICB9CiAgICAgfQogCiAgICAgcmV0dXJuIFdURk1vdmUoc3R5bGUp OwpJbmRleDogU291cmNlL1dlYkNvcmUvZWRpdGluZy9FZGl0b3IuY3BwCj09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0t IFNvdXJjZS9XZWJDb3JlL2VkaXRpbmcvRWRpdG9yLmNwcAkocmV2aXNpb24gMjIzMjEwKQorKysg U291cmNlL1dlYkNvcmUvZWRpdGluZy9FZGl0b3IuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC0yMTgw LDYgKzIxODAsOCBAQCBTdHJpbmcgRWRpdG9yOjptaXNzcGVsbGVkV29yZEF0Q2FyZXRPclJhCiAg ICAgVmlzaWJsZVNlbGVjdGlvbiB3b3JkU2VsZWN0aW9uKHNlbGVjdGlvbi5iYXNlKCkpOwogICAg IHdvcmRTZWxlY3Rpb24uZXhwYW5kVXNpbmdHcmFudWxhcml0eShXb3JkR3JhbnVsYXJpdHkpOwog ICAgIFJlZlB0cjxSYW5nZT4gd29yZFJhbmdlID0gd29yZFNlbGVjdGlvbi50b05vcm1hbGl6ZWRS YW5nZSgpOworICAgIGlmICghd29yZFJhbmdlKQorICAgICAgICByZXR1cm4gU3RyaW5nKCk7CiAK ICAgICAvLyBJbiBjb21wbGlhbmNlIHdpdGggR1RLKyBhcHBsaWNhdGlvbnMsIGFkZGl0aW9uYWxs eSBhbGxvdyB0byBwcm92aWRlIHN1Z2dlc3Rpb25zIHdoZW4gdGhlIGN1cnJlbnQKICAgICAvLyBz ZWxlY3Rpb24gZXhhY3RseSBtYXRjaCB0aGUgd29yZCBzZWxlY3Rpb24uCkluZGV4OiBTb3VyY2Uv V2ViQ29yZS9wYWdlL0RPTVNlbGVjdGlvbi5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL1dlYkNv cmUvcGFnZS9ET01TZWxlY3Rpb24uY3BwCShyZXZpc2lvbiAyMjMyMTApCisrKyBTb3VyY2UvV2Vi Q29yZS9wYWdlL0RPTVNlbGVjdGlvbi5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTM5Miw3ICszOTIs MTMgQEAgYm9vbCBET01TZWxlY3Rpb246OmNvbnRhaW5zTm9kZShOb2RlJiBubwogICAgICAgICBy ZXR1cm4gZmFsc2U7CiAKICAgICBSZWY8Tm9kZT4gcHJvdGVjdGVkTm9kZShub2RlKTsKLSAgICBh dXRvIHNlbGVjdGVkUmFuZ2UgPSBzZWxlY3Rpb24uc2VsZWN0aW9uKCkudG9Ob3JtYWxpemVkUmFu Z2UoKTsKKyAgICBhdXRvIHZpc2libGVTZWxlY3Rpb24gPSBzZWxlY3Rpb24uc2VsZWN0aW9uKCk7 CisgICAgaWYgKHZpc2libGVTZWxlY3Rpb24uaXNOb25lT3JPcnBoYW5lZCgpKQorICAgICAgICBy ZXR1cm4gZmFsc2U7CisKKyAgICBhdXRvIHNlbGVjdGVkUmFuZ2UgPSB2aXNpYmxlU2VsZWN0aW9u LnRvTm9ybWFsaXplZFJhbmdlKCk7CisgICAgaWYgKCFzZWxlY3RlZFJhbmdlKQorICAgICAgICBy ZXR1cm4gZmFsc2U7CiAKICAgICBDb250YWluZXJOb2RlKiBwYXJlbnROb2RlID0gbm9kZS5wYXJl bnROb2RlKCk7CiAgICAgaWYgKCFwYXJlbnROb2RlIHx8ICFwYXJlbnROb2RlLT5pc0Nvbm5lY3Rl ZCgpKQpJbmRleDogU291cmNlL1dlYkNvcmUvcGFnZS9EcmFnQ29udHJvbGxlci5jcHAKPT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PQotLS0gU291cmNlL1dlYkNvcmUvcGFnZS9EcmFnQ29udHJvbGxlci5jcHAJKHJldmlzaW9u IDIyMzIxMCkKKysrIFNvdXJjZS9XZWJDb3JlL3BhZ2UvRHJhZ0NvbnRyb2xsZXIuY3BwCSh3b3Jr aW5nIGNvcHkpCkBAIC01MzYsNiArNTM2LDggQEAgYm9vbCBEcmFnQ29udHJvbGxlcjo6Y29uY2x1 ZGVFZGl0RHJhZyhjbwogICAgICAgICBpZiAoIWNvbG9yLmlzVmFsaWQoKSkKICAgICAgICAgICAg IHJldHVybiBmYWxzZTsKICAgICAgICAgUmVmUHRyPFJhbmdlPiBpbm5lclJhbmdlID0gaW5uZXJG cmFtZS0+c2VsZWN0aW9uKCkudG9Ob3JtYWxpemVkUmFuZ2UoKTsKKyAgICAgICAgaWYgKCFpbm5l clJhbmdlKQorICAgICAgICAgICAgcmV0dXJuIGZhbHNlOwogICAgICAgICBSZWZQdHI8TXV0YWJs ZVN0eWxlUHJvcGVydGllcz4gc3R5bGUgPSBNdXRhYmxlU3R5bGVQcm9wZXJ0aWVzOjpjcmVhdGUo KTsKICAgICAgICAgc3R5bGUtPnNldFByb3BlcnR5KENTU1Byb3BlcnR5Q29sb3IsIGNvbG9yLnNl cmlhbGl6ZWQoKSwgZmFsc2UpOwogICAgICAgICBpZiAoIWlubmVyRnJhbWUtPmVkaXRvcigpLnNo b3VsZEFwcGx5U3R5bGUoc3R5bGUuZ2V0KCksIGlubmVyUmFuZ2UuZ2V0KCkpKQo=