211658 2020-05-08 20:25:00 -0700 Nullptr crash in LegacyWebArchive::createPropertyListRepresentation when copying selected range that contains surrogate characters 2020-05-13 17:15:09 -0700 1 1 1 Unclassified WebKit HTML Editing WebKit Nightly Build All All RESOLVED FIXED InRadar P2 Normal --- 1 shihchieh_lee webkit-unassigned bfulgham ews-feeder ggaren product-security rniwa webkit-bug-importer wenson_hsieh oldest_to_newest 1650868 0 shihchieh_lee 2020-05-08 20:25:00 -0700 <rdar://62844424> 0 com.apple.WebCore 0x000000010b25c4ef WebCore::LegacyWebArchive::createPropertyListRepresentation(WebCore::Archive&) + 47 1 com.apple.WebCore 0x000000010b25c631 WebCore::LegacyWebArchive::createPropertyListRepresentation(WebCore::Archive&) + 369 2 com.apple.WebCore 0x0000000109c444db WebCore::LegacyWebArchive::rawDataRepresentation() + 27 3 com.apple.WebCore 0x000000010a146af9 WebCore::Editor::selectionInWebArchiveFormat() + 57 4 com.apple.WebCore 0x000000010a1460eb WebCore::Editor::writeSelectionToPasteboard(WebCore::Pasteboard&) + 299 5 com.apple.WebCore 0x000000010ae8ca37 WebCore::Editor::performCutOrCopy(WebCore::Editor::EditorActionSpecifier) + 535 6 com.apple.WebCore 0x000000010aeb3287 WebCore::executeCopy(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) + 23 7 com.apple.WebCore 0x0000000109c327b1 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) + 81 8 com.apple.WebCore 0x000000010a02a23a WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::JSGlobalObject*, JSC::CallFrame*) + 426 1650869 1 shihchieh_lee 2020-05-08 20:25:37 -0700 <body><span id=span></span> <script> span.offsetParent.before(document.createElement("frameset")); span.prepend("\ud800"); document.execCommand("selectAll", true); document.execCommand("copy", true); </script> 1. In this test case we are processing copy command and try to create LegacyWebArchive to describe the selected elements. 2. One element in the selection contains surrogate pairs so function convertUTF16ToUTF8() fails which makes creation of LegacyWebArchive to fail. 3. However, function LegacyWebArchive::createFromSelection does not check null LegacyWebArchive and continue to add the Ref() of it into a vector. 4. Eventually in LegacyWebArchive::createPropertyListRepresentation() it crashes when we try to pop the Ref() of LegacyWebArchive from the vetor and dereference the pointer of Ref(). Node tree when we are creating LegacyWebArchive: *#document 0x106fc5ba0 (renderer 0x106fc5210) HTML 0x106fc6800 (renderer 0x106fc56c0) HEAD 0x106fc6890 (renderer 0x0) FRAMESET 0x106fc6d30 (renderer 0x106fc6e40) BODY 0x106fc6920 (renderer 0x106fc57f0) SPAN 0x106fc69b0 (renderer 0x106fc6bd0) #text 0x106fc6de0 "???" #text 0x106fc6a40 "\n" SCRIPT 0x106fc6aa0 (renderer 0x0) #text 0x106fc6b70 "\n span.offsetParent.before(document.createElement("frameset"));\n span.prepend("\\ud800");\n document.execCommand("selectAll", true);\n document.execCommand("copy", true);\n" 1650873 2 398914 shihchieh_lee 2020-05-08 21:06:53 -0700 Created attachment 398914 Patch 1650900 3 ews-feeder 2020-05-09 01:07:33 -0700 Committed r261434: <https://trac.webkit.org/changeset/261434> All reviewed patches have been landed. Closing bug and clearing flags on attachment 398914. 398914 2020-05-08 21:06:53 -0700 2020-05-09 01:07:33 -0700 Patch bug-211658-20200508210652.patch text/plain 3983 shihchieh_lee U3VidmVyc2lvbiBSZXZpc2lvbjogMjYxMjYyCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggZTQyZmQ0ZmFkYTAxYTkw ZmRhMWE0OWFjMmUyOTE1ZDJlYmU1ZjM0NC4uNWQxMTJiZWU5OGRiMzIwMzVhNDkxNTI3ODgyMTli MGNmOGM0MTk0ZiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE4IEBACisyMDIwLTA1LTA4ICBKYWNr IExlZSAgPHNoaWhjaGllaF9sZWVAYXBwbGUuY29tPgorCisgICAgICAgIE51bGxwdHIgY3Jhc2gg aW4gTGVnYWN5V2ViQXJjaGl2ZTo6Y3JlYXRlUHJvcGVydHlMaXN0UmVwcmVzZW50YXRpb24gd2hl biBjb3B5aW5nIHNlbGVjdGVkIHJhbmdlIHRoYXQgY29udGFpbnMgc3Vycm9nYXRlIGNoYXJhY3Rl cnMKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTIxMTY1 OAorICAgICAgICA8cmRhcjovL3Byb2JsZW0vNjI4NDQ0MjQ+CisKKyAgICAgICAgUmV2aWV3ZWQg YnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgQWRkZWQgY2hlY2sgZm9yIG51bGwgTGVnYWN5 V2ViQXJjaGl2ZSBpbiBMZWdhY3lXZWJBcmNoaXZlOjpjcmVhdGVGcm9tU2VsZWN0aW9uLiBSZXR1 cm4gbnVsbHB0ciB3aGVuIGNyZWF0aW9uIGZhaWxzLgorCisgICAgICAgIFRlc3Q6IHdlYmFyY2hp dmUvY29weS1zdXJyb2dhdGUtY2hhci1jcmFzaC5odG1sCisKKyAgICAgICAgKiBsb2FkZXIvYXJj aGl2ZS9jZi9MZWdhY3lXZWJBcmNoaXZlLmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OkxlZ2FjeVdl YkFyY2hpdmU6OmNyZWF0ZUZyb21TZWxlY3Rpb24pOgorCiAyMDIwLTA1LTA2ICBaYWxhbiBCdWp0 YXMgIDx6YWxhbkBhcHBsZS5jb20+CiAKICAgICAgICAgW0NvbnRlbnRPYnNlcnZhdGlvbl0gU2h1 dHRlcnN0b2NrIHNlYXJjaCBiYXIgaXMgbm90IGFjdGl2YXRlZCBvbiB0aGUgZmlyc3QgdGFwCmRp ZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9sb2FkZXIvYXJjaGl2ZS9jZi9MZWdhY3lXZWJBcmNo aXZlLmNwcCBiL1NvdXJjZS9XZWJDb3JlL2xvYWRlci9hcmNoaXZlL2NmL0xlZ2FjeVdlYkFyY2hp dmUuY3BwCmluZGV4IDZhYzUzZDM5N2U0YzFlNzIzNTkwZWMyNTAxMDJjYTRmNjY1Yjg5MGEuLjky Y2Y2YmM1NTg0MmY1NDEyMDkwMjk1ZGQzMDI0ZjIwY2Q1YThhZDEgMTAwNjQ0Ci0tLSBhL1NvdXJj ZS9XZWJDb3JlL2xvYWRlci9hcmNoaXZlL2NmL0xlZ2FjeVdlYkFyY2hpdmUuY3BwCisrKyBiL1Nv dXJjZS9XZWJDb3JlL2xvYWRlci9hcmNoaXZlL2NmL0xlZ2FjeVdlYkFyY2hpdmUuY3BwCkBAIC02 MDUsNyArNjA1LDkgQEAgUmVmUHRyPExlZ2FjeVdlYkFyY2hpdmU+IExlZ2FjeVdlYkFyY2hpdmU6 OmNyZWF0ZUZyb21TZWxlY3Rpb24oRnJhbWUqIGZyYW1lKQogICAgIGJ1aWxkZXIuYXBwZW5kKHNl cmlhbGl6ZVByZXNlcnZpbmdWaXN1YWxBcHBlYXJhbmNlKGZyYW1lLT5zZWxlY3Rpb24oKS5zZWxl Y3Rpb24oKSwgUmVzb2x2ZVVSTHM6Ok5vLCBzZXJpYWxpemVDb21wb3NlZFRyZWUsICZub2RlTGlz dCkpOwogCiAgICAgYXV0byBhcmNoaXZlID0gY3JlYXRlKGJ1aWxkZXIudG9TdHJpbmcoKSwgKmZy YW1lLCBub2RlTGlzdCwgbnVsbHB0cik7Ci0gICAgCisgICAgaWYgKCFhcmNoaXZlKQorICAgICAg ICByZXR1cm4gbnVsbHB0cjsKKwogICAgIGlmICghZG9jdW1lbnQtPmlzRnJhbWVTZXQoKSkKICAg ICAgICAgcmV0dXJuIGFyY2hpdmU7CiAgICAgICAgIApkaWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMv Q2hhbmdlTG9nIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCmluZGV4IDM5M2MzZGNjNzM3NGY1YjQ0 ZTMwODkwZTFhODI3ZmQ0Y2Q0YzgyMGQuLmUwYzEzYWY5YWYzZDQ1M2RkMzJiMDRkZGRmNmRkNDQ5 Y2Q1NjYwMDMgMTAwNjQ0Ci0tLSBhL0xheW91dFRlc3RzL0NoYW5nZUxvZworKysgYi9MYXlvdXRU ZXN0cy9DaGFuZ2VMb2cKQEAgLTEsMyArMSwxNiBAQAorMjAyMC0wNS0wOCAgSmFjayBMZWUgIDxz aGloY2hpZWhfbGVlQGFwcGxlLmNvbT4KKworICAgICAgICBOdWxscHRyIGNyYXNoIGluIExlZ2Fj eVdlYkFyY2hpdmU6OmNyZWF0ZVByb3BlcnR5TGlzdFJlcHJlc2VudGF0aW9uIHdoZW4gY29weWlu ZyBzZWxlY3RlZCByYW5nZSB0aGF0IGNvbnRhaW5zIHN1cnJvZ2F0ZSBjaGFyYWN0ZXJzCisgICAg ICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yMTE2NTgKKyAgICAg ICAgPHJkYXI6Ly9wcm9ibGVtLzYyODQ0NDI0PgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9E WSAoT09QUyEpLgorCisgICAgICAgIEFkZGVkIGEgcmVncmVzc2lvbiB0ZXN0IGZvciB0aGUgY3Jh c2guCisKKyAgICAgICAgKiB3ZWJhcmNoaXZlL2NvcHktc3Vycm9nYXRlLWNoYXItY3Jhc2gtZXhw ZWN0ZWQudHh0OiBBZGRlZC4KKyAgICAgICAgKiB3ZWJhcmNoaXZlL2NvcHktc3Vycm9nYXRlLWNo YXItY3Jhc2guaHRtbDogQWRkZWQuCisKIDIwMjAtMDUtMDYgIEphY2sgTGVlICA8c2hpaGNoaWVo X2xlZUBhcHBsZS5jb20+CiAKICAgICAgICAgTnVsbHB0ciBjcmFzaCBpbiBpbmRlbnRPdXRkZW50 Q29tbWFuZDo6Zm9ybWF0UmFuZ2Ugd2l0aCBhc3luY2hyb25vdXMgY29tbWFuZHM6IGluZGVudCBh bmQgaW5zZXJ0IGxpc3QuCmRpZmYgLS1naXQgYS9MYXlvdXRUZXN0cy93ZWJhcmNoaXZlL2NvcHkt c3Vycm9nYXRlLWNoYXItY3Jhc2gtZXhwZWN0ZWQudHh0IGIvTGF5b3V0VGVzdHMvd2ViYXJjaGl2 ZS9jb3B5LXN1cnJvZ2F0ZS1jaGFyLWNyYXNoLWV4cGVjdGVkLnR4dApuZXcgZmlsZSBtb2RlIDEw MDY0NAppbmRleCAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwLi4yYzUy MDE0MGE5OTViMGRjMmFjODcwMWRjZWVkYTQ4ODZmNDU4ZThlCi0tLSAvZGV2L251bGwKKysrIGIv TGF5b3V0VGVzdHMvd2ViYXJjaGl2ZS9jb3B5LXN1cnJvZ2F0ZS1jaGFyLWNyYXNoLWV4cGVjdGVk LnR4dApAQCAtMCwwICsxIEBACisiVGVzdHMgY29weWluZyBzZWxlY3RlZCByYW5nZSB0aGF0IGNv bnRhaW5zIHN1cnJvZ2F0ZSBjaGFyYWN0ZXJzLiBUaGUgdGVzdCBwYXNzZXMgaWYgV2ViS2l0IGRv ZXNuJ3QgY3Jhc2ggb3IgaGl0IGFuIHNzZXJ0aW9uLiIKZGlmZiAtLWdpdCBhL0xheW91dFRlc3Rz L3dlYmFyY2hpdmUvY29weS1zdXJyb2dhdGUtY2hhci1jcmFzaC5odG1sIGIvTGF5b3V0VGVzdHMv d2ViYXJjaGl2ZS9jb3B5LXN1cnJvZ2F0ZS1jaGFyLWNyYXNoLmh0bWwKbmV3IGZpbGUgbW9kZSAx MDA2NDQKaW5kZXggMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMC4uMWM4 YWY5YTc1MTYxNzdjOGQ3ZDk3ZmIyODA2MmUwODVhNDUyYzcwMwotLS0gL2Rldi9udWxsCisrKyBi L0xheW91dFRlc3RzL3dlYmFyY2hpdmUvY29weS1zdXJyb2dhdGUtY2hhci1jcmFzaC5odG1sCkBA IC0wLDAgKzEsMTEgQEAKKzxib2R5PjxzcGFuIGlkPXNwYW4+PC9zcGFuPjxzcGFuPiJUZXN0cyBj b3B5aW5nIHNlbGVjdGVkIHJhbmdlIHRoYXQgY29udGFpbnMgc3Vycm9nYXRlIGNoYXJhY3RlcnMu IFRoZSB0ZXN0IHBhc3NlcyBpZiBXZWJLaXQgZG9lc24ndCBjcmFzaCBvciBoaXQgYW4gc3NlcnRp b24uIjwvc3Bhbj4KKzxzY3JpcHQ+CisgICAgaWYgKHdpbmRvdy50ZXN0UnVubmVyKQorICAgICAg ICB0ZXN0UnVubmVyLmR1bXBBc1RleHQoKTsKKyAgICAgICAgCisgICAgc3Bhbi5vZmZzZXRQYXJl bnQuYmVmb3JlKGRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoImZyYW1lc2V0IikpOworICAgIHNwYW4u cHJlcGVuZCgiXHVkODAwIik7CisgICAgZG9jdW1lbnQuZXhlY0NvbW1hbmQoInNlbGVjdEFsbCIs IHRydWUpOworICAgIGRvY3VtZW50LmV4ZWNDb21tYW5kKCJjb3B5IiwgdHJ1ZSk7CisgICAgZG9j dW1lbnQuZ2V0RWxlbWVudEJ5SWQoInNwYW4iKS5yZW1vdmUoKTsKKzwvc2NyaXB0Pgo=