286307 2025-01-21 10:49:37 -0800 nullptr crash | WebCore::isScriptElement; WebCore::SVGAnimatedString::setBaseVal; 2025-01-21 22:12:15 -0800 1 1 1 Unclassified WebKit SVG WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 ja_lopezlozoya webkit-unassigned bfulgham darin rniwa sabouhallawa webkit-bug-importer zimmermann oldest_to_newest 2088726 0 ja_lopezlozoya 2025-01-21 10:49:37 -0800 We are calling isScriptElement with passing an element that is null so we needed to add a null check before calling that function. Test case: <p>This test passes if it doesn't crash.</p> <script> if (testRunner) testRunner.dumpAsText(); let animatedString = (() => { return (new Document).createElementNS('http://www.w3.org/2000/svg', 'text').className; })(); if (window.GCController) GCController.collect(); animatedString.baseVal = 'foo'; let newValue = animatedString.baseVal; document.write(newValue == 'foo' ? 'PASS' : `FAIL - ${newValue}`); </script> Backtrace: #0 0x13ad0e43c in WebCore::isScriptElement(WebCore::Element&)+0x38 (/Users/lopezlozoya/repo/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:arm64e+0x5d3643c) #1 0x13e7e023c in WebCore::SVGAnimatedString::setBaseVal(std::__1::variant<WTF::String, WTF::RefPtr<WebCore::TrustedScriptURL, WTF::RawPtrTraits<WebCore::TrustedScriptURL>, WTF::DefaultRefDerefTraits<WebCore::TrustedScriptURL>>> const&)+0xf4 (/Users/lopezlozoya/repo/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:arm64e+0x980823c) #2 0x137464238 in WebCore::setJSSVGAnimatedString_baseValSetter(JSC::JSGlobalObject&, WebCore::JSSVGAnimatedString&, JSC::JSValue)+0x260 (/Users/lopezlozoya/repo/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:arm64e+0x248c238) #3 0x1373c163c in WebCore::setJSSVGAnimatedString_baseVal(JSC::JSGlobalObject*, long long, long long, JSC::PropertyName)+0x14c (/Users/lopezlozoya/repo/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:arm64e+0x23e963c) #4 0x11ffe8d2c in JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)+0x6a4 (/Users/lopezlozoya/repo/OpenSource/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64e+0x3250d2c) #5 0x11f715644 in operationPutByIdSloppyOptimize+0x6e0 (/Users/lopezlozoya/repo/OpenSource/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64e+0x297d644) #6 0x1461b8110 (<unknown module>) #7 0x146181304 (<unknown module>) #8 0x14641f834 (<unknown module>) #9 0x14614c544 (<unknown module>) #10 0x11f4d5c94 in JSC::Interpreter::executeCall(JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x838 (/Users/lopezlozoya/repo/OpenSource/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:arm64e+0x273dc94) 2088727 1 webkit-bug-importer 2025-01-21 10:49:50 -0800 <rdar://problem/143330345> 2088729 2 darin 2025-01-21 11:00:32 -0800 Is a null pointer dereference a heap-use-after-free? 2088733 3 darin 2025-01-21 11:03:13 -0800 The fix to this null pointer dereference is super-simple: isScriptElement(*el) needs to become isScriptElement(el) without the *. I am surprised that it’s a security issue though. Seems more like a non-security fuzzing blocker to me. 2088734 4 ja_lopezlozoya 2025-01-21 11:05:36 -0800 Thanks for the feedback Darin, I'll try that approach. This was classified as Security from a fuzzer so I created the bug with the same classification. 2088742 5 darin 2025-01-21 11:12:57 -0800 Sounds OK. I wonder how the fuzzer classifies things. It’s possible that it is right and I am wrong, but I would like to understand eventually. 2088754 6 ja_lopezlozoya 2025-01-21 11:34:47 -0800 Pull request: https://github.com/apple/WebKit/pull/2461 2088763 7 sabouhallawa 2025-01-21 11:52:25 -0800 rdar://143330345 2088764 8 sabouhallawa 2025-01-21 11:54:22 -0800 rdar://141021945 2088825 9 ja_lopezlozoya 2025-01-21 15:25:03 -0800 This was reclassified as non security bug. It is C/H/D bug. 2088826 10 ja_lopezlozoya 2025-01-21 15:28:33 -0800 Pull request: https://github.com/WebKit/WebKit/pull/39349 2088888 11 ews-feeder 2025-01-21 22:12:13 -0800 Committed 289221@main (a722b348044c): <https://commits.webkit.org/289221@main> Reviewed commits have been landed. Closing PR #39349 and removing active labels.