31684 2009-11-19 13:54:16 -0800 WebCore::Range::surroundContents NULL pointer crash 2019-02-06 09:03:11 -0800 1 1 1 Unclassified WebKit DOM 528+ (Nightly build) All All RESOLVED FIXED http://skypher.com/SkyLined/Repro/WebKit/Bug%2031684%20-%20WebCore..Range..surroundContents%20NULL%20pointer/repro.html P1 Normal --- 1 skylined webkit-unassigned ap cdumez commit-queue eric morrita webkit.review.bot oldest_to_newest 165081 0 43520 skylined 2009-11-19 13:54:16 -0800 Created attachment 43520 Repro The following HTML triggers a NULL pointer in "WebCore::Range::surroundContents": <SCRIPT> range=document.createRange(); text=document.createTextNode(''); range.selectNodeContents(text); element=document.createElement("l"); range.surroundContents(element); </SCRIPT> Relevant call stack (in Chromium): WebCore::Range::surroundContents(class WTF::PassRefPtr<WebCore::Node> passNewParent = class WTF::PassRefPtr<WebCore::Node>, int * ec = 0x0012f220)+0x113 WebCore::RangeInternal::surroundContentsCallback(class v8::Arguments * args = 0x00000000)+0xac 165084 1 skylined 2009-11-19 13:57:11 -0800 Added online repro URL 173493 2 45226 morrita 2009-12-19 00:37:50 -0800 Created attachment 45226 patch v1 173494 3 morrita 2009-12-19 00:40:10 -0800 Added NULL guard null throws exception. Note that Firefox also throws an exception (NS_ERROR_UNEXPECTED) in the case. 173495 4 webkit.review.bot 2009-12-19 00:42:22 -0800 style-queue ran check-webkit-style on attachment 45226 without any errors. 173541 5 45226 commit-queue 2009-12-19 10:30:50 -0800 Comment on attachment 45226 patch v1 Clearing flags on attachment: 45226 Committed r52388: <http://trac.webkit.org/changeset/52388> 173542 6 commit-queue 2009-12-19 10:30:55 -0800 All reviewed patches have been landed. Closing bug. 1502919 7 lforschler 2019-02-06 09:03:11 -0800 Mass moving XML DOM bugs to the "DOM" Component. 43520 2009-11-19 13:54:16 -0800 2009-11-19 13:54:16 -0800 Repro repro.html text/html 200 skylined PFNDUklQVD4NCiAgcmFuZ2U9ZG9jdW1lbnQuY3JlYXRlUmFuZ2UoKTsNCiAgdGV4dD1kb2N1bWVu dC5jcmVhdGVUZXh0Tm9kZSgnJyk7DQogIHJhbmdlLnNlbGVjdE5vZGVDb250ZW50cyh0ZXh0KTsN CiAgZWxlbWVudD1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCJsIik7DQogIHJhbmdlLnN1cnJvdW5k Q29udGVudHMoZWxlbWVudCk7DQo8L1NDUklQVD4= 45226 2009-12-19 00:37:50 -0800 2009-12-19 10:30:49 -0800 patch v1 bug-31684-20091219173748.patch text/plain 3732 morrita ZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL0NoYW5nZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxv ZwppbmRleCA2ZDQ0NGFjLi42Y2I2YmVkIDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0cy9DaGFuZ2VM b2cKKysrIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTUgQEAKKzIwMDktMTIt MTkgIE1PUklUQSBIYWppbWUgIDxtb3JyaXRhQGdtYWlsLmNvbT4KKworICAgICAgICBSZXZpZXdl ZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBXZWJDb3JlOjpSYW5nZTo6c3Vycm91bmRD b250ZW50cyBOVUxMIHBvaW50ZXIgY3Jhc2guCisKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtp dC5vcmcvc2hvd19idWcuY2dpP2lkPTMxNjg0CisKKyAgICAgICAgKiBmYXN0L2RvbS9SYW5nZS8z MTY4NC1leHBlY3RlZC50eHQ6IEFkZGVkLgorICAgICAgICAqIGZhc3QvZG9tL1JhbmdlLzMxNjg0 Lmh0bWw6IEFkZGVkLgorICAgICAgICAqIGZhc3QvZG9tL1JhbmdlL3NjcmlwdC10ZXN0cy8zMTY4 NC5qczogQWRkZWQuCisKIDIwMDktMTItMTggIFNpbW9uIEZyYXNlciAgPHNpbW9uLmZyYXNlckBh cHBsZS5jb20+CiAKICAgICAgICAgUmV2aWV3ZWQgYnkgRGFyaW4gQWRsZXIuCmRpZmYgLS1naXQg YS9MYXlvdXRUZXN0cy9mYXN0L2RvbS9SYW5nZS8zMTY4NC1leHBlY3RlZC50eHQgYi9MYXlvdXRU ZXN0cy9mYXN0L2RvbS9SYW5nZS8zMTY4NC1leHBlY3RlZC50eHQKbmV3IGZpbGUgbW9kZSAxMDA2 NDQKaW5kZXggMDAwMDAwMC4uMmQ1YzZiYwotLS0gL2Rldi9udWxsCisrKyBiL0xheW91dFRlc3Rz L2Zhc3QvZG9tL1JhbmdlLzMxNjg0LWV4cGVjdGVkLnR4dApAQCAtMCwwICsxLDEwIEBACitUaGlz IHRlc3QgY2hlY2tzIGFuIG9ycGhhbiB0ZXh0IG5vZGUgY2Fubm90IGJlIHN1cnJvdW5kZWQgYnkg dGhlIHJhbmdlLiAoYnVnMzE2ODQpCisKK09uIHN1Y2Nlc3MsIHlvdSB3aWxsIHNlZSBhIHNlcmll cyBvZiAiUEFTUyIgbWVzc2FnZXMsIGZvbGxvd2VkIGJ5ICJURVNUIENPTVBMRVRFIi4KKworCitQ QVNTIHJhbmdlLnN1cnJvdW5kQ29udGVudHMoZWxlbWVudCkgdGhyZXcgZXhjZXB0aW9uIEVycm9y OiBISUVSQVJDSFlfUkVRVUVTVF9FUlI6IERPTSBFeGNlcHRpb24gMy4KK1BBU1Mgc3VjY2Vzc2Z1 bGx5UGFyc2VkIGlzIHRydWUKKworVEVTVCBDT01QTEVURQorCmRpZmYgLS1naXQgYS9MYXlvdXRU ZXN0cy9mYXN0L2RvbS9SYW5nZS8zMTY4NC5odG1sIGIvTGF5b3V0VGVzdHMvZmFzdC9kb20vUmFu Z2UvMzE2ODQuaHRtbApuZXcgZmlsZSBtb2RlIDEwMDY0NAppbmRleCAwMDAwMDAwLi5iNjZhY2Ri Ci0tLSAvZGV2L251bGwKKysrIGIvTGF5b3V0VGVzdHMvZmFzdC9kb20vUmFuZ2UvMzE2ODQuaHRt bApAQCAtMCwwICsxLDEzIEBACis8IURPQ1RZUEUgSFRNTCBQVUJMSUMgIi0vL0lFVEYvL0RURCBI VE1MLy9FTiI+Cis8aHRtbD4KKzxoZWFkPgorPGxpbmsgcmVsPSJzdHlsZXNoZWV0IiBocmVmPSIu Li8uLi9qcy9yZXNvdXJjZXMvanMtdGVzdC1zdHlsZS5jc3MiPgorPHNjcmlwdCBzcmM9Ii4uLy4u L2pzL3Jlc291cmNlcy9qcy10ZXN0LXByZS5qcyI+PC9zY3JpcHQ+Cis8L2hlYWQ+Cis8Ym9keT4K KzxwIGlkPSJkZXNjcmlwdGlvbiI+PC9wPgorPGRpdiBpZD0iY29uc29sZSI+PC9kaXY+Cis8c2Ny aXB0IHNyYz0ic2NyaXB0LXRlc3RzLzMxNjg0LmpzIj48L3NjcmlwdD4KKzxzY3JpcHQgc3JjPSIu Li8uLi9qcy9yZXNvdXJjZXMvanMtdGVzdC1wb3N0LmpzIj48L3NjcmlwdD4KKzwvYm9keT4KKzwv aHRtbD4KZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL2Zhc3QvZG9tL1JhbmdlL3NjcmlwdC10ZXN0 cy8zMTY4NC5qcyBiL0xheW91dFRlc3RzL2Zhc3QvZG9tL1JhbmdlL3NjcmlwdC10ZXN0cy8zMTY4 NC5qcwpuZXcgZmlsZSBtb2RlIDEwMDY0NAppbmRleCAwMDAwMDAwLi5hNzU5NDEwCi0tLSAvZGV2 L251bGwKKysrIGIvTGF5b3V0VGVzdHMvZmFzdC9kb20vUmFuZ2Uvc2NyaXB0LXRlc3RzLzMxNjg0 LmpzCkBAIC0wLDAgKzEsMTEgQEAKK2Rlc2NyaXB0aW9uKAorICAgICJUaGlzIHRlc3QgY2hlY2tz IGFuIG9ycGhhbiB0ZXh0IG5vZGUgY2Fubm90IGJlIHN1cnJvdW5kZWQgYnkgdGhlIHJhbmdlLiAo YnVnMzE2ODQpIgorKTsKKwordmFyIHJhbmdlID0gZG9jdW1lbnQuY3JlYXRlUmFuZ2UoKTsKK3Zh ciB0ZXh0ID0gZG9jdW1lbnQuY3JlYXRlVGV4dE5vZGUoJ2hlbGxvJyk7Cit2YXIgZWxlbWVudCA9 IGRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoImRpdiIpOworcmFuZ2Uuc2VsZWN0Tm9kZUNvbnRlbnRz KHRleHQpOworCitzaG91bGRUaHJvdygicmFuZ2Uuc3Vycm91bmRDb250ZW50cyhlbGVtZW50KSIs ICciRXJyb3I6IEhJRVJBUkNIWV9SRVFVRVNUX0VSUjogRE9NIEV4Y2VwdGlvbiAzIicpOwordmFy IHN1Y2Nlc3NmdWxseVBhcnNlZCA9IHRydWU7CmRpZmYgLS1naXQgYS9XZWJDb3JlL0NoYW5nZUxv ZyBiL1dlYkNvcmUvQ2hhbmdlTG9nCmluZGV4IGMyOGM2OWUuLmQ5NzhjMzQgMTAwNjQ0Ci0tLSBh L1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1dlYkNvcmUvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTcg QEAKKzIwMDktMTItMTkgIE1PUklUQSBIYWppbWUgIDxtb3JyaXRhQGdtYWlsLmNvbT4KKworICAg ICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBXZWJDb3JlOjpSYW5n ZTo6c3Vycm91bmRDb250ZW50cyBOVUxMIHBvaW50ZXIgY3Jhc2guCisKKyAgICAgICAgaHR0cHM6 Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTMxNjg0CisKKyAgICAgICAgVGVzdDog ZmFzdC9kb20vUmFuZ2UvMzE2ODQuaHRtbAorCisgICAgICAgICogZG9tL1JhbmdlLmNwcDoKKyAg ICAgICAgKFdlYkNvcmU6OlJhbmdlOjpzdXJyb3VuZENvbnRlbnRzKToKKyAgICAgICAgdGhyb3cg ZXhjZXB0aW9uIHdoZW4gcGFyZW50T2ZOZXdQYXJlbnQtPnBhcmVudE5vZGUoKSBpcyBOVUxMLgor CiAyMDA5LTEyLTE4ICBOaWtvbGFzIFppbW1lcm1hbm4gIDxuemltbWVybWFubkByaW0uY29tPgog CiAgICAgICAgIE5vdCByZXZpZXdlZC4gTWVzc2VkIHVwIHRoZSBYQ29kZSBmaWxlLCB0cnlpbmcg dG8gZml4LgpkaWZmIC0tZ2l0IGEvV2ViQ29yZS9kb20vUmFuZ2UuY3BwIGIvV2ViQ29yZS9kb20v UmFuZ2UuY3BwCmluZGV4IDg0YTQ2YzIuLmQ3ZGVjMmYgMTAwNjQ0Ci0tLSBhL1dlYkNvcmUvZG9t L1JhbmdlLmNwcAorKysgYi9XZWJDb3JlL2RvbS9SYW5nZS5jcHAKQEAgLTE0MTcsNyArMTQxNyw3 IEBAIHZvaWQgUmFuZ2U6OnN1cnJvdW5kQ29udGVudHMoUGFzc1JlZlB0cjxOb2RlPiBwYXNzTmV3 UGFyZW50LCBFeGNlcHRpb25Db2RlJiBlYykKICAgICAvLyBhbHRob3VnaCB0aGlzIHdpbGwgZmFp bCBiZWxvdyBmb3IgYW5vdGhlciByZWFzb24pLgogICAgIGlmIChwYXJlbnRPZk5ld1BhcmVudC0+ aXNDaGFyYWN0ZXJEYXRhTm9kZSgpKQogICAgICAgICBwYXJlbnRPZk5ld1BhcmVudCA9IHBhcmVu dE9mTmV3UGFyZW50LT5wYXJlbnROb2RlKCk7Ci0gICAgaWYgKCFwYXJlbnRPZk5ld1BhcmVudC0+ Y2hpbGRUeXBlQWxsb3dlZChuZXdQYXJlbnQtPm5vZGVUeXBlKCkpKSB7CisgICAgaWYgKCFwYXJl bnRPZk5ld1BhcmVudCB8fCAhcGFyZW50T2ZOZXdQYXJlbnQtPmNoaWxkVHlwZUFsbG93ZWQobmV3 UGFyZW50LT5ub2RlVHlwZSgpKSkgewogICAgICAgICBlYyA9IEhJRVJBUkNIWV9SRVFVRVNUX0VS UjsKICAgICAgICAgcmV0dXJuOwogICAgIH0K