Summary: Nullptr crash in CompositeEditCommand::moveParagraphContentsToNewBlockIfNecessary with draggable text
Product: WebKit
Component: HTML Editing
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: WebKit Nightly Build
Hardware: All
OS: All
Reporter: Jack <shihchieh_lee>
Assignee: Jack <shihchieh_lee>
CC: bfulgham, ews-feeder, product-security, rniwa, webkit-bug-importer, wenson_hsieh
Keywords: InRadar
Attachments: 395437 (Patch), 395602 (Patch for landing)
Description
Jack
2020-04-03 21:54:10 PDT
Root cause: In function moveParagraphContentsToNewBlockIfNecessary, an empty VisiblePosition is dereferenced for its anchor node.

1. Because span has attribute "draggable" set to true, its "UserSelect" style is set to none.
2. When the "justifyCenter" command executes on the shadow element, we try to move the whole paragraph to a new block by calling moveParagraphContentsToNewBlockIfNecessary.
3. In moveParagraphContentsToNewBlockIfNecessary, we find the end of the paragraph by calling endOfParagraph.
4. However, endOfParagraph returns an empty visible position because function canonicalPosition cannot find a candidate position.
5. The text node is supposed to be the end of the paragraph, but its parent, <span>, has UserSelect::None style, so it is not selected by canonicalPosition().
6. Later the empty endOfParagraph is dereferenced for its null anchor node, and the code crashes.

Test case:

<style>
#SHADOW { initial; -webkit-user-select: text; }
#LABEL { -webkit-user-select: all; }
</style>
<script>
window.onload = () => {
    window.getSelection().collapse(SHADOW);
    document.execCommand("justifyCenter", false);
}
</script>
<label id=LABEL contenteditable="true"><shadow id=SHADOW></shadow><span draggable="true">a

DOM at the time of the crash:

BODY 0x60c000086e00 (renderer 0x612000071140)
  LABEL 0x60c000086ec0 (renderer 0x6110000d1f00)
    SHADOW 0x60c000086f80 (renderer 0x6110000d2040)
    SPAN 0x60c000087040 (renderer 0x6110000d2180)
*     #text 0x6080000501a0 "a\n"

Please refer to <rdar://58978340>.

Radar WebKit Bug Importer
<rdar://problem/61288781>

Jack
(In reply to Radar WebKit Bug Importer from comment #1)
> <rdar://problem/61288781>

This was caused by accidental save of the bug.

Jack
Created attachment 395437 [details]
Patch
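The crash path the description walks through (steps 3 to 6), as an added example that is not WebKit's code: a small C++ model in which the paragraph-end lookup returns an empty position when no text node is a selection candidate, next to the unchecked dereference the report describes and the guarded shape a fix needs. The type and function names (Node, Position, endOfParagraph, isCandidate) only loosely mirror WebCore's editing types; their implementations, and the rule that user-select: none on an ancestor disqualifies a text node, are assumptions taken from the report's wording rather than from WebCore source. The tree built by buildReproTree is reconstructed from the DOM dump in the report.

```cpp
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Added model of the crash path described in the bug report; not WebKit code.
// Names loosely mirror WebCore's editing types; the bodies are assumptions.
enum class UserSelect { Text, All, None };

struct Node {
    std::string name;
    bool isText = false;
    UserSelect userSelect = UserSelect::Text;
    Node* parent = nullptr;
    std::vector<std::unique_ptr<Node>> children;

    Node(std::string n, bool text = false, UserSelect us = UserSelect::Text)
        : name(std::move(n)), isText(text), userSelect(us) {}

    Node* appendChild(std::unique_ptr<Node> child) {
        child->parent = this;
        children.push_back(std::move(child));
        return children.back().get();
    }
};

// Like WebCore's Position: an anchor node that may be null (an "empty" position).
struct Position {
    Node* anchorNode = nullptr;
    bool isNull() const { return anchorNode == nullptr; }
};

// A text node is a selection candidate only if neither it nor any ancestor
// carries user-select: none (the report says draggable="true" sets that style).
bool isCandidate(const Node& n) {
    if (!n.isText) return false;
    for (const Node* p = &n; p; p = p->parent)
        if (p->userSelect == UserSelect::None) return false;
    return true;
}

void collectTextNodes(Node& n, std::vector<Node*>& out) {
    if (n.isText) out.push_back(&n);
    for (auto& c : n.children) collectTextNodes(*c, out);
}

// Steps 3 and 4 of the report: the paragraph end is the last candidate text
// node in document order; when nothing qualifies the result is an empty
// position, not an error, and callers must check for that.
Position endOfParagraph(Node& paragraph) {
    std::vector<Node*> texts;
    collectTextNodes(paragraph, texts);
    for (auto it = texts.rbegin(); it != texts.rend(); ++it)
        if (isCandidate(**it)) return Position{*it};
    return Position{};
}

// The unchecked shape (step 6): dereferences the anchor unconditionally.
// Calling this on a tree with no candidate text node dereferences nullptr.
std::string endAnchorNameUnchecked(Node& paragraph) {
    return endOfParagraph(paragraph).anchorNode->name;
}

// The guarded shape: an empty end-of-paragraph means "nothing to move".
bool endAnchorNameChecked(Node& paragraph, std::string& name) {
    Position end = endOfParagraph(paragraph);
    if (end.isNull()) return false;
    name = end.anchorNode->name;
    return true;
}

// Reconstructs the report's DOM dump: LABEL > SHADOW, SPAN > #text "a\n".
// spanUserSelectNone=true models the draggable="true" span from the test case.
std::unique_ptr<Node> buildReproTree(bool spanUserSelectNone) {
    auto label = std::make_unique<Node>("LABEL", false, UserSelect::All);
    label->appendChild(std::make_unique<Node>("SHADOW"));
    Node* span = label->appendChild(std::make_unique<Node>(
        "SPAN", false, spanUserSelectNone ? UserSelect::None : UserSelect::Text));
    span->appendChild(std::make_unique<Node>("#text", true));
    return label;
}

int main() {
    std::string name;
    auto draggable = buildReproTree(true);
    std::cout << "draggable span: end-of-paragraph is "
              << (endOfParagraph(*draggable).isNull() ? "empty" : "set")
              << ", guarded lookup ok=" << endAnchorNameChecked(*draggable, name) << '\n';
    auto plain = buildReproTree(false);
    std::cout << "plain span: guarded lookup ok=" << endAnchorNameChecked(*plain, name)
              << ", anchor=" << name << '\n';
    return 0;
}
```

The point a practitioner would check in the real fix is the same as in endAnchorNameChecked: every VisiblePosition returned by endOfParagraph (or any other canonicalisation helper that can legitimately come back empty) must be tested with isNull() before its anchor node is used, because user-select: none on an ancestor is only one of several ways a paragraph can end up with no candidate position.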
Comment on attachment 395437 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=395437&action=review

> Source/WebCore/editing/CompositeEditCommand.cpp:1184
> +

Nit: whitespace.

There is no security implication here.

Created attachment 395602 [details]
Patch for landing
Committed r259595: <https://trac.webkit.org/changeset/259595>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 395602 [details].