Bug 218493

Summary: Null Ptr Deref @ WebCore::ReplaceSelectionCommand::doApply
Product: WebKit Reporter: Ian Gilbert <iang>
Component: HTML EditingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, bfulgham, cgarcia, ews-feeder, fred.wang, gpoo, product-security, rbuis, rniwa, rwlbuis, svillar, webkit-bug-importer, wenson_hsieh, youennf
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Crashing Input
none
Reduced crashing input
none
More reduced testcase
none
Patch
achristensen: review-, ews-feeder: commit-queue-
Patch
youennf: review+, ews-feeder: commit-queue-
Patch for landing ews-feeder: commit-queue-

Ian Gilbert
Reported 2020-11-03 02:40:34 PST
Description: Crash found by fuzzing. Reproduces on WebKit revision 265372. Stack Trace =========== 0 com.apple.WebCore 0x00000001114dd9cb WebCore::ReplaceSelectionCommand::doApply() + 17483 1 com.apple.WebCore 0x00000001100cbbc4 WebCore::CompositeEditCommand::apply() + 500 2 com.apple.WebCore 0x00000001114bc59a WebCore::executeInsertFragment(WebCore::Frame&, WTF::Ref<WebCore::DocumentFragment, WTF::DumbPtrTraits<WebCore::DocumentFragment> >&&) + 74 3 com.apple.WebCore 0x00000001114bc6d4 WebCore::executeInsertNode(WebCore::Frame&, WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >&&) + 180 4 com.apple.WebCore 0x00000001114b784b WebCore::executeInsertImage(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) + 75 5 com.apple.WebCore 0x000000011013123d WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) + 77 6 com.apple.WebCore 0x000000011053897c WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::JSGlobalObject*, JSC::CallFrame*) + 428 7 ??? 0x000026435ce01178 0 + 42070762852728 8 com.apple.JavaScriptCore 0x000000010de7a95e llint_entry + 104810 9 com.apple.JavaScriptCore 0x000000010de60dff vmEntryToJavaScript + 216 10 com.apple.JavaScriptCore 0x000000010e49f536 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 518
Attachments
Crashing Input (475.17 KB, text/html)
2020-11-03 02:41 PST, Ian Gilbert 		no flags
Details
Reduced crashing input (1.65 KB, text/html)
2020-11-05 00:31 PST, Ian Gilbert 		no flags
Details
More reduced testcase (481 bytes, text/plain)
2020-11-12 12:58 PST, Rob Buis 		no flags
Details
Patch (3.86 KB, patch)
2021-01-21 03:28 PST, Carlos Garcia Campos 		achristensen: review-
ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (4.47 KB, patch)
2021-01-22 01:52 PST, Carlos Garcia Campos 		youennf: review+
ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch for landing (4.92 KB, patch)
2021-01-22 04:29 PST, Carlos Garcia Campos 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2020-11-03 02:40:51 PST
<rdar://problem/70987255>
Ian Gilbert
Comment 2 2020-11-03 02:41:29 PST
Created attachment 413027 [details] Crashing Input
Ryosuke Niwa
Comment 3 2020-11-03 13:07:23 PST
<rdar://problem/68276643>
Ian Gilbert
Comment 4 2020-11-05 00:31:21 PST
Created attachment 413269 [details] Reduced crashing input
Rob Buis
Comment 5 2020-11-12 12:58:47 PST
Created attachment 413970 [details] More reduced testcase
Carlos Garcia Campos
Comment 6 2021-01-21 03:28:45 PST
Created attachment 418028 [details] Patch I'm including the test assuming there's no security implication here, since it's just another null check missing. Please confirm.
Alex Christensen
Comment 7 2021-01-21 09:27:38 PST
Comment on attachment 418028 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=418028&action=review Yep, this test can be included. WebKitLegacy seems to be asserting in fragmentNeedsColorTransformed. We should probably fix that too before landing. The null check seems fine though. > Source/WebCore/editing/ReplaceSelectionCommand.cpp:1208 > + if (insertionPos.containerNode() && insertionPos.containerNode()->isTextNode() && insertionPos.offsetInContainerNode() && !insertionPos.atLastEditingPositionForNode()) { We could use if-with-initializer to avoid calling containerNode twice.
Carlos Garcia Campos
Comment 8 2021-01-22 01:49:48 PST
(In reply to Alex Christensen from comment #7) > Comment on attachment 418028 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=418028&action=review > > Yep, this test can be included. > WebKitLegacy seems to be asserting in fragmentNeedsColorTransformed. We > should probably fix that too before landing. The null check seems fine > though. Yes, it's here: RefPtr<Element> editableRoot = insertionPos.rootEditableElement(); ASSERT(editableRoot); if (!editableRoot) return false; I think the assert is wrong and the early return correct, so we can just remove the assert. > > Source/WebCore/editing/ReplaceSelectionCommand.cpp:1208 > > + if (insertionPos.containerNode() && insertionPos.containerNode()->isTextNode() && insertionPos.offsetInContainerNode() && !insertionPos.atLastEditingPositionForNode()) { > > We could use if-with-initializer to avoid calling containerNode twice. Sure.
Carlos Garcia Campos
Comment 9 2021-01-22 01:52:25 PST
Created attachment 418119 [details] Patch
Carlos Garcia Campos
Comment 10 2021-01-22 03:26:48 PST
Now it's hitting another assert, but I can't reproduce it this time. I'll investigate.
youenn fablet
Comment 11 2021-01-22 03:29:25 PST
Comment on attachment 418119 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=418119&action=review > Source/WebCore/editing/ReplaceSelectionCommand.cpp:1209 > + splitTextNode(*insertionPos.containerText(), insertionPos.offsetInContainerNode()); Do we have a guarantee that insertionPos.containerText() cannot be null? Is it ensured from containerNode->isTextNode()? Looking at Position::containerText(), it seems to depend on anchorType being PositionIsOffsetInAnchor.
Carlos Garcia Campos
Comment 12 2021-01-22 04:13:37 PST
I was running the wrong test, I can indeed reproduce the new assert too.
Carlos Garcia Campos
Comment 13 2021-01-22 04:27:16 PST
(In reply to youenn fablet from comment #11) > Comment on attachment 418119 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=418119&action=review > > > Source/WebCore/editing/ReplaceSelectionCommand.cpp:1209 > > + splitTextNode(*insertionPos.containerText(), insertionPos.offsetInContainerNode()); > > Do we have a guarantee that insertionPos.containerText() cannot be null? Is > it ensured from containerNode->isTextNode()? > Looking at Position::containerText(), it seems to depend on anchorType being > PositionIsOffsetInAnchor. Not an expert in editing code, but I think it's the whole condition: containerNode->isTextNode() && insertionPos.offsetInContainerNode() && !insertionPos.atLastEditingPositionForNode()
Carlos Garcia Campos
Comment 14 2021-01-22 04:29:10 PST
Created attachment 418137 [details] Patch for landing
EWS
Comment 15 2021-01-25 00:26:44 PST
commit-queue failed to commit attachment 418137 [details] to WebKit repository.
Carlos Garcia Campos
Comment 16 2021-01-25 00:33:22 PST
Committed r271787: <https://trac.webkit.org/changeset/271787>
Note You need to log in before you can comment on or make changes to this bug.