Bug 249862
| Summary: | VisibleSelection::nonBoundaryShadowTreeRootNode should return null when its anchor is a shadow root | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Ahmad Saleem <ahmad.saleem792> |
| Component: | DOM | Assignee: | Chris Dumez <cdumez> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | bfulgham, cdumez, rniwa, webkit-bug-importer, wenson_hsieh |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Ahmad Saleem
Hi Team,
Just going through Blink, I came across another Heap-use-after-free bug, which is not fixed while it was fixed in Chrome / Blink.
I don't know whether it is applicable for WebKit or not or we have other fixes, which render it useless but I just wanted to raise it behind curtain to get input. I have already messaged rniwa on Slack to get his input.
Blink Commit - https://src.chromium.org/viewvc/blink?view=revision&revision=188788
WebKit Source - https://github.com/WebKit/WebKit/blob/8174a9300cd8edff3c4fc20f5c8d62cd4fa927a9/Source/WebCore/editing/VisibleSelection.cpp#L687
Just wanted to raise it so WebKit can be more awesome.
Thanks!
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Radar WebKit Bug Importer
<rdar://problem/103683388>
Ryosuke Niwa
We've mitigated this in some other way.
Chris Dumez
Even though we don't have a security bug here. The Blink test case still hits an assertion in our code in debug and our selection behavior differs from Chrome and Firefox. We probably still want to cherry-pick the fix.
Chris Dumez
Pull request: https://github.com/WebKit/WebKit/pull/16274
EWS
Committed 266505@main (786e20b52145): <https://commits.webkit.org/266505@main>
Reviewed commits have been landed. Closing PR #16274 and removing active labels.