Bug 174267 - Selecting and right-clicking URL-like strings with IDNA-disallowed characters in host or authority causes rendering engine crash
Summary: Selecting and right-clicking URL-like strings with IDNA-disallowed characters...
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM (show other bugs)
Version: WebKit Nightly Build
Hardware: Mac macOS 10.12
: P2 Normal
Assignee: Alex Christensen
Keywords: InRadar
: 178696 (view as bug list)
Depends on:
Reported: 2017-07-07 12:40 PDT by Jesse Shapiro
Modified: 2017-10-24 15:23 PDT (History)
5 users (show)

See Also:

Reproduction cases (234 bytes, text/html)
2017-07-07 12:40 PDT, Jesse Shapiro
no flags Details
Web process crash log (84.66 KB, text/plain)
2017-07-07 12:41 PDT, Jesse Shapiro
no flags Details
Patch (2.62 KB, patch)
2017-10-23 18:11 PDT, Alex Christensen
thorton: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Jesse Shapiro 2017-07-07 12:40:45 PDT
Created attachment 314862 [details]
Reproduction cases

Reproduced in MacOS 10.12.5 with Safari 10.1.1 (12603.2.4) as well as WebKit Nightly 10.1.1 (12603.2.4, r219255).
A friend attempted to reproduce the failure case with OS X 10.10.4 and Safari 8.0.7 (10600.7.12), and did not observe the problematic behavior.

Expected behavior:

Selecting any given amount of arbitrary text and right-clicking it does not crash the webpage process.

Actual behavior:

When selecting and then right-clicking text of the following format, the webpage process crashes:

1. The text has the appearance of a URL (scheme://host at a minimum). The scheme need not be an actual recognized scheme.
2. The host and/or authority component of the supposed URL contain one of a range of characters. All known reproduction cases involve characters that are IDNA disallowed. For example, Ⴀ or …. Any of these characters in the scheme, port, or path of the URL do not cause a crash.

This is easiest to reproduce when the text in question the user-visible text of an <a> tag, since right-clicking a link selects the text. Thus, an HTML file with minimal reproduction cases is included. However, it can be reproduced by simply selecting plain text, and then right-clicking. Demonstration:


Crash log to be attached after submission. Looking at it, it appears as though upon right-clicking any selected text, a check is made to determine if it's a navigable URL, and the error occurs in this process.
Comment 1 Jesse Shapiro 2017-07-07 12:41:25 PDT
Created attachment 314863 [details]
Web process crash log
Comment 2 Jesse Shapiro 2017-07-07 12:52:00 PDT
Case that led to this submission:


See the documentation link URL in the repository subtitle - it's terminated with an ellipsis as it's too long for the space given, although the actual <a> tag points to the full URL.
Comment 3 Alexey Proskuryakov 2017-07-07 13:16:28 PDT
Comment 4 Alex Christensen 2017-10-23 18:11:23 PDT
Created attachment 324623 [details]
Comment 5 Alex Christensen 2017-10-23 18:12:11 PDT
*** Bug 178696 has been marked as a duplicate of this bug. ***
Comment 6 Alex Christensen 2017-10-24 15:23:25 PDT