RESOLVED FIXED 211658
Nullptr crash in LegacyWebArchive::createPropertyListRepresentation when copying selected range that contains surrogate characters
https://bugs.webkit.org/show_bug.cgi?id=211658
Jack
Reported 2020-05-08 20:25:00 PDT
<rdar://62844424>

0 com.apple.WebCore 0x000000010b25c4ef WebCore::LegacyWebArchive::createPropertyListRepresentation(WebCore::Archive&) + 47
1 com.apple.WebCore 0x000000010b25c631 WebCore::LegacyWebArchive::createPropertyListRepresentation(WebCore::Archive&) + 369
2 com.apple.WebCore 0x0000000109c444db WebCore::LegacyWebArchive::rawDataRepresentation() + 27
3 com.apple.WebCore 0x000000010a146af9 WebCore::Editor::selectionInWebArchiveFormat() + 57
4 com.apple.WebCore 0x000000010a1460eb WebCore::Editor::writeSelectionToPasteboard(WebCore::Pasteboard&) + 299
5 com.apple.WebCore 0x000000010ae8ca37 WebCore::Editor::performCutOrCopy(WebCore::Editor::EditorActionSpecifier) + 535
6 com.apple.WebCore 0x000000010aeb3287 WebCore::executeCopy(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) + 23
7 com.apple.WebCore 0x0000000109c327b1 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) + 81
8 com.apple.WebCore 0x000000010a02a23a WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::JSGlobalObject*, JSC::CallFrame*) + 426
Attachments
Patch (3.89 KB, patch)
2020-05-08 21:06 PDT, Jack
no flags
Jack
Comment 1 2020-05-08 20:25:37 PDT
<body><span id=span></span>
<script>
span.offsetParent.before(document.createElement("frameset"));
span.prepend("\ud800");
document.execCommand("selectAll", true);
document.execCommand("copy", true);
</script>

1. In this test case we are processing the copy command and try to create a LegacyWebArchive to describe the selected elements.
2. One element in the selection contains surrogate pairs, so function convertUTF16ToUTF8() fails, which makes creation of the LegacyWebArchive fail.
3. However, function LegacyWebArchive::createFromSelection does not check for a null LegacyWebArchive and continues to add the Ref() of it into a vector.
4. Eventually, in LegacyWebArchive::createPropertyListRepresentation(), it crashes when we try to pop the Ref() of LegacyWebArchive from the vector and dereference the pointer of Ref().

Node tree when we are creating LegacyWebArchive:

*#document 0x106fc5ba0 (renderer 0x106fc5210)
  HTML 0x106fc6800 (renderer 0x106fc56c0)
    HEAD 0x106fc6890 (renderer 0x0)
    FRAMESET 0x106fc6d30 (renderer 0x106fc6e40)
    BODY 0x106fc6920 (renderer 0x106fc57f0)
      SPAN 0x106fc69b0 (renderer 0x106fc6bd0)
        #text 0x106fc6de0 "???"
      #text 0x106fc6a40 "\n"
      SCRIPT 0x106fc6aa0 (renderer 0x0)
        #text 0x106fc6b70 "\n span.offsetParent.before(document.createElement("frameset"));\n span.prepend("\\ud800");\n document.execCommand("selectAll", true);\n document.execCommand("copy", true);\n"
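The failure chain described in Comment 1 (a UTF-16 to UTF-8 conversion that rejects a lone surrogate, a factory that therefore returns null, a caller that stores the result without checking it, and a later pass that dereferences every stored entry) reduces to a small, self-contained C++ program. The code below is an added illustration and is not WebKit's code nor part of the bug report: std::shared_ptr stands in for WebKit's Ref/RefPtr, and utf16ToUtf8, createArchive, collectUnchecked, collectChecked, containsNull and serializedSize are hypothetical names. collectChecked shows the kind of null check the report says was missing in createFromSelection.

```cpp
#include <cstdint>
#include <memory>
#include <optional>
#include <string>
#include <utility>
#include <vector>

// Stand-in for a strict UTF-16 -> UTF-8 converter: returns nullopt on a lone
// surrogate (a high surrogate with no following low surrogate, or a stray low
// surrogate), which is the failure mode the bug report attributes to
// convertUTF16ToUTF8().
std::optional<std::string> utf16ToUtf8(const std::u16string& in) {
    std::string out;
    for (size_t i = 0; i < in.size(); ++i) {
        uint32_t cp = in[i];
        if (cp >= 0xD800 && cp <= 0xDBFF) {            // high surrogate
            if (i + 1 >= in.size()) return std::nullopt; // nothing follows it
            uint32_t lo = in[i + 1];
            if (lo < 0xDC00 || lo > 0xDFFF) return std::nullopt;
            cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
            ++i;
        } else if (cp >= 0xDC00 && cp <= 0xDFFF) {
            return std::nullopt;                         // stray low surrogate
        }
        if (cp < 0x80) {
            out += static_cast<char>(cp);
        } else if (cp < 0x800) {
            out += static_cast<char>(0xC0 | (cp >> 6));
            out += static_cast<char>(0x80 | (cp & 0x3F));
        } else if (cp < 0x10000) {
            out += static_cast<char>(0xE0 | (cp >> 12));
            out += static_cast<char>(0x80 | ((cp >> 6) & 0x3F));
            out += static_cast<char>(0x80 | (cp & 0x3F));
        } else {
            out += static_cast<char>(0xF0 | (cp >> 18));
            out += static_cast<char>(0x80 | ((cp >> 12) & 0x3F));
            out += static_cast<char>(0x80 | ((cp >> 6) & 0x3F));
            out += static_cast<char>(0x80 | (cp & 0x3F));
        }
    }
    return out;
}

// Minimal archive holding the UTF-8 markup of one frame's selection.
struct Archive {
    std::string markup;
};

// Factory in the shape the report describes: null when conversion fails.
std::shared_ptr<Archive> createArchive(const std::u16string& markup) {
    auto utf8 = utf16ToUtf8(markup);
    if (!utf8) return nullptr;
    auto archive = std::make_shared<Archive>();
    archive->markup = std::move(*utf8);
    return archive;
}

// Defective collector (step 3 of the report): stores whatever the factory
// returned, including null, so a later consumer will dereference it.
std::vector<std::shared_ptr<Archive>> collectUnchecked(const std::vector<std::u16string>& frames) {
    std::vector<std::shared_ptr<Archive>> archives;
    for (const auto& frame : frames)
        archives.push_back(createArchive(frame));       // no null check
    return archives;
}

// Hardened collector: frames whose archive could not be built are skipped,
// so every stored entry is non-null by construction.
std::vector<std::shared_ptr<Archive>> collectChecked(const std::vector<std::u16string>& frames) {
    std::vector<std::shared_ptr<Archive>> archives;
    for (const auto& frame : frames)
        if (auto archive = createArchive(frame))
            archives.push_back(std::move(archive));
    return archives;
}

// Query used to show the difference without crashing: true if any entry is null.
bool containsNull(const std::vector<std::shared_ptr<Archive>>& archives) {
    for (const auto& archive : archives)
        if (!archive) return true;
    return false;
}

// Consumer analogous to step 4: dereferences every entry. Only safe on a
// vector produced by collectChecked.
size_t serializedSize(const std::vector<std::shared_ptr<Archive>>& archives) {
    size_t total = 0;
    for (const auto& archive : archives)
        total += archive->markup.size();                  // null deref if unchecked
    return total;
}
```

Feeding both collectors a constructed selection of three frames, the second of which contains only the lone surrogate U+D800 from the test case, collectUnchecked yields three entries with a null in the middle, while collectChecked yields the two valid archives and serializedSize can walk them safely.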
Jack
Comment 2 2020-05-08 21:06:53 PDT
EWS
Comment 3 2020-05-09 01:07:33 PDT
Committed r261434: <https://trac.webkit.org/changeset/261434> All reviewed patches have been landed. Closing bug and clearing flags on attachment 398914 [details].