RESOLVED FIXED 218132
Null dereference in CompositeEditCommand::cloneParagraphUnderNewElement() due to not checking for top of DOM tree
https://bugs.webkit.org/show_bug.cgi?id=218132
Julian Gonzalez
Reported 2020-10-23 11:51:38 PDT
e.g.
#0 0x2d60df731 in WebCore::Node::parentNode() const+0x21
#1 0x2da279932 in WebCore::CompositeEditCommand::cloneParagraphUnderNewElement(WebCore::Position const&, WebCore::Position const&, WebCore::Node*, WebCore::Element*)+0x882
#2 0x2da27a567 in WebCore::CompositeEditCommand::moveParagraphWithClones(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, WebCore::Element*, WebCore::Node*)+0x327
#3 0x2da309ced in WebCore::IndentOutdentCommand::indentIntoBlockquote(WebCore::Position const&, WebCore::Position const&, WTF::RefPtr<WebCore::Element, WTF::DumbPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element> >&)+0x53d
#4 0x2da30b75c in WebCore::IndentOutdentCommand::formatRange(WebCore::Position const&, WebCore::Position const&, WebCore::Position const&, WTF::RefPtr<WebCore::Element, WTF::DumbPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element> >&)+0x3c
#5 0x2da256c41 in WebCore::ApplyBlockElementCommand::formatSelection(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&)+0xca1
#6 0x2da30b706 in WebCore::IndentOutdentCommand::formatSelection(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&)+0x36
#7 0x2da255a99 in WebCore::ApplyBlockElementCommand::doApply()+0x459
#8 0x2da2545c6 in WebCore::CompositeEditCommand::apply()+0x216
#9 0x2da313828 in WebCore::executeIndent(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&)+0xc8
#10 0x2da2d8d9b in WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const+0xdb
#11 0x2d9f61aa3 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)+0xf3
#12 0x2d7480189 in WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)+0x469
#13 0x2d732884b in long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)+0xfb
#14 0x2d7328748 in WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*)+0x8

<rdar://problem/66894117> Null Ptr Deref @ WebCore::Node::parentNode const+0
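The bug class named in the title, as an added illustration that is not WebKit's code and does not reproduce this bug: an ancestor walk over a DOM-like tree that assumes a given node is an ancestor and so never checks for reaching the top of the tree, beside the same walk guarded against the root. The `Node` struct, the tree shape and the function names (`childOfOuterUnguarded`, `childOfOuterGuarded`, `makeChain`) are hypothetical; the only relation to the stack above is the shape of the crash, a null `parentNode()` result dereferenced on the next iteration.

```cpp
// Added illustration (not WebKit code): a minimal DOM-like tree and an
// ancestor walk with and without a check for the top of the tree.
#include <memory>
#include <vector>

struct Node {
    Node* parent = nullptr;                      // nullptr at the top of the tree
    std::vector<std::unique_ptr<Node>> children;

    Node* appendChild() {
        children.push_back(std::make_unique<Node>());
        children.back()->parent = this;
        return children.back().get();
    }
    Node* parentNode() const { return parent; }
};

// Unguarded walk: returns the child of `outer` on the path up from `start`,
// assuming `outer` is an ancestor of `start`. If it is not, the loop reaches
// the root, parentNode() returns nullptr, and the next iteration dereferences
// it: a null pointer dereference inside parentNode().
Node* childOfOuterUnguarded(Node* start, Node* outer) {
    Node* n = start;
    while (n->parentNode() != outer)
        n = n->parentNode();
    return n;
}

// Guarded walk: stops when it runs off the top of the tree and reports
// "outer is not an ancestor" as nullptr instead of dereferencing it.
Node* childOfOuterGuarded(Node* start, Node* outer) {
    Node* n = start;
    while (n && n->parentNode() != outer)
        n = n->parentNode();
    return n;
}

// Builds the constructed tree root -> a -> b -> c and returns the root;
// `a` and `c` receive the corresponding nodes.
static std::unique_ptr<Node> makeChain(Node*& a, Node*& c) {
    auto root = std::make_unique<Node>();
    a = root->appendChild();
    Node* b = a->appendChild();
    c = b->appendChild();
    return root;
}

bool guardedFindsChildOfAncestor() {
    Node* a = nullptr; Node* c = nullptr;
    auto root = makeChain(a, c);
    return childOfOuterGuarded(c, root.get()) == a;
}

bool guardedReturnsNullWhenOuterIsNotAnAncestor() {
    Node* a = nullptr; Node* c = nullptr;
    auto root = makeChain(a, c);
    Node detached;   // a node in a separate tree, never an ancestor of c
    return childOfOuterGuarded(c, &detached) == nullptr;
}

bool unguardedWorksWhenOuterIsAnAncestor() {
    Node* a = nullptr; Node* c = nullptr;
    auto root = makeChain(a, c);
    // Calling childOfOuterUnguarded(c, &someDetachedNode) instead would
    // dereference nullptr; that is the case the guarded version handles.
    return childOfOuterUnguarded(c, root.get()) == a;
}

int main() {
    return (guardedFindsChildOfAncestor()
            && guardedReturnsNullWhenOuterIsNotAnAncestor()
            && unguardedWorksWhenOuterIsAnAncestor()) ? 0 : 1;
}
```

The guarded form turns an unreachable-root assumption into a checkable return value; the caller then has to decide what a nullptr means for the edit in progress rather than letting the walk crash.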
Attachments
Patch (2.50 KB, patch)
2020-10-23 12:28 PDT, Julian Gonzalez
no flags
Patch (6.07 KB, patch)
2020-10-26 13:21 PDT, Julian Gonzalez
no flags
Reduced test case (598 bytes, text/html)
2020-10-26 20:36 PDT, Ryosuke Niwa
no flags
Patch (4.89 KB, patch)
2020-10-27 15:49 PDT, Julian Gonzalez
no flags
Radar WebKit Bug Importer
Comment 1 2020-10-23 11:51:52 PDT
Julian Gonzalez
Comment 2 2020-10-23 12:28:42 PDT
Julian Gonzalez
Comment 3 2020-10-26 13:21:06 PDT
Ryosuke Niwa
Comment 4 2020-10-26 20:36:12 PDT
Created attachment 412383 [details] Reduced test case
Julian Gonzalez
Comment 5 2020-10-27 15:10:48 PDT
Thanks for the new test case! I will incorporate it into my patch - it should hopefully eliminate the test failure I see here (which I cannot reproduce locally).
Julian Gonzalez
Comment 6 2020-10-27 15:49:15 PDT
EWS
Comment 7 2020-10-28 22:26:14 PDT
Committed r269137: <https://trac.webkit.org/changeset/269137> All reviewed patches have been landed. Closing bug and clearing flags on attachment 412471 [details].
Ryosuke Niwa
Comment 8 2020-10-28 22:33:06 PDT
There is no security implication here.