RESOLVED FIXED Bug 220392
null ptr deref with ::highlight {background: red}
https://bugs.webkit.org/show_bug.cgi?id=220392
Summary null ptr deref with ::highlight {background: red}
Ryosuke Niwa
Reported 2021-01-06 17:16:31 PST
Created attachment 417142 [details] Test

AddressSanitizer: SEGV on unknown address 0x00000000000c (pc 0x0002274bf3c2 bp 0x7ffee9a9fe40 sp 0x7ffee9a9fe40 T0)
#0 0x2274bf3c2 in WTF::Vector<WTF::AtomString, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::size() const+0x22 (WebCore.framework/Versions/A/WebCore:x86_64+0x7d3c2)
#1 0x2274bf431 in WTF::Vector<WTF::AtomString, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::at(unsigned long) const+0x11 (WebCore.framework/Versions/A/WebCore:x86_64+0x7d431)
#2 0x22a9d198a in WTF::Vector<WTF::AtomString, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::first() const+0xa (WebCore.framework/Versions/A/WebCore:x86_64+0x358f98a)
#3 0x22a9cc7ed in WebCore::SelectorChecker::checkOne(WebCore::SelectorChecker::CheckingContext&, WebCore::SelectorChecker::LocalContext const&, WebCore::SelectorChecker::MatchType&) const+0x9ad (WebCore.framework/Versions/A/WebCore:x86_64+0x358a7ed)
#4 0x22a9ca7dd in WebCore::SelectorChecker::matchRecursively(WebCore::SelectorChecker::CheckingContext&, WebCore::SelectorChecker::LocalContext const&, WebCore::PseudoIdSet&) const+0x13d (WebCore.framework/Versions/A/WebCore:x86_64+0x35887dd)
#5 0x22a9ca33d in WebCore::SelectorChecker::match(WebCore::CSSSelector const&, WebCore::Element const&, WebCore::SelectorChecker::CheckingContext&) const+0x18d (WebCore.framework/Versions/A/WebCore:x86_64+0x358833d)
#6 0x22cdeedcf in WebCore::Style::ElementRuleCollector::ruleMatches(WebCore::Style::RuleData const&, unsigned int&)+0x43f (WebCore.framework/Versions/A/WebCore:x86_64+0x59acdcf)
#7 0x22cdec067 in WebCore::Style::ElementRuleCollector::collectMatchingRulesForList(WTF::Vector<WebCore::Style::RuleData, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const*, WebCore::Style::MatchRequest const&)+0x227 (WebCore.framework/Versions/A/WebCore:x86_64+0x59aa067)
#8 0x22cdebcc3 in WebCore::Style::ElementRuleCollector::collectMatchingRules(WebCore::Style::MatchRequest const&)+0x2f3 (WebCore.framework/Versions/A/WebCore:x86_64+0x59a9cc3)
#9 0x22cdecf34 in WebCore::Style::ElementRuleCollector::collectMatchingAuthorRules()+0xc4 (WebCore.framework/Versions/A/WebCore:x86_64+0x59aaf34)
#10 0x22cdece55 in WebCore::Style::ElementRuleCollector::matchAuthorRules()+0x15 (WebCore.framework/Versions/A/WebCore:x86_64+0x59aae55)
#11 0x22ce5b88c in WebCore::Style::Resolver::pseudoStyleForElement(WebCore::Element const&, WebCore::Style::PseudoElementRequest const&, WebCore::RenderStyle const&, WebCore::RenderStyle const*, WebCore::SelectorFilter const*)+0x2ac (WebCore.framework/Versions/A/WebCore:x86_64+0x5a1988c)
#12 0x22ce797c9 in WebCore::Style::TreeResolver::resolvePseudoStyle(WebCore::Element&, WebCore::Style::ElementUpdate const&, WebCore::PseudoId)+0x209 (WebCore.framework/Versions/A/WebCore:x86_64+0x5a377c9)
#13 0x22ce786b5 in WebCore::Style::TreeResolver::resolveElement(WebCore::Element&)+0x7f5 (WebCore.framework/Versions/A/WebCore:x86_64+0x5a366b5)
#14 0x22ce7a8ae in WebCore::Style::TreeResolver::resolveComposedTree()+0x55e (WebCore.framework/Versions/A/WebCore:x86_64+0x5a388ae)
#15 0x22ce7bc18 in WebCore::Style::TreeResolver::resolve()+0x4b8 (WebCore.framework/Versions/A/WebCore:x86_64+0x5a39c18)
#16 0x22ac09747 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType)+0x5b7 (WebCore.framework/Versions/A/WebCore:x86_64+0x37c7747)
#17 0x22ac0a6fb in WebCore::Document::updateStyleIfNeeded()+0x23b (WebCore.framework/Versions/A/WebCore:x86_64+0x37c86fb)
#18 0x22ac32e07 in WebCore::Document::finishedParsing()+0x247 (WebCore.framework/Versions/A/WebCore:x86_64+0x37f0e07)
#19 0x22b56de84 in WebCore::HTMLConstructionSite::finishedParsing()+0x24 (WebCore.framework/Versions/A/WebCore:x86_64+0x412be84)
#20 0x22b5d21dd in WebCore::HTMLTreeBuilder::finished()+0x1d (WebCore.framework/Versions/A/WebCore:x86_64+0x41901dd)
#21 0x22b576cb7 in WebCore::HTMLDocumentParser::end()+0x17 (WebCore.framework/Versions/A/WebCore:x86_64+0x4134cb7)
#22 0x22b574498 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd()+0x38 (WebCore.framework/Versions/A/WebCore:x86_64+0x4132498)
#23 0x22b57436a in WebCore::HTMLDocumentParser::prepareToStopParsing()+0x10a (WebCore.framework/Versions/A/WebCore:x86_64+0x413236a)
#24 0x22b576cff in WebCore::HTMLDocumentParser::attemptToEnd()+0x3f (WebCore.framework/Versions/A/WebCore:x86_64+0x4134cff)
#25 0x22b576dd9 in WebCore::HTMLDocumentParser::finish()+0x29 (WebCore.framework/Versions/A/WebCore:x86_64+0x4134dd9)
#26 0x22baf5400 in WebCore::DocumentWriter::end()+0x1a0 (WebCore.framework/Versions/A/WebCore:x86_64+0x46b3400)
#27 0x22baa5dbc in WebCore::DocumentLoader::finishedLoading()+0x2dc (WebCore.framework/Versions/A/WebCore:x86_64+0x4663dbc)
#28 0x22baa5739 in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&)+0x2c9 (WebCore.framework/Versions/A/WebCore:x86_64+0x4663739)
#29 0x22bc7a79f in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&)+0x17f (WebCore.framework/Versions/A/WebCore:x86_64+0x483879f)
#30 0x22bc74dee in WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&)+0x4e (WebCore.framework/Versions/A/WebCore:x86_64+0x4832dee)
#31 0x22bc766a8 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&)+0x258 (WebCore.framework/Versions/A/WebCore:x86_64+0x48346a8)
#32 0x22bbead92 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&)+0x732 (WebCore.framework/Versions/A/WebCore:x86_64+0x47a8d92)
#33 0x21a0d3c66 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&)+0x286 (WebKit.framework/Versions/A/WebKit:x86_64+0x20d1c66)
#34 0x21a7ad121 in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>&&, std::__1::integer_sequence<unsigned long, 0ul>)+0x61 (WebKit.framework/Versions/A/WebKit:x86_64+0x27ab121)
#35 0x21a7ad0a8 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>, std::__1::integer_sequence<unsigned long, 0ul> >(std::__1::tuple<WebCore::NetworkLoadMetrics>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&))+0x28 (WebKit.framework/Versions/A/WebKit:x86_64+0x27ab0a8)
#36 0x21a7aab16 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&))+0x146 (WebKit.framework/Versions/A/WebKit:x86_64+0x27a8b16)
#37 0x21a7aa123 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&)+0x1a3 (WebKit.framework/Versions/A/WebKit:x86_64+0x27a8123)
#38 0x21a0bfc0a in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0xfa (WebKit.framework/Versions/A/WebKit:x86_64+0x20bdc0a)
#39 0x2180a5b93 in IPC::Connection::dispatchMessage(IPC::Decoder&)+0x293 (WebKit.framework/Versions/A/WebKit:x86_64+0xa3b93)
#40 0x2180a7507 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)+0x167 (WebKit.framework/Versions/A/WebKit:x86_64+0xa5507)
#41 0x2180a8026 in IPC::Connection::dispatchOneIncomingMessage()+0x196 (WebKit.framework/Versions/A/WebKit:x86_64+0xa6026)
#42 0x2180c65f5 in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_8::operator()()+0x35 (WebKit.framework/Versions/A/WebKit:x86_64+0xc45f5)
#43 0x2180c655c in WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_8, void>::call()+0xc (WebKit.framework/Versions/A/WebKit:x86_64+0xc455c)
#44 0x2472725ce in WTF::Function<void ()>::operator()() const+0x3e (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x385ce)
#45 0x24730ba28 in WTF::RunLoop::performWork()+0x228 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xd1a28)
#46 0x24730ed45 in WTF::RunLoop::performWork(void*)+0xb5 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xd4d45)

<rdar://problem/72094069>
Attachments
Test (47 bytes, text/html)
2021-01-06 17:16 PST, Ryosuke Niwa
no flags
Patch (3.12 KB, patch)
2021-01-12 01:14 PST, Rob Buis
no flags
Rob Buis
Comment 1 2021-01-11 12:03:12 PST
This should be simple to fix: --- a/Source/WebCore/css/SelectorChecker.cpp +++ b/Source/WebCore/css/SelectorChecker.cpp @@ -1143,7 +1143,7 @@ bool SelectorChecker::checkOne(CheckingContext& checkingContext, const LocalCont // Always matches when not specifically requested so it gets added to the pseudoIdSet. if (checkingContext.pseudoId == PseudoId::None) return true; - if (checkingContext.pseudoId != PseudoId::Highlight) + if (checkingContext.pseudoId != PseudoId::Highlight || !selector.argumentList()) return false; return selector.argumentList()->first() == checkingContext.nameForHightlightPseudoElement; I'll make a patch tomorrow. It does not look like a security bug to me.
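Review bot: the added `|| !selector.argumentList()` guard only covers a null argument list, while `selector.argumentList()->first()` on the following line is still called without checking that the list is non-empty; unless the CSS parser guarantees that a `::highlight()` selector always carries at least one argument, widen the check to `!selector.argumentList() || selector.argumentList()->isEmpty()` so an empty list does not hit the same `Vector::first()` frame as the reported trace. The 47-byte test attached to the report should also land with the patch as a layout test so the bare `::highlight {background: red}` case stays covered.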
Rob Buis
Comment 2 2021-01-12 01:14:22 PST
Ryosuke Niwa
Comment 3 2021-01-12 20:19:41 PST
Looks like this is not a security issue?
Rob Buis
Comment 4 2021-01-12 22:12:28 PST
(In reply to Ryosuke Niwa from comment #3)
> Looks like this is not a security issue?

Indeed, AFAICS this is not a security issue.
EWS
Comment 5 2021-01-13 13:04:17 PST
Committed r271451: <https://trac.webkit.org/changeset/271451>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 417440 [details].