Bug 227173 - Crash in SharedBuffer::data
Summary: Crash in SharedBuffer::data
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: XML
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Rob Buis
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-06-18 11:33 PDT by Ali Juma
Modified: 2021-06-29 02:39 PDT
CC: 15 users

See Also:


Attachments
Minimized test case (671 bytes, text/html)
2021-06-18 11:33 PDT, Ali Juma
no flags
Patch (1.19 KB, patch)
2021-06-26 12:34 PDT, Rob Buis
no flags
Patch (3.40 KB, patch)
2021-06-27 00:40 PDT, Rob Buis
no flags
Patch (3.49 KB, patch)
2021-06-29 01:37 PDT, Rob Buis
no flags

Description Ali Juma 2021-06-18 11:33:59 PDT
Created attachment 431782 [details]
Minimized test case

Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug.

This reproduces in an ASan build of WebKitTestRunner.

Stack:
=================================================================
==61712==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x000116559c32 bp 0x7ffeee5b32a0 sp 0x7ffeee5b32a0 T0)
==61712==The signal is caused by a READ memory access.
==61712==Hint: address points to the zero page.
    #0 0x116559c31 in WTF::Vector<WebCore::SharedBuffer::DataSegmentVectorEntry, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::size() const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x1ee4c31)
    #1 0x1190dd218 in WTF::Vector<WebCore::SharedBuffer::DataSegmentVectorEntry, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::isEmpty() const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4a68218)
    #2 0x1190dd1d5 in WebCore::SharedBuffer::data() const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4a681d5)
    #3 0x11a6c42dd in WebCore::openFunc(char const*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x604f2dd)
    #4 0x7fff66c34880 in __xmlParserInputBufferCreateFilename (/usr/lib/libxml2.2.dylib:x86_64+0x75880)
    #5 0x7fff66c0b6e6 in xmlNewInputFromFile (/usr/lib/libxml2.2.dylib:x86_64+0x4c6e6)
    #6 0x7fff66c352f4 in xmlDefaultExternalEntityLoader (/usr/lib/libxml2.2.dylib:x86_64+0x762f4)
    #7 0x7fff66c3503b in xmlLoadExternalEntity (/usr/lib/libxml2.2.dylib:x86_64+0x7603b)
    #8 0x7fff66c1b46f in xmlSAX2ResolveEntity (/usr/lib/libxml2.2.dylib:x86_64+0x5c46f)
    #9 0x7fff66bc8a29 in xmlSAX2ExternalSubset (/usr/lib/libxml2.2.dylib:x86_64+0x9a29)
    #10 0x7fff66bdc7e7 in xmlParseDocument (/usr/lib/libxml2.2.dylib:x86_64+0x1d7e7)
    #11 0x7fff66bdc44b in xmlDoRead (/usr/lib/libxml2.2.dylib:x86_64+0x1d44b)
    #12 0x11a6c23cd in WebCore::xmlDocPtrForString(WebCore::CachedResourceLoader&, WTF::String const&, WTF::String const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x604d3cd)
    #13 0x11a6b2eaf in WebCore::xmlDocPtrFromNode(WebCore::Node&, bool&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x603deaf)
    #14 0x11a6b16a9 in WebCore::XSLTProcessor::transformToString(WebCore::Node&, WTF::String&, WTF::String&, WTF::String&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x603c6a9)
    #15 0x11a6b12e0 in WebCore::XSLTProcessor::transformToDocument(WebCore::Node*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x603c2e0)
    #16 0x1163cf4b0 in WebCore::jsXSLTProcessorPrototypeFunction_transformToDocumentBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSXSLTProcessor*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x1d5a4b0)
    #17 0x1163cf20b in long long WebCore::IDLOperation<WebCore::JSXSLTProcessor>::call<&(WebCore::jsXSLTProcessorPrototypeFunction_transformToDocumentBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSXSLTProcessor*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x1d5a20b)
    #18 0x4736b48011d7  (<unknown module>)
    #19 0x1331045af in llint_entry (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc595af)
    #20 0x1330e93e8 in vmEntryToJavaScript (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc3e3e8)
    #21 0x1349086a2 in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x245d6a2)
    #22 0x135206fbd in JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2d5bfbd)
    #23 0x135207267 in JSC::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2d5c267)
    #24 0x11758d629 in WebCore::JSExecState::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x2f18629)
    #25 0x11758ce29 in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x2f17e29)
    #26 0x11758ca1d in WebCore::ScriptController::evaluateInWorldIgnoringException(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x2f17a1d)
    #27 0x117eb568b in WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x384068b)
    #28 0x117eb2d99 in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x383dd99)
    #29 0x11861c34e in WebCore::HTMLScriptRunner::runScript(WebCore::ScriptElement&, WTF::TextPosition const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3fa734e)
    #30 0x11861c024 in WebCore::HTMLScriptRunner::execute(WTF::Ref<WebCore::ScriptElement, WTF::RawPtrTraits<WebCore::ScriptElement> >&&, WTF::TextPosition const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3fa7024)
    #31 0x1185fda59 in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3f88a59)
    #32 0x1185fe0c3 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3f890c3)
    #33 0x1185fd13b in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3f8813b)
    #34 0x1185ff048 in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl, WTF::RawPtrTraits<WTF::StringImpl>, WTF::DefaultRefDerefTraits<WTF::StringImpl> >&&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3f8a048)
    #35 0x117c795e5 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x36045e5)
    #36 0x118aed5eb in WebCore::DocumentWriter::end() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x44785eb)
    #37 0x118aec1b6 in WebCore::DocumentLoader::finishedLoading() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x44771b6)
    #38 0x118aeb9e4 in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x44769e4)
    #39 0x118cbcfaf in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4647faf)
    #40 0x118cb8eb8 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4643eb8)
    #41 0x118c2d482 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x45b8482)
    #42 0x106d6e7cf in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x23a87cf)
    #43 0x107488020 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x2ac2020)
    #44 0x107487677 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x2ac1677)
    #45 0x106d31a6a in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x236ba6a)
    #46 0x104a59989 in IPC::Connection::dispatchMessage(IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x93989)
    #47 0x104a5a3bc in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x943bc)
    #48 0x104a5af84 in IPC::Connection::dispatchOneIncomingMessage() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x94f84)
    #49 0x132583e5c in WTF::RunLoop::performWork() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xd8e5c)
    #50 0x132587575 in WTF::RunLoop::performWork(void*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xdc575)
    #51 0x7fff2d644883 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x84883)
    #52 0x7fff2d644822 in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x84822)
    #53 0x7fff2d64463c in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x8463c)
    #54 0x7fff2d643358 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x83358)
    #55 0x7fff2d642952 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x82952)
    #56 0x7fff2fd001c7 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x601c7)
    #57 0x7fff2fdb2c6e in -[NSRunLoop(NSRunLoop) run] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x112c6e)
    #58 0x7fff679ff4e9 in _xpc_objc_main.cold.4 (/usr/lib/system/libxpc.dylib:x86_64+0x164e9)
    #59 0x7fff679ff42f in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x1642f)
    #60 0x7fff679fef62 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0x15f62)
    #61 0x105a25743 in WebKit::XPCServiceMain(int, char const**) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x105f743)
    #62 0x7fff677adcc8 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1acc8)
==61712==Register values:
rax = 0x0000000000000000  rbx = 0x0000000000000000  rcx = 0x0000100000000003  rdx = 0x0000000000000000
rdi = 0x000000000000001c  rsi = 0x0000000000000018  rbp = 0x00007ffeee5b32a0  rsp = 0x00007ffeee5b32a0
 r8 = 0x0000200000000000   r9 = 0x00000fffffffffff  r10 = 0x0000000000000000  r11 = 0xffffffffffffffff
r12 = 0x00006030000b4880  r13 = 0x00001fffddcb66a4  r14 = 0x0000000000000010  r15 = 0x00001fffddcb665c
=====================================
Clusterfuzz-id: 5702605551239168
Comment 1 Radar WebKit Bug Importer 2021-06-18 11:34:17 PDT
<rdar://problem/79509903>
Comment 2 Rob Buis 2021-06-26 12:34:53 PDT
Created attachment 432333 [details]
Patch
Comment 3 Ryosuke Niwa 2021-06-26 13:44:50 PDT
Comment on attachment 432333 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=432333&action=review

> Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:493
> +    if (!data)
> +        return new OffsetBuffer({ });

Hm... it looks like we want to be returning &globalDescriptor instead in these early exits?
Comment 4 Rob Buis 2021-06-26 14:05:41 PDT
Comment on attachment 432333 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=432333&action=review

>> Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:493
>> +        return new OffsetBuffer({ });
> 
> Hm... it looks like we want to be returning &globalDescriptor instead in these early exits?

I am no XSLT expert, but I think what causes the null data is the fact the xslt sheet is empty, and I assumed that is not an error. Then again there may be cases where null data hints at an error? I am fine either way, will add a test case tomorrow since this does not seem to be a security problem.
Comment 5 Rob Buis 2021-06-27 00:40:26 PDT
Created attachment 432347 [details]
Patch
Comment 6 Ryosuke Niwa 2021-06-27 13:39:22 PDT
Comment on attachment 432347 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=432347&action=review

> Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:494
> +    if (!data)
> +        return &globalDescriptor;
> +
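Review bot: the early return at line 494 is the right fix for the null dereference the ASan stack shows inside SharedBuffer::data, but the reason it returns &globalDescriptor rather than allocating should be stated in a code comment: closeFunc frees every context except globalDescriptor (comment 7), so a reader of openFunc alone cannot tell why this path skips the OffsetBuffer the success path creates. A one-line comment along the lines of `// Nothing to read; hand libxml2 the shared descriptor, which closeFunc leaves alone.` would cover it, and the new layout test should drive the empty-stylesheet case that produces the null data (comment 4).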

Is the difference between returning empty OffsetBuffer vs returning globalDescriptor observable to scripts?
If so, what do other browsers do?
Comment 7 Rob Buis 2021-06-28 02:52:27 PDT
Comment on attachment 432347 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=432347&action=review

>> Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:494
>> +
> 
> Is the difference between returning empty OffsetBuffer vs returning globalDescriptor observable to scripts?
> If so, what do other browsers do?

I do not think so; either way the returned document is:
<html xmlns="http://www.w3.org/1999/xhtml"><body><parsererror style="display: block; white-space: pre; border: 2px solid #c77; padding: 0 1em 0 1em; margin: 1em; background-color: #fdd; color: black"><h3>This page contains the following errors:</h3><div style="font-family:monospace;font-size:12px">error on line 1 at column 1: Document is empty
</div><h3>Below is a rendering of the page up to the first error.</h3></parsererror></body></html>

There is a difference in behaviour in closeFunc. closeFunc cleans up the context/data if it is not equal to globalDescriptor; in our case it is more efficient not to allocate the OffsetBuffer in the first place, though, so I think returning globalDescriptor is the best option.
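A minimal model of the open/close callback pair discussed in comments 3 to 7, added here as an example and not WebKit's own code: it keeps the names openFunc, closeFunc and globalDescriptor from the patch, and uses simplified stand-ins for SharedBuffer, OffsetBuffer and the resource loader (all constructed for this example).

```cpp
#include <cstring>
#include <memory>
#include <string>
#include <vector>

// Stand-in for WebCore::SharedBuffer: the bytes of a fetched resource.
struct SharedBuffer {
    std::vector<char> bytes;
    const char* data() const { return bytes.data(); }
    size_t size() const { return bytes.size(); }
};
// Stand-in for OffsetBuffer: the read cursor libxml2 pulls from, owned by openFunc/closeFunc.
struct OffsetBuffer {
    std::vector<char> bytes;
    size_t offset = 0;
    explicit OffsetBuffer(const std::vector<char>& b) : bytes(b) {}
    int readOutTo(char* out, int len) {
        size_t remaining = bytes.size() - offset;
        size_t n = remaining < static_cast<size_t>(len) ? remaining : static_cast<size_t>(len);
        std::memcpy(out, bytes.data() + offset, n);
        offset += n;
        return static_cast<int>(n);
    }
};
// Shared sentinel context handed back when there is nothing to read; closeFunc must never free it.
static int globalDescriptor = 0;

// Constructed loader stand-in: the empty stylesheet from the bug yields no SharedBuffer at all.
static std::shared_ptr<SharedBuffer> loadResource(const std::string& uri) {
    if (uri == "empty.xsl")
        return nullptr;
    auto buffer = std::make_shared<SharedBuffer>();
    std::string body = "<xsl:stylesheet/>";
    buffer->bytes.assign(body.begin(), body.end());
    return buffer;
}

// Open callback. Without the null check, data->data() runs on a null SharedBuffer: the zero-page read ASan shows in SharedBuffer::data.
void* openFunc(const char* uri) {
    auto data = loadResource(uri);
    if (!data)                    // the patch's check: nothing to read, nothing allocated
        return &globalDescriptor;
    return new OffsetBuffer(std::vector<char>(data->data(), data->data() + data->size()));
}
// Close callback: frees only what openFunc allocated and skips the sentinel (comment 7).
int closeFunc(void* context) {
    if (context != &globalDescriptor)
        delete static_cast<OffsetBuffer*>(context);
    return 0;
}

// Drives one load the way libxml2 would (open, drain, close) and returns the bytes read,
// so an empty stylesheet yields an empty string instead of a crash.
std::string readThroughCallbacks(const char* uri) {
    void* context = openFunc(uri);
    std::string out;
    if (context != &globalDescriptor) {
        char chunk[8];
        for (int n; (n = static_cast<OffsetBuffer*>(context)->readOutTo(chunk, sizeof chunk)) > 0;)
            out.append(chunk, static_cast<size_t>(n));
    }
    closeFunc(context);
    return out;
}
```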
Comment 8 Ryosuke Niwa 2021-06-28 14:01:30 PDT
Comment on attachment 432347 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=432347&action=review

> Source/WebCore/ChangeLog:3
> +        Null check data in openFunc

Please make this match the bug title.

> LayoutTests/ChangeLog:3
> +        Null check data in openFunc

Ditto.

> LayoutTests/fast/xsl/xslt-transformToDocument-crash.html:6
> +  var processor = new XSLTProcessor();

Use const here and for the rest of the variable declarations?
Comment 9 Rob Buis 2021-06-29 01:37:26 PDT
Created attachment 432459 [details]
Patch
Comment 10 EWS 2021-06-29 02:39:07 PDT
Committed r279370 (239236@main): <https://commits.webkit.org/239236@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 432459 [details].