NEW 248698
ASSERTION FAILED: positionOffset <= node->length()
https://bugs.webkit.org/show_bug.cgi?id=248698
Summary ASSERTION FAILED: positionOffset <= node->length()
Ahmad Saleem
Reported 2022-12-02 17:25:27 PST
Hi Team, I am not sure whether we have any security implication because of this or not, but in Blink it was deemed as security and even had a reward associated with it. So I am raising it as Security here as well; if it is not an issue, please ignore:

Blink Commit - https://src.chromium.org/viewvc/blink?view=revision&revision=189274
Webkit GitHub Source - https://github.com/WebKit/WebKit/blob/6d72ef261e4ac4407332fa74197a5c58a554904c/Source/WebCore/editing/FrameSelection.cpp#L677
Chrome Bug - https://bugs.chromium.org/p/chromium/issues/detail?id=383777

I'd appreciate it if someone can have a look and, if needed, do due process to fix this. Thanks!
Attachments
Test case (309 bytes, text/html) - 2022-12-06 23:04 PST, Ryosuke Niwa - no flags
Radar WebKit Bug Importer
Comment 1 2022-12-02 17:25:39 PST
Ryosuke Niwa
Comment 2 2022-12-06 23:02:36 PST
I'm pretty sure this isn't a real security bug as noted in this comment: https://bugs.chromium.org/p/chromium/issues/detail?id=383777#c67
Ryosuke Niwa
Comment 3 2022-12-06 23:04:17 PST
Created attachment 463914 [details] Test case
Ryosuke Niwa
Comment 4 2022-12-06 23:05:27 PST
Hm... we're hitting this assertion in TextIterator.cpp:
ASSERT(targetLocation - location <= downcast<Text>(textRunRange.start.container.get()).length());
So this could be an arbitrary read gadget.
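The invariant both assertions on this page guard is that a position's offset never exceeds the length of the text node it refers to; in a release build the ASSERT compiles out, so whatever consumes the offset must check it itself or risk reading past the node's character data. The following is an added illustration, not WebKit's code: the TextNode and Position types, and the textBetween function, are hypothetical stand-ins for the DOM text node and the (container, offset) position, showing the check done explicitly and a stale offset being rejected instead of used.

```cpp
#include <cstddef>
#include <optional>
#include <string>

// Hypothetical stand-in for a DOM Text node: just the character data.
struct TextNode {
    std::u16string data;
    size_t length() const { return data.size(); }
};

// A position is (node, offset), offset counted in UTF-16 code units, and it is
// only meaningful while 0 <= offset <= node->length() holds.
struct Position {
    const TextNode* node;
    size_t offset;
};

// Returns the characters between two positions in the same node, or nullopt if
// either offset lies outside the node. This is the same condition the page's
// assertion (positionOffset <= node->length()) expresses; without the explicit
// check, end.offset - start.offset could exceed the remaining data and the
// substring call would read beyond the buffer.
std::optional<std::u16string> textBetween(const Position& start, const Position& end) {
    if (start.node == nullptr || start.node != end.node)
        return std::nullopt;
    const size_t len = start.node->length();
    if (start.offset > len || end.offset > len || start.offset > end.offset)
        return std::nullopt;
    return start.node->data.substr(start.offset, end.offset - start.offset);
}

// Valid range on a fresh node: offsets 3..7 of "hello world" select "lo w".
std::u16string validSliceDemo() {
    TextNode node{u"hello world"};
    return textBetween(Position{&node, 3}, Position{&node, 7}).value_or(u"");
}

// Simulates the failure mode: the node's data shrinks after the position was
// computed, so the cached offset no longer satisfies the invariant. The checked
// accessor refuses the range rather than reading past the new, shorter data.
bool staleOffsetIsRejected() {
    TextNode node{u"hello world"};
    Position cached{&node, 11};  // valid at this moment: offset == length
    node.data = u"hi";           // mutation invalidates 'cached'
    return !textBetween(Position{&node, 0}, cached).has_value();
}
```

The stale-offset case mirrors what a selection or iterator position looks like after the DOM under it has been edited; in a debug build the ASSERT fires, and the point of the explicit check is that a release build fails closed the same way instead of silently computing an over-long range.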
Ryosuke Niwa
Comment 5 2022-12-06 23:39:34 PST
No ASAN failures, however.
Ryosuke Niwa
Comment 6 2022-12-07 00:40:12 PST
I'm pretty sure this is just an assertion failure.
Ryosuke Niwa
Comment 7 2022-12-07 00:50:03 PST