RESOLVED FIXED 249862
VisibleSelection::nonBoundaryShadowTreeRootNode should return null when its anchor is a shadow root
https://bugs.webkit.org/show_bug.cgi?id=249862
Ahmad Saleem
Reported 2022-12-24 02:50:09 PST
Hi Team, just going through Blink, I came across another heap-use-after-free bug which is not fixed here, while it was fixed in Chrome / Blink. I don't know whether it is applicable to WebKit or not, or whether we have other fixes which render it useless, but I just wanted to raise it behind the curtain to get input. I have already messaged rniwa on Slack to get his input.
Blink Commit - https://src.chromium.org/viewvc/blink?view=revision&revision=188788
WebKit Source - https://github.com/WebKit/WebKit/blob/8174a9300cd8edff3c4fc20f5c8d62cd4fa927a9/Source/WebCore/editing/VisibleSelection.cpp#L687
Just wanted to raise it so WebKit can be more awesome. Thanks!
Radar WebKit Bug Importer
Comment 1 2022-12-24 02:50:20 PST
Ryosuke Niwa
Comment 2 2023-01-05 01:57:43 PST
We've mitigated this in some other way.
Chris Dumez
Comment 3 2023-08-01 09:42:04 PDT
Even though we don't have a security bug here, the Blink test case still hits an assertion in our code in debug builds, and our selection behavior differs from Chrome and Firefox. We probably still want to cherry-pick the fix.
Chris Dumez
Comment 4 2023-08-01 09:47:25 PDT
EWS
Comment 5 2023-08-01 21:21:17 PDT
Committed 266505@main (786e20b52145): <https://commits.webkit.org/266505@main>
Reviewed commits have been landed. Closing PR #16274 and removing active labels.