InsertParagraph command crashes with ill-formed DOM tree
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6112190984880128

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000000
Crash State:
  blink::EditingIgnoresContent
  blink::InsertParagraphSeparatorCommand::DoApply
  blink::CompositeEditCommand::ApplyCommandToComposite

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=456190:456233

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6112190984880128

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Sep 16 2017
Sep 18 2017
Sep 25 2017
Oct 1 2017
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
Oct 1 2017
Oct 2 2017
The NextAction date has arrived: 2017-10-02
Oct 3 2017
Minimized repro:
<html style="user-select:none">
<table contenteditable></table>
<script>
document.querySelector('table').innerHTML = '<h1>foo</h1><img>bar';
let bar = document.querySelector('img').nextSibling;
getSelection().collapse(bar, 3);
document.execCommand('insertParagraph');
</script>
Crashes on 'insertParagraph' with an ill-formed DOM:
BODY
  TABLE (editable) (focused)
    H1 (editable)
      #text "foo"
    IMG (editable)
    BE #text "bar"
base: offsetInAnchor[3]
extent: offsetInAnchor[3]
Oct 3 2017
Lowering to Pri-3 since the bug repros only with an ill-formed DOM tree, in which case a null-deref isn't very harmful. The crash reason is that, at L469 of InsertParagraphSeparatorCommand.cpp, |insert_position| is unexpectedly null. The edit command should abort here before calling EditingIgnoresContent(*insertion_position.AnchorNode()). Routing back to the editing team to create the patch as I'm working on something else...
Oct 3 2017
Oct 9 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/886107a6b1911f6df1054f1041207a5a6368b018

commit 886107a6b1911f6df1054f1041207a5a6368b018
Author: tanvir.rizvi <tanvir.rizvi@samsung.com>
Date: Mon Oct 09 15:32:46 2017

InsertParagraph command crashes with ill-formed tree

On a user-select:none container, InsertParagraph on a non selectable element like <img> boundary causes crash as canonicalized position for this comes as null. This CL does a safety check for the visible position to avoid the crash.

Bug: 765718
Change-Id: Ifb9575396e91d46fdf9841a9568df4462e914f2c
Reviewed-on: https://chromium-review.googlesource.com/704496
Commit-Queue: Tanvir Rizvi <tanvir.rizvi@samsung.com>
Reviewed-by: Xiaocheng Hu <xiaochengh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#507380}

[add] https://crrev.com/886107a6b1911f6df1054f1041207a5a6368b018/third_party/WebKit/LayoutTests/editing/inserting/insertparagraph-seperator-on-non-selectable-node.html
[modify] https://crrev.com/886107a6b1911f6df1054f1041207a5a6368b018/third_party/WebKit/Source/core/editing/commands/InsertParagraphSeparatorCommand.cpp
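The triage comment above and the commit message both describe the same defect: the canonicalized insertion position comes back null for the non-selectable boundary inside a user-select:none container, and the command dereferenced its anchor node without checking. The following is an added example, not Blink's code: a small stand-in model of that guard. The Node, Position and Tree types, the canonicalization rule, and the names BuildReproTree, CanonicalPositionOf and InsertParagraphSeparator are assumptions chosen to mirror the minimized repro, not Blink's real API.

```cpp
// Added example (not Blink's code): a simplified model of the null-position
// guard the fix adds. Types and the canonicalization rule are assumptions.
#include <iostream>
#include <memory>
#include <string>
#include <vector>

struct Node {
  std::string name;               // "TABLE", "IMG", "#text", ...
  bool editable = false;          // contenteditable (inherited)
  bool user_select_none = false;  // assumed: user-select:none on this node
  Node* parent = nullptr;
};

// A DOM position: anchor node plus offset, like "offsetInAnchor[3]" above.
struct Position {
  Node* anchor = nullptr;
  int offset = 0;
  bool IsNull() const { return anchor == nullptr; }
};

// Owns the nodes of a constructed tree and remembers the #text "bar" node
// that the repro collapses the selection into.
struct Tree {
  std::vector<std::unique_ptr<Node>> nodes;
  Node* bar = nullptr;

  Node* Add(const std::string& name, Node* parent, bool editable,
            bool user_select_none) {
    nodes.emplace_back(new Node());
    Node* n = nodes.back().get();
    n->name = name;
    n->editable = editable;
    n->user_select_none = user_select_none;
    n->parent = parent;
    return n;
  }
};

// Constructed tree mirroring the dump in the report:
// HTML > BODY > TABLE(editable) > { H1 > "foo", IMG, "bar" }.
// With |user_select_none| true, HTML carries user-select:none as in the repro.
Tree BuildReproTree(bool user_select_none) {
  Tree t;
  Node* html = t.Add("HTML", nullptr, false, user_select_none);
  Node* body = t.Add("BODY", html, false, false);
  Node* table = t.Add("TABLE", body, true, false);
  Node* h1 = t.Add("H1", table, true, false);
  t.Add("#text", h1, true, false);             // "foo"
  t.Add("IMG", table, true, false);
  t.bar = t.Add("#text", table, true, false);  // "bar"
  return t;
}

static bool UnderUserSelectNone(const Node* n) {
  for (; n; n = n->parent)
    if (n->user_select_none) return true;
  return false;
}

// Assumed rule: a position is visible only if its anchor is editable text
// outside any user-select:none subtree; otherwise the result is the null
// position, which is what the thread reports for the repro.
Position CanonicalPositionOf(const Position& p) {
  if (p.IsNull() || !p.anchor->editable || p.anchor->name != "#text" ||
      UnderUserSelectNone(p.anchor))
    return Position{};
  return p;
}

enum class ApplyResult { kAborted, kApplied };

// Models the command's DoApply step. The pre-fix shape dereferenced
// canon.anchor unconditionally; the early return is the check the fix adds.
ApplyResult InsertParagraphSeparator(const Position& insertion,
                                     std::string* split_at) {
  Position canon = CanonicalPositionOf(insertion);
  if (canon.IsNull())
    return ApplyResult::kAborted;  // abort before touching the anchor node
  *split_at = canon.anchor->name;  // safe: anchor is non-null here
  return ApplyResult::kApplied;
}

// Ill-formed repro tree: the command must abort instead of crashing.
bool ReproAborts() {
  Tree t = BuildReproTree(true);
  std::string split;
  return InsertParagraphSeparator(Position{t.bar, 3}, &split) ==
         ApplyResult::kAborted;
}

// Same tree without user-select:none: the command proceeds normally.
bool WellFormedApplies() {
  Tree t = BuildReproTree(false);
  std::string split;
  return InsertParagraphSeparator(Position{t.bar, 3}, &split) ==
             ApplyResult::kApplied && split == "#text";
}

int main() {
  std::cout << "repro aborts: " << ReproAborts()
            << ", well-formed applies: " << WellFormedApplies() << "\n";
}
```

The point of the model is the ordering: the null check sits between computing the canonical position and the first dereference, so an ill-formed tree makes the command a no-op rather than a crash, while a well-formed tree is unaffected.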
Oct 10 2017
ClusterFuzz has detected this issue as fixed in range 507375:507388.

Detailed report: https://clusterfuzz.com/testcase?key=6112190984880128

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000000
Crash State:
  blink::EditingIgnoresContent
  blink::InsertParagraphSeparatorCommand::DoApply
  blink::CompositeEditCommand::ApplyCommandToComposite

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=456190:456233
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=507375:507388

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6112190984880128

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 10 2017
ClusterFuzz testcase 6112190984880128 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by msrchandra@chromium.org, Sep 15 2017
Components: Blink>Editing
Labels: Test-Predator-Wrong M-63
Owner: xiaoche...@chromium.org
Status: Assigned (was: Untriaged)