[Webkit-unassigned] [Bug 65015] New: Range can contain NULL node, which is not handled correctly

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jul 22 00:41:28 PDT 2011 

https://bugs.webkit.org/show_bug.cgi?id=65015

           Summary: Range can contain NULL node, which is not handled
                    correctly
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Windows Vista
            Status: NEW
          Severity: Normal
          Priority: P1
         Component: HTML DOM
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: skylined at chromium.org
                CC: eric at webkit.org


Created an attachment (id=101702)
 --> (https://bugs.webkit.org/attachment.cgi?id=101702&action=review)
Repro

Chromium: https://code.google.com/p/chromium/issues/detail?id=90147

Repro:
<body onload="go()"></body>
<script>
  function go() {
    var oBodyImported = document.importNode(document.body,false);
    document.body.appendChild(oBodyImported);
    var oRange1 = document.createRange();
    var oRange2 = document.createRange();
    document.body=document.activeElement;
    var oDocumentFragment = document.createDocumentFragment();
    oRange1.setStartBefore(oBodyImported);
    oRange1.insertNode(oDocumentFragment);
    oRange2.setStart(document.body,0);
    oRange2.surroundContents(oBodyImported);
    ''+oRange1;
  }
</script>

The range oRange1 ends up containing a NULL node, among valid nodes. This is probably not supposed to happen, as some of the range's methods that access the nodes do not handle this correctly. In the repro, we end up executing this code:

String Range::toString(ExceptionCode& ec) const
{
    if (!m_start.container()) {
        ec = INVALID_STATE_ERR;
        return String();
    }

    StringBuilder builder;

    Node* pastLast = pastLastNode();
    for (Node* n = firstNode(); n != pastLast; n = n->traverseNextNode()) {
        if (n->nodeType() == Node::TEXT_NODE || n->nodeType() == Node::CDATA_SECTION_NODE) {
            String data = static_cast<CharacterData*>(n)->data();
            int length = data.length();
            int start = (n == m_start.container()) ? min(max(0, m_start.offset()), length) : 0;
            int end = (n == m_end.container()) ? min(max(start, m_end.offset()), length) : length;
            builder.append(data.characters() + start, end - start);
        }
    }

    return builder.toString();
}

"n" goes through the nodes, which includes the NULL node. This causes a NULL ptr when the code tries to access n->nodeType(). The fact that the code loops through the nodes using n->traverseNextNode() signals that NULL nodes are probably not supposed to be part of a range.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list