Permalink
Show file tree
Hide file tree
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
[iOS] nullptr deref in FileInputType::iconLoaded when the input's typ…
…e attribute is modified by a change event listener https://bugs.webkit.org/show_bug.cgi?id=208244 <rdar://problem/41855350> Reviewed by Wenson Hsieh. Source/WebCore: When an <input> element's type attribute changes, its existing InputType is detached from the HTMLInputElement by nulling InputType::m_element. When FileInputType::filesChosen is called, it dispatches the input and change events, which can run arbitrary JavaScript that might modify the element's type attribute. If this happens, FileInputType::m_element will be null after returning from FileInputType::setFiles and if there is an icon will be dereferenced by FileInputType::iconLoaded. Fixed this by checking for a non-null m_element before calling iconLoaded. While here, also fixed a bug where we sometimes checked the length of m_fileList before FileListCreator had finished setting m_fileList. This bug resulted in missing file icons whenever an <input type=file> had the webkitdirectory attribute. Tests: fast/forms/file/file-input-type-detached-on-change.html fast/forms/file/file-input-webkitdirectory-icon.html * html/FileInputType.cpp: (WebCore::FileInputType::filesChosen): Tools: * DumpRenderTree/TestRunner.cpp: (SetOpenPanelFilesMediaIconCallback): (TestRunner::staticFunctions): * WebKitTestRunner/InjectedBundle/TestRunner.cpp: (WTR::TestRunner::setOpenPanelFilesMediaIcon): LayoutTests: * fast/forms/file/file-input-type-detached-on-change-expected.txt: Added. * fast/forms/file/file-input-type-detached-on-change.html: Added. * fast/forms/file/file-input-webkitdirectory-icon-expected.html: Added. * fast/forms/file/file-input-webkitdirectory-icon.html: Added. * fast/forms/file/file-reset-in-change-using-open-panel-with-icon.html: * fast/forms/file/open-file-panel-crash.html: * fast/forms/file/resources/file-icon-bytes.js: Added. Canonical link: https://commits.webkit.org/225874@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@262918 268f45cc-cd09-0410-ab3c-d52691b4dbfc
- Loading branch information
Showing
14 changed files
with
210 additions
and
25 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @@ -0,0 +1,11 @@ | ||
| OPEN FILE PANEL | ||
| Changing an input element's type attribute in the change event should not cause a crash. To test manually, activate the file input and choose a file. | ||
|
|
||
| On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". | ||
|
|
||
|
|
||
| PASS Did not crash. | ||
| PASS successfullyParsed is true | ||
|
|
||
| TEST COMPLETE | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @@ -0,0 +1,31 @@ | ||
| <!DOCTYPE html> | ||
| <html> | ||
| <head> | ||
| <script src=../../../resources/js-test-pre.js></script> | ||
| <script src=../../../resources/ui-helper.js></script> | ||
| <script src=resources/file-icon-bytes.js></script> | ||
| </head> | ||
| <body> | ||
| <input type=file> | ||
| <script> | ||
| jsTestIsAsync = true; | ||
| description("Changing an input element's type attribute in the change event should not cause a crash. To test manually, activate the file input and choose a file."); | ||
|
|
||
| const fileInput = document.querySelector('input[type=file]'); | ||
| fileInput.addEventListener('change', () => { | ||
| fileInput.type = ''; | ||
| setTimeout(() => { | ||
| testPassed('Did not crash.'); | ||
| finishJSTest(); | ||
| }, 0); | ||
| }); | ||
|
|
||
| if (window.testRunner) { | ||
| testRunner.setOpenPanelFiles(['foo.txt']); | ||
| testRunner.setOpenPanelFilesMediaIcon(testIconBytes); | ||
| UIHelper.activateElement(fileInput); | ||
| } | ||
| </script> | ||
| <script src=../../../resources/js-test-post.js></script> | ||
| </body> | ||
| </html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @@ -0,0 +1,31 @@ | ||
| <!DOCTYPE html> | ||
| <html> | ||
| <script src=../../../resources/ui-helper.js></script> | ||
| <script src=resources/file-icon-bytes.js></script> | ||
| <head> | ||
| </head> | ||
| <body> | ||
| <input type=file> | ||
| <script> | ||
| (async () => { | ||
| if (!window.testRunner) | ||
| return; | ||
|
|
||
| testRunner.waitUntilDone(); | ||
| testRunner.setOpenPanelFiles(['foo.txt']); | ||
| testRunner.setOpenPanelFilesMediaIcon(testIconBytes); | ||
|
|
||
| let fileInput = document.querySelector('input[type=file]'); | ||
| let fileInputChangePromise = new Promise((resolve) => { | ||
| fileInput.addEventListener('change', resolve); | ||
| }); | ||
|
|
||
| await UIHelper.activateElement(fileInput); | ||
| await fileInputChangePromise; | ||
| await UIHelper.activateElement(document.body); | ||
|
|
||
| setTimeout(() => testRunner.notifyDone(), 0); | ||
| })(); | ||
| </script> | ||
| </body> | ||
| </html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @@ -0,0 +1,31 @@ | ||
| <!DOCTYPE html> | ||
| <html> | ||
| <script src=../../../resources/ui-helper.js></script> | ||
| <script src=resources/file-icon-bytes.js></script> | ||
| <head> | ||
| </head> | ||
| <body> | ||
| <input type=file webkitdirectory> | ||
| <script> | ||
| (async () => { | ||
| if (!window.testRunner) | ||
| return; | ||
|
|
||
| testRunner.waitUntilDone(); | ||
| testRunner.setOpenPanelFiles(['foo.txt']); | ||
| testRunner.setOpenPanelFilesMediaIcon(testIconBytes); | ||
|
|
||
| let fileInput = document.querySelector('input[type=file]'); | ||
| let fileInputChangePromise = new Promise((resolve) => { | ||
| fileInput.addEventListener('change', resolve); | ||
| }); | ||
|
|
||
| await UIHelper.activateElement(fileInput); | ||
| await fileInputChangePromise; | ||
| await UIHelper.activateElement(document.body); | ||
|
|
||
| setTimeout(() => testRunner.notifyDone(), 0); | ||
| })(); | ||
| </script> | ||
| </body> | ||
| </html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @@ -0,0 +1,33 @@ | ||
| (() => { | ||
|
|
||
| // Icon is configured manually to avoid ObjC calls from C++ code | ||
| testIconBytes = new Uint8Array([255, 216, 255, 224, 0, 16, 74, 70, 73, 70, 0, 1, 1, 1, 0, 96, 0, 96, | ||
| 0, 0, 255, 219, 0, 67, 0, 8, 6, 6, 7, 6, 5, 8, 7, 7, 7, 9, 9, 8, 10, 12, 20, 13, 12, 11, 11, 12, | ||
| 25, 18, 19, 15, 20, 29, 26, 31, 30, 29, 26, 28, 28, 32, 36, 46, 39, 32, 34, 44, 35, 28, 28, 40, | ||
| 55, 41, 44, 48, 49, 52, 52, 52, 31, 39, 57, 61, 56, 50, 60, 46, 51, 52, 50, 255, 219, 0, 67, 1, | ||
| 9, 9, 9, 12, 11, 12, 24, 13, 13, 24, 50, 33, 28, 33, 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, | ||
| 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, | ||
| 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, 50, 255, 192, 0, 17, 8, 0, 1, 0, 1, 3, | ||
| 1, 34, 0, 2, 17, 1, 3, 17, 1, 255, 196, 0, 31, 0, 0, 1, 5, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, | ||
| 0, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 255, 196, 0, 181, 16, 0, 2, 1, 3, 3, 2, 4, 3, 5, 5, 4, | ||
| 4, 0, 0, 1, 125, 1, 2, 3, 0, 4, 17, 5, 18, 33, 49, 65, 6, 19, 81, 97, 7, 34, 113, 20, 50, 129, | ||
| 145, 161, 8, 35, 66, 177, 193, 21, 82, 209, 240, 36, 51, 98, 114, 130, 9, 10, 22, 23, 24, 25, | ||
| 26, 37, 38, 39, 40, 41, 42, 52, 53, 54, 55, 56, 57, 58, 67, 68, 69, 70, 71, 72, 73, 74, 83, 84, | ||
| 85, 86, 87, 88, 89, 90, 99, 100, 101, 102, 103, 104, 105, 106, 115, 116, 117, 118, 119, 120, | ||
| 121, 122, 131, 132, 133, 134, 135, 136, 137, 138, 146, 147, 148, 149, 150, 151, 152, 153, 154, | ||
| 162, 163, 164, 165, 166, 167, 168, 169, 170, 178, 179, 180, 181, 182, 183, 184, 185, 186, 194, | ||
| 195, 196, 197, 198, 199, 200, 201, 202, 210, 211, 212, 213, 214, 215, 216, 217, 218, 225, 226, | ||
| 227, 228, 229, 230, 231, 232, 233, 234, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 255, | ||
| 196, 0, 31, 1, 0, 3, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, | ||
| 11, 255, 196, 0, 181, 17, 0, 2, 1, 2, 4, 4, 3, 4, 7, 5, 4, 4, 0, 1, 2, 119, 0, 1, 2, 3, 17, 4, | ||
| 5, 33, 49, 6, 18, 65, 81, 7, 97, 113, 19, 34, 50, 129, 8, 20, 66, 145, 161, 177, 193, 9, 35, 51, | ||
| 82, 240, 21, 98, 114, 209, 10, 22, 36, 52, 225, 37, 241, 23, 24, 25, 26, 38, 39, 40, 41, 42, 53, | ||
| 54, 55, 56, 57, 58, 67, 68, 69, 70, 71, 72, 73, 74, 83, 84, 85, 86, 87, 88, 89, 90, 99, 100, | ||
| 101, 102, 103, 104, 105, 106, 115, 116, 117, 118, 119, 120, 121, 122, 130, 131, 132, 133, 134, | ||
| 135, 136, 137, 138, 146, 147, 148, 149, 150, 151, 152, 153, 154, 162, 163, 164, 165, 166, 167, | ||
| 168, 169, 170, 178, 179, 180, 181, 182, 183, 184, 185, 186, 194, 195, 196, 197, 198, 199, 200, | ||
| 201, 202, 210, 211, 212, 213, 214, 215, 216, 217, 218, 226, 227, 228, 229, 230, 231, 232, 233, | ||
| 234, 242, 243, 244, 245, 246, 247, 248, 249, 250, 255, 218, 0, 12, 3, 1, 0, 2, 17, 3, 17, 0, 63, | ||
| 0, 247, 250, 40, 162, 128, 63, 255, 217]); | ||
|
|
||
| })(); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.