[Cocoa] Calling -regularFileContents on a directory NSFileWrapper crashes the web content process by kmonsen · Pull Request #63020 · WebKit/WebKit

kmonsen · 2026-04-18T02:05:59Z

`dad1793`

[Cocoa] Calling -regularFileContents on a directory NSFileWrapper crashes the web content process
https://bugs.webkit.org/show_bug.cgi?id=312594
rdar://174642216

Reviewed by Ryosuke Niwa.

When copying content containing an <img> element whose resolved URL points to a directory (e.g. srcset="."), WebKit
can end up with a directory-backed NSFileWrapper. Calling -regularFileContents on such a wrapper raises an
NSInvalidArgumentException. Because the exception unwinds through C++ stack frames in HTMLConverter and
AttributedString, it is not caught and terminates the web content process.

Fix by guarding both -regularFileContents call sites with -isRegularFile before extracting attachment data. The
preferredFilename and other metadata are still read regardless of file type.

Test: Tools/TestWebKitAPI/Tests/WebKit/WKWebView/CopyRTF.mm

* Source/WebCore/editing/cocoa/AttributedString.mm:
(WebCore::extractValue):
* Source/WebCore/editing/cocoa/NodeHTMLConverter.mm:
(HTMLConverter::_addAttachmentForElement):
* Tools/TestWebKitAPI/Tests/WebKit/WKWebView/CopyRTF.mm:
(TEST(CopyRTF, DoesNotCrashWithDirectoryFileWrapperFromImageSrcset)):

Canonical link: https://commits.webkit.org/311610@main

704d7a1

Misc	iOS, visionOS, tvOS & watchOS	macOS	Linux	Windows	Apple Internal
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	✅ 🛠 win	⏳ 🛠 ios-apple
✅ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2	❌ 🧪 win-tests	⏳ 🛠 mac-apple
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🧪 api-wpe		⏳ 🛠 vision-apple
	✅ 🧪 ios-wk2-wpt	✅ 🧪 api-mac-debug	✅ 🛠 gtk3-libwebrtc
	✅ 🧪 api-ios	✅ 🧪 mac-wk1	✅ 🛠 gtk
	✅ 🛠 ios-safer-cpp	✅ 🧪 mac-wk2	✅ 🧪 gtk-wk2
	✅ 🛠 vision	✅ 🧪 mac-AS-debug-wk2	✅ 🧪 api-gtk
✅ 🛠 🧪 merge	✅ 🛠 vision-sim	✅ 🧪 mac-wk2-stress	✅ 🛠 playstation
	✅ 🧪 vision-wk2	✅ 🧪 mac-intel-wk2
	✅ 🛠 tv	✅ 🛠 mac-safer-cpp
	✅ 🛠 tv-sim
	✅ 🛠 watch
	✅ 🛠 watch-sim

webkit-early-warning-system · 2026-04-18T02:06:05Z

EWS run on current version of this PR (hash 704d7a1)

Details

Misc	iOS, visionOS, tvOS & watchOS	macOS	Linux	Windows	Apple Internal
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	✅ 🛠 win	⏳ 🛠 ios-apple
✅ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2	❌ 🧪 win-tests	⏳ 🛠 mac-apple
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🧪 api-wpe		⏳ 🛠 vision-apple
	✅ 🧪 ios-wk2-wpt	✅ 🧪 api-mac-debug	✅ 🛠 gtk3-libwebrtc
	✅ 🧪 api-ios	✅ 🧪 mac-wk1	✅ 🛠 gtk
	✅ 🛠 ios-safer-cpp	✅ 🧪 mac-wk2	✅ 🧪 gtk-wk2
	✅ 🛠 vision	✅ 🧪 mac-AS-debug-wk2	✅ 🧪 api-gtk
✅ 🛠 🧪 merge	✅ 🛠 vision-sim	✅ 🧪 mac-wk2-stress	✅ 🛠 playstation
	✅ 🧪 vision-wk2	✅ 🧪 mac-intel-wk2
	✅ 🛠 tv	✅ 🛠 mac-safer-cpp
	✅ 🛠 tv-sim
	✅ 🛠 watch
	✅ 🛠 watch-sim

…shes the web content process https://bugs.webkit.org/show_bug.cgi?id=312594 rdar://174642216 Reviewed by Ryosuke Niwa. When copying content containing an <img> element whose resolved URL points to a directory (e.g. srcset="."), WebKit can end up with a directory-backed NSFileWrapper. Calling -regularFileContents on such a wrapper raises an NSInvalidArgumentException. Because the exception unwinds through C++ stack frames in HTMLConverter and AttributedString, it is not caught and terminates the web content process. Fix by guarding both -regularFileContents call sites with -isRegularFile before extracting attachment data. The preferredFilename and other metadata are still read regardless of file type. Test: Tools/TestWebKitAPI/Tests/WebKit/WKWebView/CopyRTF.mm * Source/WebCore/editing/cocoa/AttributedString.mm: (WebCore::extractValue): * Source/WebCore/editing/cocoa/NodeHTMLConverter.mm: (HTMLConverter::_addAttachmentForElement): * Tools/TestWebKitAPI/Tests/WebKit/WKWebView/CopyRTF.mm: (TEST(CopyRTF, DoesNotCrashWithDirectoryFileWrapperFromImageSrcset)): Canonical link: https://commits.webkit.org/311610@main

webkit-commit-queue · 2026-04-20T19:39:15Z

Committed 311610@main (dad1793): https://commits.webkit.org/311610@main

Reviewed commits have been landed. Closing PR #63020 and removing active labels.

kmonsen requested a review from rniwa as a code owner April 18, 2026 02:06

kmonsen self-assigned this Apr 18, 2026

kmonsen added the HTML Editing For bugs in HTML editing support (including designMode and contentEditable). label Apr 18, 2026

rniwa approved these changes Apr 18, 2026

View reviewed changes

rniwa requested a review from whsieh April 18, 2026 16:37

kmonsen added the merge-queue Applied to send a pull request to merge-queue label Apr 20, 2026

webkit-commit-queue force-pushed the eng/WebKit-Main-SU-0de8fcf584c54561-ASAN_ABRT-NSFileWrapper-regularFileContents-HTMLConverter-_addAttachmentForElement-HTMLConverter-_processElement branch from 704d7a1 to dad1793 Compare April 20, 2026 19:39

webkit-commit-queue merged commit dad1793 into WebKit:main Apr 20, 2026

webkit-commit-queue removed the merge-queue Applied to send a pull request to merge-queue label Apr 20, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Cocoa] Calling -regularFileContents on a directory NSFileWrapper crashes the web content process#63020

kmonsen commented Apr 18, 2026 •

edited by webkit-early-warning-system

Loading

Uh oh!

webkit-early-warning-system commented Apr 18, 2026 •

edited

Loading

Uh oh!

webkit-commit-queue commented Apr 20, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

kmonsen commented Apr 18, 2026 • edited by webkit-early-warning-system Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

dad1793

Uh oh!

webkit-early-warning-system commented Apr 18, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

webkit-commit-queue commented Apr 20, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

kmonsen commented Apr 18, 2026 •

edited by webkit-early-warning-system

Loading

`dad1793`

webkit-early-warning-system commented Apr 18, 2026 •

edited

Loading