From 416c4788763baa778465d1d004080d322462c0bf Mon Sep 17 00:00:00 2001
From: Andreas Kling <andreas@ladybird.org>
Date: Fri, 19 Jul 2024 16:39:34 +0200
Subject: [PATCH] LibWeb: Don't try to set selection with anchor/focus in
 different roots

If the anchor and focus nodes are not within the same document, we can't
use them for a selection range.

Found by Domato.
---
 ...Selection-setBaseAndExtent-without-common-root.txt |  1 +
 ...election-setBaseAndExtent-without-common-root.html | 11 +++++++++++
 Userland/Libraries/LibWeb/Selection/Selection.cpp     |  2 +-
 3 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 Tests/LibWeb/Text/expected/Selection-setBaseAndExtent-without-common-root.txt
 create mode 100644 Tests/LibWeb/Text/input/Selection-setBaseAndExtent-without-common-root.html

diff --git a/Tests/LibWeb/Text/expected/Selection-setBaseAndExtent-without-common-root.txt b/Tests/LibWeb/Text/expected/Selection-setBaseAndExtent-without-common-root.txt
new file mode 100644
index 00000000000..5db64a560d5
--- /dev/null
+++ b/Tests/LibWeb/Text/expected/Selection-setBaseAndExtent-without-common-root.txt
@@ -0,0 +1 @@
+   PASS (Didn't crash)
diff --git a/Tests/LibWeb/Text/input/Selection-setBaseAndExtent-without-common-root.html b/Tests/LibWeb/Text/input/Selection-setBaseAndExtent-without-common-root.html
new file mode 100644
index 00000000000..2c47b0f7c99
--- /dev/null
+++ b/Tests/LibWeb/Text/input/Selection-setBaseAndExtent-without-common-root.html
@@ -0,0 +1,11 @@
+<body>
+<script src="include.js"></script>
+<script>
+    test(() => {
+        let newDoc = document.implementation.createHTMLDocument("foo");
+        let newDocP = newDoc.createElement("p");
+        let selection = window.getSelection();
+        selection.setBaseAndExtent(document.body, 0, newDocP, 0);
+        println("PASS (Didn't crash)");
+    });
+</script>
diff --git a/Userland/Libraries/LibWeb/Selection/Selection.cpp b/Userland/Libraries/LibWeb/Selection/Selection.cpp
index 6ec1284454f..0fed976d158 100644
--- a/Userland/Libraries/LibWeb/Selection/Selection.cpp
+++ b/Userland/Libraries/LibWeb/Selection/Selection.cpp
@@ -307,7 +307,7 @@ WebIDL::ExceptionOr<void> Selection::set_base_and_extent(JS::NonnullGCPtr<DOM::N
         return WebIDL::IndexSizeError::create(realm(), "Focus offset points outside of the focus node"_fly_string);
 
     // 2. If document associated with this is not a shadow-including inclusive ancestor of anchorNode or focusNode, abort these steps.
-    if (!(m_document->is_shadow_including_inclusive_ancestor_of(anchor_node) || m_document->is_shadow_including_inclusive_ancestor_of(focus_node)))
+    if (!m_document->is_shadow_including_inclusive_ancestor_of(anchor_node) || !m_document->is_shadow_including_inclusive_ancestor_of(focus_node))
         return {};
 
     // 3. Let anchor be the boundary point (anchorNode, anchorOffset) and let focus be the boundary point (focusNode, focusOffset).