31353 2009-11-11 08:30:48 -0800 WebCore::Media::matchMedium NULL pointer crash 2010-09-29 08:26:50 -0700 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) PC Windows Vista RESOLVED DUPLICATE 33913 http://skypher.com/SkyLined/Repro/WebKit/Bug%2031353%20-%20WebCore..Media..matchMedium%20NULL%20pointer/repro.html P1 Normal --- 1 skylined webkit-unassigned abarth ap eric.carlson eric paulirish simon.fraser yael oldest_to_newest 162483 0 42963 skylined 2009-11-11 08:30:48 -0800 Created attachment 42963 Repro case The below HTML causes a NULL pointer in "WebCore::Media::matchMedium" (WebKit/WebCore/css/Media.cpp): <IFRAME id="w" src="http://www.google.com"></IFRAME> <SCRIPT> // Get a reference to a window (window.open can also be used instead of an IFRAME) w=document.getElementById("w").contentWindow; // Get a reference to the media object m=w.media; // Navigate the window w.location.reload(); // Wait for the window to navigate and crash setTimeout(function () { m.matchMedium(); }, 1000); </SCRIPT> Looking at the code, I think that the root cause is that the function relies on m_window to have a document, which it may not have: bool Media::matchMedium(const String& query) const { Document* document = m_window->document(); // *** what if this is NULL? Frame* frame = m_window->frame(); CSSStyleSelector* styleSelector = document->styleSelector(); Element* docElement = document->documentElement(); if (!styleSelector || !docElement || !frame) return false; RefPtr<RenderStyle> rootStyle = styleSelector->styleForElement(docElement, 0 /*defaultParent*/, false /*allowSharing*/, true /*resolveForRootDefault*/); RefPtr<MediaList> media = MediaList::create(); ExceptionCode ec = 0; media->setMediaText(query, ec); if (ec) return false; MediaQueryEvaluator screenEval(type(), frame, rootStyle.get()); return screenEval.eval(media.get()); } 162484 1 skylined 2009-11-11 08:32:41 -0800 Added online repro link 162485 2 eric 2009-11-11 08:33:40 -0800 Thank you for the bug. CCing one of our media folks. 162488 3 skylined 2009-11-11 08:35:08 -0800 Chrome tracking bug: http://code.google.com/p/chromium/issues/detail?id=27386 162490 4 eric 2009-11-11 08:35:54 -0800 Actually, different kind of "media" than I initially thought. 286828 5 skylined 2010-09-29 06:42:59 -0700 This no longer reproduces in latest Chromium - I assume it has been fixed at some point. My fuzzers should find it again if it is not fixed. 286893 6 ap 2010-09-29 08:26:50 -0700 *** This bug has been marked as a duplicate of bug 33913 *** 42963 2009-11-11 08:30:48 -0800 2009-11-11 08:30:48 -0800 Repro case repro.html text/html 417 skylined PElGUkFNRSBpZD0idyIgc3JjPSJodHRwOi8vd3d3Lmdvb2dsZS5jb20iPjwvSUZSQU1FPg0KPFND UklQVD4NCiAgLy8gR2V0IGEgcmVmZXJlbmNlIHRvIGEgd2luZG93ICh3aW5kb3cub3BlbiBjYW4g YWxzbyBiZSB1c2VkIGluc3RlYWQgb2YgYW4gSUZSQU1FKQ0KICB3PWRvY3VtZW50LmdldEVsZW1l bnRCeUlkKCJ3IikuY29udGVudFdpbmRvdzsNCiAgLy8gR2V0IGEgcmVmZXJlbmNlIHRvIHRoZSBt ZWRpYSBvYmplY3QNCiAgbT13Lm1lZGlhOw0KICAvLyBOYXZpZ2F0ZSB0aGUgd2luZG93DQogIHcu bG9jYXRpb24ucmVsb2FkKCk7DQogIC8vIFdhaXQgZm9yIHRoZSB3aW5kb3cgdG8gbmF2aWdhdGUg YW5kIGNyYXNoDQogIHNldFRpbWVvdXQoZnVuY3Rpb24gKCkgeyBtLm1hdGNoTWVkaXVtKCk7IH0s IDEwMDApOw0KPC9TQ1JJUFQ+