62526 2011-06-12 21:03:41 -0700 Null deref in WebCore::HTMLTextAreaElement::removeSpellcheckRange 2011-06-12 21:55:58 -0700 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 1 hbono webkit-unassigned webkit.review.bot oldest_to_newest 419411 0 hbono 2011-06-12 21:03:41 -0700 (Copied from <http://crbug.com/85744>.) Chromium: r88647 WebKit: r88523 Run cross_fuzz and you will see the following null deref with a very high probability: #0 0x539988 in WTF::VectorBufferBase<WebCore::LevelDBTransaction::AVLTreeNode*>::capacity() const third_party/WebKit/Source/JavaScriptCore/wtf/Vector.h:313 #1 0x2e8df98 in WebCore::HTMLTextAreaElement::removeSpellcheckRange(WTF::RefPtr<WebCore::SpellcheckRange>) third_party/WebKit/Source/WebCore/html/HTMLTextAreaElement.cpp:465 #2 0x3053680 in WebCore::HTMLTextAreaElementInternal::removeSpellcheckRangeCallback(v8::Arguments const&) out/Release/obj/gen/webcore/bindings/V8HTMLDivElement.cpp:92 #3 0x223a5d8 in HandleApiCallHelper v8/src/builtins.cc:1105 cros_fuzz instructions: http://www.chromium.org/developers/testing/fuzzers From inferno: Please file a new bug and assign it to hbono for high priority null ptr fix (was probably introduced in http://trac.webkit.org/changeset/88332). 419417 1 96917 hbono 2011-06-12 21:14:01 -0700 Created attachment 96917 A quick fix with a regression test Greetings, I have quickly added null checks to three functions that implements removeSpellcheckRanges() and also a regression test. Is it possible to review this change? Regards, Hironori Bono 419418 2 96917 morrita 2011-06-12 21:17:03 -0700 Comment on attachment 96917 A quick fix with a regression test r=me 419423 3 96917 webkit.review.bot 2011-06-12 21:55:54 -0700 Comment on attachment 96917 A quick fix with a regression test Clearing flags on attachment: 96917 Committed r88627: <http://trac.webkit.org/changeset/88627> 419424 4 webkit.review.bot 2011-06-12 21:55:58 -0700 All reviewed patches have been landed. Closing bug. 96917 2011-06-12 21:14:01 -0700 2011-06-12 21:55:54 -0700 A quick fix with a regression test issue62526-patch0.txt text/plain 5544 hbono SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDg4NjI1KQorKysgU291cmNlL1dlYkNvcmUvQ2hhbmdl TG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMjUgQEAKKzIwMTEtMDYtMTIgIEhpcm9ub3Jp IEJvbm8gIDxoYm9ub0BjaHJvbWl1bS5vcmc+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZ IChPT1BTISkuCisKKyAgICAgICAgQWRkIG51bGwgY2hlY2tzIHRvIEhUTUxUZXh0QXJlYUVsZW1l bnQ6OnJlbW92ZVNwZWxsY2hlY2tSYW5nZSgpLgorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0 Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9NjI1MjYKKworICAgICAgICBUaGlzIGNoYW5nZSBhZGRzIG51 bGwgY2hlY2tzIHRvIHRoZSBmb2xsb3dpbmcgZnVuY3Rpb24gdG8gcHJldmVudCBjcmFzaGVzCisg ICAgICAgIHdoZW4gY2FsbGluZyByZW1vdmVTcGVsbGNoZWNrUmFuZ2UoKSB3aXRoIG51bGw6Cisg ICAgICAgIEhUTUxUZXh0QXJlYUVsZW1lbnQ6OnJlbW92ZVNwZWxsY2hlY2tSYW5nZSgpLAorICAg ICAgICBIVE1MSW5wdXRFbGVtZW50OjpyZW1vdmVTcGVsbGNoZWNrUmFuZ2UoKSwgYW5kCisgICAg ICAgIEhUTUxEaXZFbGVtZW50OjpyZW1vdmVTcGVsbGNoZWNrUmFuZ2UoKS4KKworICAgICAgICBU ZXN0OiBlZGl0aW5nL3NwZWxsaW5nL3NwZWxsY2hlY2stYXBpLWNyYXNoLmh0bWwKKworICAgICAg ICAqIGh0bWwvSFRNTERpdkVsZW1lbnQuY3BwOgorICAgICAgICAoV2ViQ29yZTo6SFRNTERpdkVs ZW1lbnQ6OnJlbW92ZVNwZWxsY2hlY2tSYW5nZSk6CisgICAgICAgICogaHRtbC9IVE1MSW5wdXRF bGVtZW50LmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OkhUTUxJbnB1dEVsZW1lbnQ6OnJlbW92ZVNw ZWxsY2hlY2tSYW5nZSk6CisgICAgICAgICogaHRtbC9IVE1MVGV4dEFyZWFFbGVtZW50LmNwcDoK KyAgICAgICAgKFdlYkNvcmU6OkhUTUxUZXh0QXJlYUVsZW1lbnQ6OnJlbW92ZVNwZWxsY2hlY2tS YW5nZSk6CisKIDIwMTEtMDYtMTIgIEFkYW0gQmFydGggIDxhYmFydGhAd2Via2l0Lm9yZz4KIAog ICAgICAgICBSZXZpZXdlZCBieSBEYXJpbiBBZGxlci4KSW5kZXg6IFNvdXJjZS9XZWJDb3JlL2h0 bWwvSFRNTERpdkVsZW1lbnQuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9XZWJDb3JlL2h0bWwv SFRNTERpdkVsZW1lbnQuY3BwCShyZXZpc2lvbiA4ODYyMSkKKysrIFNvdXJjZS9XZWJDb3JlL2h0 bWwvSFRNTERpdkVsZW1lbnQuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC05NSw2ICs5NSw4IEBAIHZv aWQgSFRNTERpdkVsZW1lbnQ6OmFkZFNwZWxsY2hlY2tSYW5nZSgKIAogdm9pZCBIVE1MRGl2RWxl bWVudDo6cmVtb3ZlU3BlbGxjaGVja1JhbmdlKFJlZlB0cjxTcGVsbGNoZWNrUmFuZ2U+IHJhbmdl KQogeworICAgIGlmICghcmFuZ2UpCisgICAgICAgIHJldHVybjsKICAgICBkb2N1bWVudCgpLT5t YXJrZXJzKCktPnJlbW92ZVVzZXJTcGVsbGluZ01hcmtlcih0aGlzLCByYW5nZS0+c3RhcnQoKSwg cmFuZ2UtPmxlbmd0aCgpKTsKIH0KICNlbmRpZgpJbmRleDogU291cmNlL1dlYkNvcmUvaHRtbC9I VE1MSW5wdXRFbGVtZW50LmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2ViQ29yZS9odG1sL0hU TUxJbnB1dEVsZW1lbnQuY3BwCShyZXZpc2lvbiA4ODYyMSkKKysrIFNvdXJjZS9XZWJDb3JlL2h0 bWwvSFRNTElucHV0RWxlbWVudC5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTE4NjEsNiArMTg2MSw4 IEBAIHZvaWQgSFRNTElucHV0RWxlbWVudDo6YWRkU3BlbGxjaGVja1JhbmcKIAogdm9pZCBIVE1M SW5wdXRFbGVtZW50OjpyZW1vdmVTcGVsbGNoZWNrUmFuZ2UoUmVmUHRyPFNwZWxsY2hlY2tSYW5n ZT4gcmFuZ2UpCiB7CisgICAgaWYgKCFyYW5nZSkKKyAgICAgICAgcmV0dXJuOwogICAgIGRvY3Vt ZW50KCktPm1hcmtlcnMoKS0+cmVtb3ZlVXNlclNwZWxsaW5nTWFya2VyKHRoaXMsIHJhbmdlLT5z dGFydCgpLCByYW5nZS0+bGVuZ3RoKCkpOwogfQogI2VuZGlmCkluZGV4OiBTb3VyY2UvV2ViQ29y ZS9odG1sL0hUTUxUZXh0QXJlYUVsZW1lbnQuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9XZWJD b3JlL2h0bWwvSFRNTFRleHRBcmVhRWxlbWVudC5jcHAJKHJldmlzaW9uIDg4NjIxKQorKysgU291 cmNlL1dlYkNvcmUvaHRtbC9IVE1MVGV4dEFyZWFFbGVtZW50LmNwcAkod29ya2luZyBjb3B5KQpA QCAtNDYyLDYgKzQ2Miw4IEBAIHZvaWQgSFRNTFRleHRBcmVhRWxlbWVudDo6YWRkU3BlbGxjaGVj a1IKIAogdm9pZCBIVE1MVGV4dEFyZWFFbGVtZW50OjpyZW1vdmVTcGVsbGNoZWNrUmFuZ2UoUmVm UHRyPFNwZWxsY2hlY2tSYW5nZT4gcmFuZ2UpCiB7CisgICAgaWYgKCFyYW5nZSkKKyAgICAgICAg cmV0dXJuOwogICAgIGRvY3VtZW50KCktPm1hcmtlcnMoKS0+cmVtb3ZlVXNlclNwZWxsaW5nTWFy a2VyKHRoaXMsIHJhbmdlLT5zdGFydCgpLCByYW5nZS0+bGVuZ3RoKCkpOwogfQogI2VuZGlmCklu ZGV4OiBMYXlvdXRUZXN0cy9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gTGF5b3V0VGVzdHMvQ2hh bmdlTG9nCShyZXZpc2lvbiA4ODYyNSkKKysrIExheW91dFRlc3RzL0NoYW5nZUxvZwkod29ya2lu ZyBjb3B5KQpAQCAtMSwzICsxLDE5IEBACisyMDExLTA2LTEyICBIaXJvbm9yaSBCb25vICA8aGJv bm9AY2hyb21pdW0ub3JnPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgor CisgICAgICAgIEFkZCBudWxsIGNoZWNrcyB0byBIVE1MVGV4dEFyZWFFbGVtZW50OjpyZW1vdmVT cGVsbGNoZWNrUmFuZ2UoKS4KKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19i dWcuY2dpP2lkPTYyNTI2CisKKyAgICAgICAgVGhpcyBjaGFuZ2UgYWRkcyBudWxsIGNoZWNrcyB0 byB0aGUgZm9sbG93aW5nIGZ1bmN0aW9uIHRvIHByZXZlbnQgY3Jhc2hlcworICAgICAgICB3aGVu IGNhbGxpbmcgcmVtb3ZlU3BlbGxjaGVja1JhbmdlKCkgd2l0aCBudWxsOgorICAgICAgICBIVE1M VGV4dEFyZWFFbGVtZW50OjpyZW1vdmVTcGVsbGNoZWNrUmFuZ2UoKSwKKyAgICAgICAgSFRNTElu cHV0RWxlbWVudDo6cmVtb3ZlU3BlbGxjaGVja1JhbmdlKCksIGFuZAorICAgICAgICBIVE1MRGl2 RWxlbWVudDo6cmVtb3ZlU3BlbGxjaGVja1JhbmdlKCkuCisKKyAgICAgICAgKiBlZGl0aW5nL3Nw ZWxsaW5nL3NwZWxsY2hlY2stYXBpLWNyYXNoLWV4cGVjdGVkLnR4dDogQWRkZWQuCisgICAgICAg ICogZWRpdGluZy9zcGVsbGluZy9zcGVsbGNoZWNrLWFwaS1jcmFzaC5odG1sOiBBZGRlZC4KKwog MjAxMS0wNi0xMiAgRG9taW5pYyBDb29uZXkgIDxkb21pbmljY0BjaHJvbWl1bS5vcmc+CiAKICAg ICAgICAgUmV2aWV3ZWQgYnkgSGFqaW1lIE1vcml0YS4KSW5kZXg6IExheW91dFRlc3RzL2VkaXRp bmcvc3BlbGxpbmcvc3BlbGxjaGVjay1hcGktY3Jhc2gtZXhwZWN0ZWQudHh0Cj09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0K LS0tIExheW91dFRlc3RzL2VkaXRpbmcvc3BlbGxpbmcvc3BlbGxjaGVjay1hcGktY3Jhc2gtZXhw ZWN0ZWQudHh0CShyZXZpc2lvbiAwKQorKysgTGF5b3V0VGVzdHMvZWRpdGluZy9zcGVsbGluZy9z cGVsbGNoZWNrLWFwaS1jcmFzaC1leHBlY3RlZC50eHQJKHJldmlzaW9uIDApCkBAIC0wLDAgKzEs NyBAQAorVGhpcyB0ZXN0cyB0aGF0cyBXZWJLaXQgZG9lcyBub3QgY3Jhc2ggd2hlbiB3ZSBjYWxs IHJlbW92ZVNwZWxsY2hlY2tSYW5nZSgpIHdpdGggYSBudWxsIHBhcmFtZXRlci4gVG8gdGVzdCBt YW51YWxseSwgb3BlbiB0aGlzIEhUTUwgZmlsZSBhbmQgY2hlY2sgaWYgdGhlIGJyb3dzZXIgY2Fu IG9wZW4gdGhpcyBmaWxlIHdpdGhvdXQgYSBjcmFzaC4KKworCisKK3dlbGxjb21lCisKKwpJbmRl eDogTGF5b3V0VGVzdHMvZWRpdGluZy9zcGVsbGluZy9zcGVsbGNoZWNrLWFwaS1jcmFzaC5odG1s Cj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT0KLS0tIExheW91dFRlc3RzL2VkaXRpbmcvc3BlbGxpbmcvc3BlbGxjaGVjay1h cGktY3Jhc2guaHRtbAkocmV2aXNpb24gMCkKKysrIExheW91dFRlc3RzL2VkaXRpbmcvc3BlbGxp bmcvc3BlbGxjaGVjay1hcGktY3Jhc2guaHRtbAkocmV2aXNpb24gMCkKQEAgLTAsMCArMSwyNyBA QAorPGh0bWw+Cis8aGVhZD4KKzx0aXRsZT48L3RpdGxlPgorPHNjcmlwdCBsYW5ndWFnZT0iamF2 YXNjcmlwdCIgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij4KK2lmICh3aW5kb3cubGF5b3V0VGVzdENv bnRyb2xsZXIpCisgICAgbGF5b3V0VGVzdENvbnRyb2xsZXIuZHVtcEFzVGV4dCgpOworCitmdW5j dGlvbiBUZXN0KCkgeworICAgIHZhciBub2RlMCA9IGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCd0 ZXN0MCcpOworICAgIGlmIChub2RlMC5yZW1vdmVTcGVsbGNoZWNrUmFuZ2UpCisgICAgICAgIG5v ZGUwLnJlbW92ZVNwZWxsY2hlY2tSYW5nZShudWxsKTsKKyAgICB2YXIgbm9kZTEgPSBkb2N1bWVu dC5nZXRFbGVtZW50QnlJZCgndGVzdDEnKTsKKyAgICBpZiAobm9kZTEucmVtb3ZlU3BlbGxjaGVj a1JhbmdlKQorICAgICAgICBub2RlMS5yZW1vdmVTcGVsbGNoZWNrUmFuZ2UobnVsbCk7CisgICAg dmFyIG5vZGUyID0gZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoJ3Rlc3QyJyk7CisgICAgaWYgKG5v ZGUyLnJlbW92ZVNwZWxsY2hlY2tSYW5nZSkKKyAgICAgICAgbm9kZTIucmVtb3ZlU3BlbGxjaGVj a1JhbmdlKG51bGwpOworfQorPC9zY3JpcHQ+Cis8L2hlYWQ+Cis8Ym9keSBvbmxvYWQ9IlRlc3Qo KSI+Cis8cD5UaGlzIHRlc3RzIHRoYXRzIFdlYktpdCBkb2VzIG5vdCBjcmFzaCB3aGVuIHdlIGNh bGwgcmVtb3ZlU3BlbGxjaGVja1JhbmdlKCkgd2l0aCBhIG51bGwgcGFyYW1ldGVyLiBUbyB0ZXN0 IG1hbnVhbGx5LCBvcGVuIHRoaXMgSFRNTCBmaWxlIGFuZCBjaGVjayBpZiB0aGUgYnJvd3NlciBj YW4gb3BlbiB0aGlzIGZpbGUgd2l0aG91dCBhIGNyYXNoLjwvcD4KKzx0ZXh0YXJlYSBpZD0idGVz dDAiIHJvd3M9IjEwIiBjb2xzPSI4MCI+d2VsbGNvbWU8L3RleHRhcmVhPjxiciAvPgorPGlucHV0 IGlkPSJ0ZXN0MSIgdHlwZT0idGV4dCIgdmFsdWU9IndlbGxjb21lIiAvPjxiciAvPgorPGRpdiBp ZD0idGVzdDIiIGNvbnRlbnRlZGl0YWJsZT0idHJ1ZSI+d2VsbGNvbWU8L2Rpdj48YnIgLz4KKzwv Ym9keT4KKzwvaHRtbD4K