Bug 19516

| Field | Value |
|---|---|
| Summary | DOM modification causes Access Violation (NULL pointer?) |
| Product | WebKit |
| Component | New Bugs |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P1 |
| Version | 525.x (Safari 3.1) |
| Hardware | PC |
| OS | Windows Vista |
| Reporter | Berend-Jan Wever <skylined> |
| Assignee | Nobody <webkit-unassigned> |
| Keywords | InRadar |
| URL | http://skypher.com/SkyLined/Repro/Safari/6f164b90%20NULL%203C/repro.html |
Berend-Jan Wever
I found that the following JavaScript causes an Access Violation. This appears to be a NULL pointer:

```html
<BODY onload="go()"><SCRIPT>
function go() {
  var oEmbed = document.createElement('embed');
  document.body.appendChild(oEmbed);
  var oEmbed2 = oEmbed.cloneNode();
  oEmbed2.appendChild(document.body.parentElement);
  var oA = document.createElement('a');
  document.title = '';
  oA.innerHTML = '<x><html></html>';
}
</SCRIPT></BODY>
```
Tested with Safari 3.1.1.
Marked as security; I'm not sure if you treat DoS as a security issue, so I'm erring on the safe side.
Berend-Jan Wever
Changing priority and security flag
Mark Rowe (bdash)
<rdar://problem/6007111>
Anders Carlsson
Thank you very much for the reduced test case!
Committed revision 34795.
Berend-Jan Wever
This appears fixed in nightly until you drag and drop the repro URL into Safari twice:

```text
(4a8.13c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
WebKit!WebCore::DragController::concludeDrag+0x3a:
00000000`6ccf0cda 8b03 mov eax,dword ptr [ebx] ds:002b:00000000`00000000=????????
```

This exact same problem can be triggered with bug 20540.
Berend-Jan Wever
I opened bug 20565 to track this new issue.