Bug 19517

Summary:

DOM modification of textArea causes Access Violation (NULL pointer?)

Product:

WebKit

Reporter:

Berend-Jan Wever <skylined>

Component:

DOM

Assignee:

Alexey Proskuryakov <ap>

Status:

RESOLVED FIXED

Severity:

Normal

Keywords:

InRadar

Priority:

Version:

525.x (Safari 3.1)

Hardware:

All

OS:

All

URL:

http://skypher.com/SkyLined/Repro/Safari/019a3239%20NULL/repro.html

Attachments:

Description	Flags
proposed patch	darin: review+

Berend-Jan Wever

Reported 2008-06-12 04:24:58 PDT

I found that the following javascript causes an Access Violation. This appears to be a NULL pointer: <BODY onload="go()"><SCRIPT> function go() { document.body.parentElement.removeChild(document.body); o = document.createElement("textArea"); o.innerHTML='<b><menu><link></b><head></head>x'; } </SCRIPT></BODY> Tested with Safari 3.1.1. Marked as security, I'm not sure if you treat DoS as a security issue, so erring on the safe side.

Attachments
proposed patch (2.26 KB, patch) 2009-05-20 03:32 PDT, Alexey Proskuryakov	darin: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Berend-Jan Wever

Comment 1 2008-06-13 06:29:21 PDT

Changing priority and security flag

Mark Rowe (bdash)

Comment 2 2008-06-13 14:52:41 PDT

<rdar://problem/6007112>

Arvind

Comment 3 2009-05-19 23:13:13 PDT

Hi, I am trying to analyse this bug.But when I open the safari window in debug mode I am not able to reproduce this scenario.Is there a solution to reproduce this scenario in debug mode as well ?

Alexey Proskuryakov

Comment 4 2009-05-20 03:25:37 PDT

I cannot reproduce this with nightlies either (but I can reproduce with Safari 3.2.3).

Alexey Proskuryakov

Comment 5 2009-05-20 03:32:14 PDT

Created attachment 30503 [details] proposed patch So, let's just add a test.

Alexey Proskuryakov

Comment 6 2009-05-21 05:35:18 PDT

Test committed r43966.

Note You need to log in before you can comment on or make changes to this bug.