Bug 19536
| Summary: | DOM modification causes Access Violation (NULL pointer?) | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Berend-Jan Wever <skylined> |
| Component: | New Bugs | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED WORKSFORME | | |
| Severity: | Normal | Keywords: | InRadar |
| Priority: | P1 | | |
| Version: | 525.x (Safari 3.1) | | |
| Hardware: | PC | | |
| OS: | Windows Vista | | |
| URL: | http://skypher.com/SkyLined/Repro/Safari/00fc476f%20NULL/repro.html | | |
Berend-Jan Wever
I found that the following JavaScript causes an Access Violation. This appears
to be a NULL pointer:
```html
<BODY onload="go()"><SCRIPT>
function go() {
  // Wipe the root element, then parse a fragment inside a new <marquee>.
  document.body.parentElement.innerHTML='';
  var oMarquee=document.createElement('marquee');
  oMarquee.innerHTML='<frameSet></frameSet><colGroup></colGroup><em><label><meta></label></em><frameSet></frameSet>';
}
</SCRIPT></BODY>
```
Tested with Safari 3.1.1.
Please note the NULL pointer happens in code that appears to want to call a method in a vtable. Should the NULL value be attacker controllable, this is extremely exploitable. I am assuming it is always NULL and not exploitable.
Mark Rowe (bdash)
<rdar://problem/6007120>
Berend-Jan Wever
This no longer reproduces - it must have been fixed at some point :)
Alexey Proskuryakov
Should we land this as a regression test?
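A regression test in the style of WebKit's LayoutTests, added here as an example (it is not a test from the project or from this bug); it assumes the harness object `testRunner` (earlier WebKit versions exposed it as `layoutTestController`) and otherwise uses only the DOM operations from the repro above.

```html
<!DOCTYPE html>
<html>
<head>
<script>
// Added example: LayoutTests-style regression test for bug 19536.
// Assumes the WebKit test harness object `testRunner`; when run in a
// plain browser the test simply shows its PASS line.
if (window.testRunner)
    testRunner.dumpAsText();

function go() {
    // Same DOM modification as the original repro: wipe the root element,
    // then parse a marquee containing nested frameset/colgroup fragments.
    // The bug was a crash during this sequence; the test passes simply by
    // surviving long enough to emit the PASS line.
    document.body.parentElement.innerHTML = '';
    var marquee = document.createElement('marquee');
    marquee.innerHTML = '<frameSet></frameSet><colGroup></colGroup><em><label><meta></label></em><frameSet></frameSet>';

    // The original <body> was removed above, so attach the result to the
    // root element so the text appears in the dumped output.
    var result = document.createElement('p');
    result.textContent = 'PASS: DOM modification completed without crashing.';
    document.documentElement.appendChild(result);
}
</script>
</head>
<body onload="go()">
</body>
</html>
```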