| Summary: | DOM modification causes Access Violations (NULL pointers?) | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Berend-Jan Wever <skylined> |
| Component: | New Bugs | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED WORKSFORME | ||
| Severity: | Normal | Keywords: | InRadar |
| Priority: | P1 | ||
| Version: | 525.x (Safari 3.1) | ||
| Hardware: | PC | ||
| OS: | Windows Vista | ||
| URL: | http://skypher.com/SkyLined/Repro/Safari/706b5eef%20or%206eb35eef%20NULL/repro.html | ||
In a debug build, this hits the exact same assertion as bug 19536. I suspect it may be the same underlying issue. This no longer reproduces, it must have been fixed at some point :) Should we land this as a regression test? |
I found that the following javascript causes two Access Violations. Both appear to be NULL pointers: <BODY onload="go()"><SCRIPT> function go() { document.body.parentElement.removeChild(document.body); oI=document.createElement('i'); oI.innerHTML='<frameSet></frameSet><u><code><dir><base></dir></code></u><frame></frame><code></code>'; } </SCRIPT></BODY> One of the two AVs happens most often, I think which one happens is based on timing. Please note that at least one of the NULL pointers happens in code that appears to want to call a method in a vtable. Should the NULL value be attacker controlable, this is extremely exploitable. I am assuming it is always NULL and not exploitable.