Bug 31353

Summary: WebCore::Media::matchMedium NULL pointer crash
Product: WebKit
Reporter: Berend-Jan Wever <skylined>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: abarth, ap, eric.carlson, eric, paulirish, simon.fraser, yael
Priority: P1
Version: 528+ (Nightly build)
Hardware: PC
OS: Windows Vista
URL: http://skypher.com/SkyLined/Repro/WebKit/Bug%2031353%20-%20WebCore..Media..matchMedium%20NULL%20pointer/repro.html
Attachments:
  Repro case (flags: none)

Berend-Jan Wever
Reported 2009-11-11 08:30:48 PST
Created attachment 42963 [details]
Repro case

The below HTML causes a NULL pointer in "WebCore::Media::matchMedium" (WebKit/WebCore/css/Media.cpp):

    <IFRAME id="w" src="http://www.google.com"></IFRAME>
    <SCRIPT>
    // Get a reference to a window (window.open can also be used instead of an IFRAME)
    w = document.getElementById("w").contentWindow;
    // Get a reference to the media object
    m = w.media;
    // Navigate the window
    w.location.reload();
    // Wait for the window to navigate and crash
    setTimeout(function () { m.matchMedium(); }, 1000);
    </SCRIPT>

Looking at the code, I think that the root cause is that the function relies on m_window to have a document, which it may not have:

    bool Media::matchMedium(const String& query) const
    {
        Document* document = m_window->document(); // *** what if this is NULL?
        Frame* frame = m_window->frame();
        // Both of these dereference document before any NULL check happens.
        CSSStyleSelector* styleSelector = document->styleSelector();
        Element* docElement = document->documentElement();
        // The check below comes too late to protect the two lines above.
        if (!styleSelector || !docElement || !frame)
            return false;
        RefPtr<RenderStyle> rootStyle = styleSelector->styleForElement(docElement, 0 /*defaultParent*/, false /*allowSharing*/, true /*resolveForRootDefault*/);
        RefPtr<MediaList> media = MediaList::create();
        ExceptionCode ec = 0;
        media->setMediaText(query, ec);
        if (ec)
            return false;
        MediaQueryEvaluator screenEval(type(), frame, rootStyle.get());
        return screenEval.eval(media.get());
    }
Attachments
Repro case (417 bytes, text/html)
2009-11-11 08:30 PST, Berend-Jan Wever
no flags
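To make the lifecycle problem in the description concrete, here is an added, self-contained C++ model (not WebKit code, and not the fix that was eventually landed): DOMWindow, Document, Frame, Element, CSSStyleSelector and Media are simplified stand-ins, and evaluateQuery replaces MediaList/MediaQueryEvaluator. It replays the reporter's sequence (hold a Media object, navigate the window so its document disappears, then call matchMedium) against a version of matchMedium that validates the document pointer before touching it.

```cpp
#include <memory>
#include <string>

// Stand-ins for the WebCore types involved (model only, not WebKit's classes).
struct Frame {};
struct Element {};
struct CSSStyleSelector {};

struct Document {
    CSSStyleSelector selector;
    Element root;
    CSSStyleSelector* styleSelector() { return &selector; }
    Element* documentElement() { return &root; }
};

// A window keeps its Frame for its whole lifetime, but the Document it
// points at can be torn down (and be absent) while a navigation is in flight.
class DOMWindow {
public:
    explicit DOMWindow(Frame* frame) : m_frame(frame) {}
    Document* document() const { return m_document.get(); }
    Frame* frame() const { return m_frame; }
    void attachDocument() { m_document = std::make_unique<Document>(); }
    // Models location.reload(): the old document is gone before a new one exists.
    void beginNavigation() { m_document.reset(); }
private:
    Frame* m_frame;
    std::unique_ptr<Document> m_document;
};

class Media {
public:
    explicit Media(DOMWindow* window) : m_window(window) {}

    // Hardened shape: every pointer derived from the window is checked
    // before it is dereferenced, so a window with no document yields
    // "no match" instead of a NULL dereference.
    bool matchMedium(const std::string& query) const {
        Document* document = m_window->document();
        Frame* frame = m_window->frame();
        if (!document || !frame)
            return false;
        CSSStyleSelector* styleSelector = document->styleSelector();
        Element* docElement = document->documentElement();
        if (!styleSelector || !docElement)
            return false;
        return evaluateQuery(query);
    }
private:
    // Stand-in for the real media-query evaluation: only "screen" matches.
    static bool evaluateQuery(const std::string& query) { return query == "screen"; }
    DOMWindow* m_window;
};

// A live window with a document: the query is evaluated normally.
bool matchWithDocument() {
    Frame frame;
    DOMWindow window(&frame);
    window.attachDocument();
    Media media(&window);
    return media.matchMedium("screen");
}

// The bug report's sequence: keep the Media object, navigate the window,
// then call matchMedium while the window has no document.
bool matchDuringNavigation() {
    Frame frame;
    DOMWindow window(&frame);
    window.attachDocument();
    Media media(&window);          // equivalent of "m = w.media"
    window.beginNavigation();      // equivalent of "w.location.reload()"
    return media.matchMedium("screen");   // returns false, does not crash
}

int main() {
    return (matchWithDocument() && !matchDuringNavigation()) ? 0 : 1;
}
```

The model keeps the raw m_window pointer the real class has; the point it isolates is the ordering the reporter highlights, namely that the guard has to run before document is dereferenced rather than after.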
Berend-Jan Wever
Comment 1 2009-11-11 08:32:41 PST
Added online repro link
Eric Seidel (no email)
Comment 2 2009-11-11 08:33:40 PST
Thank you for the bug. CCing one of our media folks.
Berend-Jan Wever
Comment 3 2009-11-11 08:35:08 PST
Eric Seidel (no email)
Comment 4 2009-11-11 08:35:54 PST
Actually, different kind of "media" than I initially thought.
Berend-Jan Wever
Comment 5 2010-09-29 06:42:59 PDT
This no longer reproduces in the latest Chromium - I assume it has been fixed at some point. My fuzzers should find it again if it is not fixed.
Alexey Proskuryakov
Comment 6 2010-09-29 08:26:50 PDT
*** This bug has been marked as a duplicate of bug 33913 ***