Bug 31684

Summary: WebCore::Range::surroundContents NULL pointer crash
Product: WebKit Reporter: Berend-Jan Wever <skylined>
Component: DOMAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, cdumez, commit-queue, eric, morrita, webkit.review.bot
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
URL: http://skypher.com/SkyLined/Repro/WebKit/Bug%2031684%20-%20WebCore..Range..surroundContents%20NULL%20pointer/repro.html
Attachments:
Description Flags
Repro
none
patch v1 none

Berend-Jan Wever
Reported 2009-11-19 13:54:16 PST
Created attachment 43520 [details] Repro The following HTML triggers a NULL pointer in "WebCore::Range::surroundContents": <SCRIPT> range=document.createRange(); text=document.createTextNode(''); range.selectNodeContents(text); element=document.createElement("l"); range.surroundContents(element); </SCRIPT> Relevant call stack (in Chromium): WebCore::Range::surroundContents(class WTF::PassRefPtr<WebCore::Node> passNewParent = class WTF::PassRefPtr<WebCore::Node>, int * ec = 0x0012f220)+0x113 WebCore::RangeInternal::surroundContentsCallback(class v8::Arguments * args = 0x00000000)+0xac
Attachments
Repro (200 bytes, text/html)
2009-11-19 13:54 PST, Berend-Jan Wever 		no flags
Details
patch v1 (3.64 KB, patch)
2009-12-19 00:37 PST, MORITA Hajime 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Berend-Jan Wever
Comment 1 2009-11-19 13:57:11 PST
Added online repro URL
MORITA Hajime
Comment 2 2009-12-19 00:37:50 PST
Created attachment 45226 [details] patch v1
MORITA Hajime
Comment 3 2009-12-19 00:40:10 PST
Added NULL guard null throws exception. Note that Firefox also throws an exception (NS_ERROR_UNEXPECTED) in the case.
WebKit Review Bot
Comment 4 2009-12-19 00:42:22 PST
style-queue ran check-webkit-style on attachment 45226 [details] without any errors.
WebKit Commit Bot
Comment 5 2009-12-19 10:30:50 PST
Comment on attachment 45226 [details] patch v1 Clearing flags on attachment: 45226 Committed r52388: <http://trac.webkit.org/changeset/52388>
WebKit Commit Bot
Comment 6 2009-12-19 10:30:55 PST
All reviewed patches have been landed. Closing bug.
Lucas Forschler
Comment 7 2019-02-06 09:03:11 PST
Mass moving XML DOM bugs to the "DOM" Component.
Note You need to log in before you can comment on or make changes to this bug.