Bug 43139

Summary: cross_fuzz window.styleMedia.matchMedium() NULL pointer with open document
Product: WebKit Reporter: Berend-Jan Wever <skylined>
Component: DOM    Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: abarth, ap, eric, lcamtuf
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Windows Vista   
Bug Depends on:    
Bug Blocks: 42959    
Attachments: Repro case (flags: none)

Berend-Jan Wever
Reported 2010-07-28 12:49:37 PDT
Created attachment 62863 [details]
Repro case

Found as part of cross_fuzz investigation

Repro:
<body onload="document.open();window.styleMedia.matchMedium();">

id: WebCore::CSSStyleSelector::styleForElement ReadAV@NULL (dc7b32067c1b2c657a6337dd1beb1998)
description: Attempt to read from NULL pointer (+0x24) in WebCore::CSSStyleSelector::styleForElement
stack:
WebCore::CSSStyleSelector::styleForElement
WebCore::StyleMedia::matchMedium
WebCore::StyleMediaInternal::matchMediumCallback
v8::internal::HandleApiCallHelper<...>
v8::internal::Builtin_HandleApiCall
v8::internal::Invoke
v8::internal::Execution::Call
...
Attachment: Repro case (65 bytes, text/html), 2010-07-28 12:49 PDT, Berend-Jan Wever, no flags
Berend-Jan Wever
Comment 1 2010-08-05 02:02:40 PDT
Another similar crash, which does not appear to affect latest Chromium: <body onload="document.write();window.media.matchMedium();">
Adam Barth
Comment 2 2010-08-07 14:50:46 PDT
*** This bug has been marked as a duplicate of bug 43677 ***