Bug 43722

Summary: cross_fuzz WebCore::RenderBlock::addChild* NULL ptrs
Product: WebKit Reporter: Berend-Jan Wever <skylined>
Component: DOMAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: bdakin, commit-queue, eric, hyatt, levin, rolandsteiner
Priority: P1 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Windows Vista   
Bug Depends on:    
Bug Blocks: 42959    
Attachments:
Description Flags
Repro
none
Patch (review carefully) none

Berend-Jan Wever
Reported 2010-08-09 08:26:03 PDT
Created attachment 63895 [details] Repro The following code triggers a NULL ptr in Chromium latest: <html> <head> <style> :before{ content:"" }; </style> </head> <body onload="document.linkColor=0;"> <ruby> <rt></rt> </ruby> </body> </html> id: WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks ReadAV@NULL (8861963c2158cde00d41e1ee9baea2f1) description: Attempt to read from NULL pointer (+0xC) in WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks signatures: Function: WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks Basic signature: WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks(...)-2D824F8 stack: WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks WebCore::RenderBlock::addChildIgnoringContinuation WebCore::RenderBlock::addChild WebCore::RenderRubyRun::addChild WebCore::RenderRubyAsInline::addChild WebCore::RenderObjectChildList::updateBeforeAfterContent WebCore::RenderInline::styleDidChange WebCore::RenderObject::setStyle WebCore::RenderObject::setAnimatableStyle WebCore::Node::setRenderStyle WebCore::Element::recalcStyle WebCore::Element::recalcStyle WebCore::Element::recalcStyle WebCore::Document::recalcStyle WebCore::StyledElement::attributeChanged WebCore::NamedNodeMap::addAttribute WebCore::Element::setAttribute WebCore::Element::setAttribute WebCore::HTMLBodyElement::setLink WebCore::HTMLDocument::setLinkColor WebCore::HTMLDocumentInternal::linkColorAttrSetter v8::internal::JSObject::SetPropertyWithCallback v8::internal::JSObject::SetProperty v8::internal::JSObject::SetPropertyPostInterceptor v8::internal::JSObject::SetPropertyWithInterceptor v8::internal::JSObject::SetProperty v8::internal::JSObject::SetProperty v8::internal::StoreIC::Store v8::internal::StoreIC_Miss v8::internal::Invoke v8::internal::Execution::Call ... During fuzzzing, I have seen NULL ptr crashes two levels up the stack as well, in Renderblock::AddChild. I expect the cause is the same.
Attachments
Repro (190 bytes, text/html)
2010-08-09 08:26 PDT, Berend-Jan Wever 		no flags
Details
Patch (review carefully) (3.74 KB, patch)
2010-08-09 11:32 PDT, Adam Barth 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Adam Barth
Comment 1 2010-08-09 11:32:58 PDT
Created attachment 63911 [details] Patch (review carefully)
Eric Seidel (no email)
Comment 2 2010-08-09 12:14:17 PDT
I'm not sure who does ruby stuff.
David Levin
Comment 3 2010-08-17 17:58:10 PDT
Roland, any comments?
WebKit Commit Bot
Comment 4 2010-08-30 00:35:58 PDT
Comment on attachment 63911 [details] Patch (review carefully) Clearing flags on attachment: 63911 Committed r66371: <http://trac.webkit.org/changeset/66371>
WebKit Commit Bot
Comment 5 2010-08-30 00:36:03 PDT
All reviewed patches have been landed. Closing bug.
David Kilzer (:ddkilzer)
Comment 6 2010-08-30 21:45:47 PDT
<rdar://problem/8375382>
Roland Steiner
Comment 7 2010-09-01 18:58:07 PDT
Whoa, this bug thread completely sneaked by me, sorry about that! :( FWIW, I think the patch is fine. My recently r+'d patch for https://bugs.webkit.org/show_bug.cgi?id=41040 (not yet landed) also concerns :before/:after content. AFAICT it will subsume this patch once merged and landed.
Note You need to log in before you can comment on or make changes to this bug.