Bug 45621

Summary:

isParsingFragment assert hit in new treebuilder

Product:

WebKit

Reporter:

Abhishek Arya <inferno>

Component:

DOM

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

abarth, commit-queue, eric

Priority:

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
Testcase	none
test cases	none
Patch	none
Patch	none

Abhishek Arya

Reported 2010-09-12 14:30:02 PDT

Created attachment 67345 [details] Testcase found in my layouttest fuzzing. Also credit to Cris Neckar, from whose html fuzzer i took some ideas from. This is the second most hit assert,crash in my fuzzing after bug 45570. Reduced Testcase: <kbd><table></kbd><col><select><tr> In HTMLTreeBuilder::resetInsertionModeAppropriately(), this assert is hit first. Then we pick up m_fragmentContext.contextElement() which comes out as null, which causes node to be null and crashes in the if statement. I am not sure if this can trigger memory corruption. So filed with security tags. ASSERT(isParsingFragment()); last = true; node = m_fragmentContext.contextElement(); } if (node->hasTagName(selectTag)) { Eric, Adam, if you think it cannot have security consequences, please feel free to remove the tags.

Attachments
Testcase (35 bytes, text/html) 2010-09-12 14:30 PDT, Abhishek Arya	no flags	Details
test cases (873 bytes, patch) 2010-09-12 16:27 PDT, Adam Barth	no flags	Details Formatted Diff Diff
Patch (5.11 KB, patch) 2010-09-12 16:47 PDT, Adam Barth	no flags	Details Formatted Diff Diff
Patch (5.06 KB, patch) 2010-09-12 16:50 PDT, Adam Barth	no flags	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.