Bug 49541

Summary: visibility:collapse WebCore::ReplaceSelectionCommand::doApply NULL ptr
Product: WebKit
Reporter: Berend-Jan Wever <skylined@chromium.org>
Component: HTML DOM
Assignee: Nobody <webkit-unassigned@lists.webkit.org>
Status: NEW
Severity: Normal
CC: eric@webkit.org, rniwa@webkit.org
Priority: P1
Version: 528+ (Nightly build)
Hardware: PC
OS: Windows Vista
URL: http://code.google.com/p/chromium/issues/detail?id=63205
Attachments:
  Repro (flags: none)

Description From 2010-11-15 07:11:51 PST
Created an attachment (id=73893)
Repro

Repro:
<body><x>
<script type="text/javascript">
  // Make the whole document editable so editing commands apply to it.
  document.designMode="on";
  // Select everything, including the <x> element.
  document.execCommand("selectAll");
  // Collapse every element in the document via a universal rule.
  document.writeln('<style>* {visibility:collapse}</style>');
  // Replace the selection with a fragment: this reaches
  // ReplaceSelectionCommand::doApply and reads through a NULL pointer (see below).
  document.execCommand("InsertHTML", false, 'x');
</script>


id:             chrome.dll!WebCore::ReplaceSelectionCommand::doApply ReadAV@NULL (80567d0c1853fec9161cc17f3eeaa01d)
description:    Attempt to read from unallocated NULL pointer+0x24 in chrome.dll!WebCore::ReplaceSelectionCommand::doApply
application:    Chromium 9.0.580.0
stack:          chrome.dll!WebCore::ReplaceSelectionCommand::doApply
                chrome.dll!WebCore::EditCommand::apply
                chrome.dll!WebCore::applyCommand
                chrome.dll!WebCore::executeInsertFragment
                chrome.dll!WebCore::executeInsertHTML
                chrome.dll!WebCore::Editor::Command::execute
                chrome.dll!WebCore::Document::execCommand
                chrome.dll!WebCore::DocumentInternal::execCommandCallback
                chrome.dll!v8::internal::HandleApiCallHelper<...>
                chrome.dll!v8::internal::Builtin_HandleApiCall
                chrome.dll!v8::internal::Invoke
                chrome.dll!v8::internal::Execution::Call
                chrome.dll!v8::Script::Run
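To show what the signature "ReadAV@NULL ... NULL pointer+0x24" describes, here is an added C++ model of the defect class; it is not WebKit source, and every name in it (Node, Document, findVisibleInsertionNode, insertFragmentUnchecked, insertFragmentChecked) is hypothetical. The command looks up the node that should receive the fragment; when every node is visibility:collapse, the lookup yields a null pointer, and reading a member through it faults at NULL plus that member's offset. The checked variant shows the null check that turns the crash into a reported no-op.

```cpp
// Added illustration, not WebKit source. Toy model of an editing command that
// assumes a visible insertion node always exists, beside the checked version.
// All names are hypothetical.
#include <cassert>
#include <string>
#include <vector>

struct Node {
    std::string tagName;
    bool collapsed;    // computed style visibility:collapse
    int childCount;    // the member the command reads from the target node
};

// Minimal stand-in for the repro's markup: <body><x>, with the selection
// covering both elements (innermost first). Constructed sample data.
struct Document {
    Node body;
    Node x;
    std::vector<Node*> selectionNodes() { return {&x, &body}; }
};

Document makeReproDocument(bool allCollapsed) {
    Document d;
    d.body = Node{"body", allCollapsed, 1};
    d.x = Node{"x", allCollapsed, 0};
    return d;
}

// First node in the selection that can host the fragment, or nullptr when
// every candidate is collapsed (the state the repro's <style> rule creates).
Node* findVisibleInsertionNode(const std::vector<Node*>& selection) {
    for (Node* n : selection)
        if (!n->collapsed)
            return n;
    return nullptr;
}

// Unchecked variant: assumes a visible node always exists. With an all-collapsed
// selection, target is nullptr and reading target->childCount is a null
// pointer dereference at NULL plus the member's offset.
int insertFragmentUnchecked(const std::vector<Node*>& selection) {
    Node* target = findVisibleInsertionNode(selection);
    return ++target->childCount;
}

enum class InsertResult { Inserted, NoVisibleInsertionPoint };

// Checked variant: the command bails out instead of dereferencing nullptr.
InsertResult insertFragmentChecked(const std::vector<Node*>& selection) {
    Node* target = findVisibleInsertionNode(selection);
    if (!target)
        return InsertResult::NoVisibleInsertionPoint;
    ++target->childCount;
    return InsertResult::Inserted;
}

// Runs the checked command against the repro document in either state.
InsertResult runRepro(bool allCollapsed) {
    Document d = makeReproDocument(allCollapsed);
    return insertFragmentChecked(d.selectionNodes());
}

// Child count of <x> after the checked command; unchanged when nothing was inserted.
int xChildCountAfterRepro(bool allCollapsed) {
    Document d = makeReproDocument(allCollapsed);
    insertFragmentChecked(d.selectionNodes());
    return d.x.childCount;
}

int main() {
    // Normal document: the insertion succeeds and <x> gains a child.
    assert(runRepro(false) == InsertResult::Inserted);
    assert(xChildCountAfterRepro(false) == 1);
    // Everything collapsed: the checked command reports the condition and
    // leaves the tree untouched; insertFragmentUnchecked would crash here.
    assert(runRepro(true) == InsertResult::NoVisibleInsertionPoint);
    assert(xChildCountAfterRepro(true) == 0);
    return 0;
}
```

The model keeps the real-world shape of the bug: the failure is not in the lookup, which legitimately has nothing to return, but in the caller that never considered that outcome, so a layout test built from the repro above (all elements collapsed, then InsertHTML) is the natural regression check for the fix.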