Bug 52147

Summary: WebCore::ImageDocumentParser::appendBytes ReadAV@NULL (d3eaf04ec8c67346dfeface66b7dc103)
Product: WebKit    Reporter: Berend-Jan Wever <skylined>
Component: DOM    Assignee: Nobody <webkit-unassigned>
Status: RESOLVED WORKSFORME
Severity: Normal    CC: cem.kocagil+webkit, eric
Priority: P1
Version: 528+ (Nightly build)
Hardware: PC
OS: Windows Vista
Attachments: Repro (flags: none)

Berend-Jan Wever
Reported 2011-01-10 07:29:35 PST
Created attachment 78398 [details]
Repro

Repro:

    <script>
    oWin = window.open('repro.gif');
    setTimeout(function() {
        var oBody = oWin.document.body;
        oWin.document.open();
        oWin.document.createRange().surroundContents(oBody);
        oWin.document.close();
    }, 1000);
    </script>

Repro.gif must be a file served with an image mime type, e.g. "image/gif", but which is not a valid image. That way Chromium creates an ImageDocument in the same domain as the main document, but the image element can become NULL.

    id:          chrome.dll!WebCore::ImageDocumentParser::appendBytes ReadAV@NULL (d3eaf04ec8c67346dfeface66b7dc103)
    description: Attempt to read from unallocated NULL pointer+0x44 in chrome.dll!WebCore::ImageDocumentParser::appendBytes
    stack:       chrome.dll!WebCore::ImageDocumentParser::appendBytes
                 chrome.dll!WebCore::DocumentWriter::endIfNotLoadingMainResource
                 chrome.dll!WebCore::Document::close
                 chrome.dll!WebCore::HTMLDocumentInternal::closeCallback
                 chrome.dll!v8::internal::HandleApiCallHelper<...>
                 chrome.dll!v8::internal::Builtin_HandleApiCall
                 chrome.dll!v8::internal::Invoke
                 chrome.dll!v8::internal::Execution::Call
                 ...

Here's the problem:

    CachedImage* ImageDocument::cachedImage()
    {
        if (!m_imageElement)
            createDocumentStructure();
        return m_imageElement->cachedImage();
    }

This code assumes that if m_imageElement is NULL, createDocumentStructure() will set m_imageElement to something non-NULL. However, it appears this is not the case if the image is invalid, which can lead to NULL ptrs.
Attachments
Repro (283 bytes, text/html)
2011-01-10 07:29 PST, Berend-Jan Wever
no flags
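The defensive pattern the report points at, re-checking m_imageElement after createDocumentStructure() rather than assuming it succeeded, as an added example. This is a constructed stand-alone model, not WebKit's code: the CachedImage, HTMLImageElement and ImageDocument types below are hypothetical stand-ins, and the imageIsValid flag models the reported case where structure creation leaves the image element null for an invalid image.

```cpp
#include <cstddef>
#include <memory>

// Constructed stand-in for WebKit's CachedImage (hypothetical).
struct CachedImage {
    size_t bytesSeen = 0;
};

// Constructed stand-in for the <img> element an ImageDocument owns (hypothetical).
struct HTMLImageElement {
    std::shared_ptr<CachedImage> cached;
    CachedImage* cachedImage() { return cached.get(); }
};

// Minimal model of ImageDocument; not the real class.
class ImageDocument {
public:
    // imageIsValid is an assumption standing in for whatever makes
    // createDocumentStructure() fail to produce an element in the report.
    explicit ImageDocument(bool imageIsValid) : m_imageIsValid(imageIsValid) {}

    // Models the reported behaviour: only a valid image yields an element,
    // so m_imageElement can still be null after this returns.
    void createDocumentStructure() {
        if (!m_imageIsValid)
            return;
        m_imageElement = std::make_unique<HTMLImageElement>();
        m_imageElement->cached = std::make_shared<CachedImage>();
    }

    // Hardened form of the accessor quoted in the report: the second check
    // turns the null dereference into a null return the caller can handle.
    CachedImage* cachedImage() {
        if (!m_imageElement)
            createDocumentStructure();
        if (!m_imageElement)
            return nullptr;
        return m_imageElement->cachedImage();
    }

    // Models the appendBytes() caller honouring the null return.
    bool appendBytes(const char* /*data*/, size_t len) {
        CachedImage* image = cachedImage();
        if (!image)
            return false;  // nothing to feed: bail out instead of crashing
        image->bytesSeen += len;
        return true;
    }

private:
    bool m_imageIsValid;
    std::unique_ptr<HTMLImageElement> m_imageElement;
};
```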
Berend-Jan Wever
Comment 1 2011-01-10 07:30:19 PST
Cem Kocagil
Comment 2 2011-12-20 13:12:47 PST
Cannot reproduce on latest stable (16.0.912.63) or dev (17.0.962.0) on Win7.
Berend-Jan Wever
Comment 3 2011-12-21 00:15:17 PST
Agreed - I cannot reproduce this anymore either.