Bug 62526

Summary: Null deref in WebCore::HTMLTextAreaElement::removeSpellcheckRange
Product: WebKit Reporter: Hironori Bono <hbono>
Component: WebCore Misc.    Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
    A quick fix with a regression test    Flags: none

Description Hironori Bono 2011-06-12 21:03:41 PDT
(Copied from <http://crbug.com/85744>.)

Chromium: r88647
WebKit: r88523

Run cross_fuzz and you will see the following null deref with a very high probability: 

    #0 0x539988 in WTF::VectorBufferBase<WebCore::LevelDBTransaction::AVLTreeNode*>::capacity() const third_party/WebKit/Source/JavaScriptCore/wtf/Vector.h:313
    #1 0x2e8df98 in WebCore::HTMLTextAreaElement::removeSpellcheckRange(WTF::RefPtr<WebCore::SpellcheckRange>) third_party/WebKit/Source/WebCore/html/HTMLTextAreaElement.cpp:465
    #2 0x3053680 in WebCore::HTMLTextAreaElementInternal::removeSpellcheckRangeCallback(v8::Arguments const&) out/Release/obj/gen/webcore/bindings/V8HTMLDivElement.cpp:92
    #3 0x223a5d8 in HandleApiCallHelper v8/src/builtins.cc:1105

cross_fuzz instructions: 
http://www.chromium.org/developers/testing/fuzzers

From inferno: 
Please file a new bug and assign
it to hbono for high priority null ptr fix (was probably
introduced in http://trac.webkit.org/changeset/88332).
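The shape of the bug in the trace above, as an added example that is not WebKit's code: a DOM method exposed to script receives a reference-counted pointer that the binding layer leaves null when the script argument is not the expected wrapper type, and the method dereferences it while walking its vector. The class names, the `ScriptValue` stand-in for the V8 argument conversion, and the match-by-value removal are assumptions made for the example (std::shared_ptr stands in for WTF::RefPtr); the fix it shows is the same kind of early null check the attached patch describes.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

// Stand-in for WebCore::SpellcheckRange (constructed for this example).
struct SpellcheckRange {
    unsigned start;
    unsigned length;
};

// Stand-in for the element's spellcheck-range list (example code, not WebKit's).
class TextAreaElement {
public:
    void addSpellcheckRange(std::shared_ptr<SpellcheckRange> range) {
        if (!range)
            return;
        m_ranges.push_back(std::move(range));
    }

    // Hardened form. The crashing shape dereferenced `range` directly
    // (range->start, range->length) while iterating the vector; a null
    // pointer from the binding is then a null deref. The first statement is
    // the added check: reject null, return false, leave the list untouched.
    bool removeSpellcheckRange(const std::shared_ptr<SpellcheckRange>& range) {
        if (!range)
            return false;
        auto it = std::find_if(m_ranges.begin(), m_ranges.end(),
            [&](const std::shared_ptr<SpellcheckRange>& r) {
                return r->start == range->start && r->length == range->length;
            });
        if (it == m_ranges.end())
            return false;
        m_ranges.erase(it);
        return true;
    }

    size_t spellcheckRangeCount() const { return m_ranges.size(); }

private:
    std::vector<std::shared_ptr<SpellcheckRange>> m_ranges;
};

// Simplified model of the generated binding callback (hypothetical, not the
// real V8 glue): a script argument that is not a SpellcheckRange wrapper
// (null, a number, a plain object) converts to a null pointer, and that null
// is what reaches the C++ method.
struct ScriptValue {
    std::shared_ptr<SpellcheckRange> wrapped; // null unless it wraps a SpellcheckRange
};

bool removeSpellcheckRangeCallback(TextAreaElement& element, const ScriptValue& arg) {
    std::shared_ptr<SpellcheckRange> range = arg.wrapped; // null for non-wrapper values
    return element.removeSpellcheckRange(range);
}

// Drives the scenario a fuzzer produces: a non-range argument must not crash
// and must not modify the element. Returns 1 when the element survives intact.
int fuzzCaseSurvives() {
    TextAreaElement element;
    element.addSpellcheckRange(std::make_shared<SpellcheckRange>(SpellcheckRange{0, 5}));
    ScriptValue notARange{nullptr};
    bool removed = removeSpellcheckRangeCallback(element, notARange);
    return (!removed && element.spellcheckRangeCount() == 1) ? 1 : 0;
}
```

The check belongs in the C++ method, not only in the binding: every caller that can be reached with a null (here the three functions the patch touches) needs it, and a regression test that passes a non-range value through the script-facing API is what catches the next one.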
Comment 1 Hironori Bono 2011-06-12 21:14:01 PDT
Created attachment 96917 [details]
A quick fix with a regression test

Greetings,

I have quickly added null checks to the three functions that implement removeSpellcheckRanges(), and also a regression test. Is it possible to review this change?

Regards,

Hironori Bono
Comment 2 Hajime Morrita 2011-06-12 21:17:03 PDT
Comment on attachment 96917 [details]
A quick fix with a regression test

r=me
Comment 3 WebKit Review Bot 2011-06-12 21:55:54 PDT
Comment on attachment 96917 [details]
A quick fix with a regression test

Clearing flags on attachment: 96917

Committed r88627: <http://trac.webkit.org/changeset/88627>
Comment 4 WebKit Review Bot 2011-06-12 21:55:58 PDT
All reviewed patches have been landed.  Closing bug.