Bug 63885

Summary: Null deref accessing CustomEvent.detail
Product: WebKit
Reporter: Sam Weinig <sam>
Component: DOM
Assignee: Sam Weinig <sam>
Status: RESOLVED FIXED
Severity: Normal
Keywords: EasyFix, InRadar
Priority: P1
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments:
Description: Patch    Flags: andersca: review+

Description Sam Weinig 2011-07-03 20:21:09 PDT
The ScriptValue m_detail in the CustomEvent class is initialized to null (rather than jsNull()) which can lead to a null deref if it is accessed before calling initCustomEvent.

javascript:alert(document.createEvent("CustomEvent").detail) should do the trick.
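The repro above reads one getter of one event type before its init*Event() call. The harness below generalizes that probe: it is an added example, not WebKit's own test or the patch's layout test, and it walks every accessor on the prototype chain of each event produced by a createEvent function, logging the getter name before touching it so that, in a real browser, the last logged line identifies a getter that crashed the renderer. The stub createEvent at the bottom is a constructed stand-in for document.createEvent so the file runs outside a browser; it models the uninitialized-detail crash as a thrown error, which is an assumption (a genuine null deref kills the process and cannot be caught).

```javascript
// Probe getters of DOM events created with createEvent() but never initialized.
// createEvent: function(name) -> event (in a browser: document.createEvent.bind(document)).
// log: called with "Type.getter" BEFORE each read; pass console.log in a browser so a
// crash leaves the offending getter as the last line of output.
function probeUninitializedEvents(createEvent, eventTypes, log = () => {}) {
  const report = {};
  for (const type of eventTypes) {
    let ev;
    try {
      ev = createEvent(type);
    } catch (e) {
      report[type] = { createError: String(e) };
      continue;
    }
    const results = Object.create(null);
    // Walk up to, but excluding, Object.prototype, collecting accessor properties.
    let proto = Object.getPrototypeOf(ev);
    while (proto && proto !== Object.prototype) {
      const descs = Object.getOwnPropertyDescriptors(proto);
      for (const name of Object.keys(descs)) {
        if (typeof descs[name].get !== 'function' || name in results) continue;
        log(`${type}.${name}`);
        try {
          results[name] = { value: describeValue(ev[name]) };
        } catch (e) {
          results[name] = { error: String(e) };
        }
      }
      proto = Object.getPrototypeOf(proto);
    }
    report[type] = results;
  }
  return report;
}

// Render a getter result as a short tag so reports are comparable across runs.
function describeValue(v) {
  if (v === null) return 'null';
  if (v === undefined) return 'undefined';
  if (typeof v === 'object' || typeof v === 'function') return typeof v;
  return typeof v + ':' + String(v);
}

// Constructed stand-in for document.createEvent (assumption: minimal model, not WebKit code).
// With fixed=false the CustomEvent models the reported bug: reading .detail before
// initCustomEvent() fails. With fixed=true .detail starts out as JS null.
function makeStubCreateEvent({ fixed }) {
  class Event {
    constructor() { this._type = ''; }
    get type() { return this._type; }
  }
  class CustomEvent extends Event {
    constructor() {
      super();
      this._initialized = false;
      this._detail = fixed ? null : undefined;
    }
    get detail() {
      if (!fixed && !this._initialized) throw new Error('null deref: m_detail never initialized');
      return this._detail;
    }
    initCustomEvent(type, bubbles, cancelable, detail) {
      this._type = type;
      this._detail = detail;
      this._initialized = true;
    }
  }
  return (name) => {
    if (name === 'CustomEvent') return new CustomEvent();
    if (name === 'Event') return new Event();
    throw new Error('NotSupportedError: ' + name);
  };
}

// Stand-alone run against the stub; in a browser replace the first argument with
// document.createEvent.bind(document) and add the event names you want to cover.
console.log(JSON.stringify(
  probeUninitializedEvents(makeStubCreateEvent({ fixed: false }), ['CustomEvent', 'Event'], console.log),
  null, 2));
```

Running the probe against document.createEvent in a build that still has this bug is the same experiment as the javascript: URL above, only with the getter name printed first; on a fixed build the CustomEvent.detail entry reads `null`, matching the jsNull() initialization the description calls for.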
Comment 1 Alexey Proskuryakov 2011-07-03 23:34:06 PDT
It does, it does! Repro crash -> P1
Comment 2 Sam Weinig 2011-07-05 13:07:48 PDT
Created attachment 99737
Patch
Comment 3 Sam Weinig 2011-07-05 13:09:42 PDT
<rdar://problem/9724577>
Comment 4 Sam Weinig 2011-07-05 13:51:12 PDT
Committed r90405: <http://trac.webkit.org/changeset/90405>