The HTMLImageElement can be set to a non-empty image source URL, but ImageLoader::updateFromElement() makes an early return before creating a CachedImage. If ImageLoader::decode() is called in this case, ImageLoader::m_image will be null and a crash will happen.
<rdar://problem/34634483>
Created attachment 328414: Patch
Comment on attachment 328414: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=328414&action=review

> Source/WebCore/ChangeLog:8
> + Ensure ImageLoader::m_image is not null before referencing it.

Did this regress? Do you know when? Do you know how to reproduce? Can you write a test?
Comment on attachment 328414: Patch
Yeah, this needs a test.
Created attachment 330788: Patch
Created attachment 330789: test case: decoding an image with an invalid URL (will crash)
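The scenario the report describes (a non-empty but unusable src, then decode() before any CachedImage exists) can be driven from a page like the one below. This is an added example, not attachment 330789 or any other file from the bug; the URLs are constructed so that they fail URL parsing, and the expected outcome, a rejected promise carrying an EncodingError DOMException rather than a crash, is what the HTML specification requires of decode() when the image request is broken.

```html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>HTMLImageElement.decode() with an invalid src</title>
</head>
<body>
<pre id="result">Running...</pre>
<script>
// Added example (not the bug's own test case). Each src below is a
// constructed, syntactically invalid URL: the element ends up with a
// non-empty src attribute but no image data is ever requested, which is
// the state the report says left ImageLoader::m_image null.
const INVALID_SOURCES = [
  'http://[',                 // unterminated IPv6 literal
  'http://exa mple.com/x.png',// space is a forbidden host code point
  'http://%/x.png',           // bare percent sign in the host
];

const result = document.getElementById('result');
const log = (msg) => { result.textContent += msg + '\n'; };

// Create a detached <img>, set src, and call decode() immediately,
// before any load or error event could have fired.
function decodeImage(src) {
  const img = document.createElement('img');
  img.src = src;
  return img.decode();
}

async function run() {
  result.textContent = '';
  for (const src of INVALID_SOURCES) {
    try {
      await decodeImage(src);
      log('FAIL ' + src + ': decode() resolved');
    } catch (e) {
      // Expected: rejection with EncodingError, not a hang or a crash.
      const ok = e instanceof DOMException && e.name === 'EncodingError';
      log((ok ? 'PASS ' : 'FAIL ') + src + ': rejected with ' + e.name);
    }
  }
  log('DONE');
}
run();
</script>
</body>
</html>
```

On a build affected by this bug the page does not reach the DONE line; on a correct build every case prints PASS. Calling decode() straight after assigning src is deliberate: waiting for an error event first would let the loader settle and miss the window the report describes.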
Comment on attachment 330788: Patch
Clearing flags on attachment: 330788
Committed r226638: <https://trac.webkit.org/changeset/226638>
All reviewed patches have been landed. Closing bug.