WebKit Bugzilla
Bug 19516: DOM modification causes Access Violation (NULL pointer?)
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=19516
Berend-Jan Wever
Reported
2008-06-12 04:21:55 PDT
I found that the following JavaScript causes an Access Violation. This appears to be a NULL pointer:

    <BODY onload="go()"><SCRIPT>
    function go() {
      var oEmbed = document.createElement('embed');
      document.body.appendChild(oEmbed);
      var oEmbed2 = oEmbed.cloneNode();
      oEmbed2.appendChild(document.body.parentElement);
      var oA = document.createElement('a');
      document.title = '';
      oA.innerHTML = '<x><html></html>';
    }
    </SCRIPT></BODY>

Tested with Safari 3.1.1. Marked as security, I'm not sure if you treat DoS as a security issue, so erring on the safe side.
Berend-Jan Wever
Comment 1
2008-06-13 06:29:15 PDT
Changing priority and security flag
Mark Rowe (bdash)
Comment 2
2008-06-13 14:52:38 PDT
<rdar://problem/6007111>
Anders Carlsson
Comment 3
2008-06-25 10:31:53 PDT
Thank you very much for the reduced test case! Committed revision 34795.
Berend-Jan Wever
Comment 4
2008-08-28 09:10:25 PDT
This appears fixed in nightly until you drag and drop the repro URL into Safari twice:

    (4a8.13c): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    WebKit!WebCore::DragController::concludeDrag+0x3a:
    00000000`6ccf0cda 8b03            mov     eax,dword ptr [ebx] ds:002b:00000000`00000000=????????

This exact same problem can be triggered with bug 20540.
Berend-Jan Wever
Comment 5
2008-08-29 01:29:36 PDT
I opened bug 20565 to track this new issue.