Bug 19516 - DOM modification causes Access Violation (NULL pointer?)
Summary: DOM modification causes Access Violation (NULL pointer?)
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 525.x (Safari 3.1)
Hardware: PC Windows Vista
Importance: P1 Normal
Assignee: Nobody
URL: http://skypher.com/SkyLined/Repro/Saf...
Keywords: InRadar
Depends on:
Blocks:
Reported: 2008-06-12 04:21 PDT by Berend-Jan Wever
Modified: 2008-08-29 01:29 PDT
Description Berend-Jan Wever 2008-06-12 04:21:55 PDT
I found that the following JavaScript causes an Access Violation. This appears to be a NULL pointer:

<BODY onload="go()"><SCRIPT>
    function go() {
        var oEmbed=document.createElement('embed');
        document.body.appendChild(oEmbed);
        var oEmbed2 = oEmbed.cloneNode();
        oEmbed2.appendChild(document.body.parentElement);
        var oA = document.createElement('a');
        document.title = '';
        oA.innerHTML = '<x><html></html>';
    }
</SCRIPT></BODY>

Tested with Safari 3.1.1.

Marked as security; I'm not sure if you treat DoS as a security issue, so erring on the safe side.
Comment 1 Berend-Jan Wever 2008-06-13 06:29:15 PDT
Changing priority and security flag
Comment 2 Mark Rowe (bdash) 2008-06-13 14:52:38 PDT
<rdar://problem/6007111>
Comment 3 Anders Carlsson 2008-06-25 10:31:53 PDT
Thank you very much for the reduced test case!

Committed revision 34795.
Comment 4 Berend-Jan Wever 2008-08-28 09:10:25 PDT
This appears fixed in nightly until you drag and drop the repro URL into Safari twice:

(4a8.13c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
WebKit!WebCore::DragController::concludeDrag+0x3a:
00000000`6ccf0cda 8b03            mov     eax,dword ptr [ebx] ds:002b:00000000`00000000=????????

This exact same problem can be triggered with bug 20540.
Comment 5 Berend-Jan Wever 2008-08-29 01:29:36 PDT
I opened bug 20565 to track this new issue.