RESOLVED FIXED 19516
DOM modification causes Access Violation (NULL pointer?)
https://bugs.webkit.org/show_bug.cgi?id=19516
Berend-Jan Wever
Reported 2008-06-12 04:21:55 PDT
I found that the following JavaScript causes an Access Violation. This appears to be a NULL pointer:

<BODY onload="go()"><SCRIPT>
function go() {
  var oEmbed = document.createElement('embed');
  document.body.appendChild(oEmbed);
  var oEmbed2 = oEmbed.cloneNode();
  oEmbed2.appendChild(document.body.parentElement);
  var oA = document.createElement('a');
  document.title = '';
  oA.innerHTML = '<x><html></html>';
}
</SCRIPT></BODY>

Tested with Safari 3.1.1. Marked as security; I'm not sure if you treat DoS as a security issue, so erring on the safe side.
Berend-Jan Wever
Comment 1 2008-06-13 06:29:15 PDT
Changing priority and security flag
Mark Rowe (bdash)
Comment 2 2008-06-13 14:52:38 PDT
Anders Carlsson
Comment 3 2008-06-25 10:31:53 PDT
Thank you very much for the reduced test case! Committed revision 34795.
Berend-Jan Wever
Comment 4 2008-08-28 09:10:25 PDT
This appears fixed in nightly until you drag and drop the repro URL into Safari twice:

(4a8.13c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
WebKit!WebCore::DragController::concludeDrag+0x3a:
00000000`6ccf0cda 8b03 mov eax,dword ptr [ebx] ds:002b:00000000`00000000=????????

This exact same problem can be triggered with bug 20540.
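The debugger record in comment 4 is the kind of evidence a triager uses to decide whether a crash is a deterministic NULL-page read (a denial of service, which is the question the reporter raises) or something that could corrupt memory. The following is an added example, not code from the bug report or from WebKit: it parses a WinDbg first-chance exception record, recovers the faulting module, symbol and instruction, and classifies a read from the unmapped low 64 KiB as a probable NULL dereference. The sample input is the record quoted above with its line breaks restored; the regular expressions, the 0x10000 null-page threshold and the classification labels are this example's own assumptions.

```python
import re

# Constructed sample input: the WinDbg first-chance exception record quoted in
# comment 4 of WebKit bug 19516, with the original line breaks restored.
SAMPLE_CRASH = """\
(4a8.13c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
WebKit!WebCore::DragController::concludeDrag+0x3a:
00000000`6ccf0cda 8b03            mov     eax,dword ptr [ebx] ds:002b:00000000`00000000=????????
"""

# Assumption for this example: Windows leaves the lowest 64 KiB of a process
# unmapped, so a fault there is the classic signature of dereferencing NULL
# (or a small field offset from a NULL object pointer).
NULL_PAGE_LIMIT = 0x10000

EXCEPTION_RE = re.compile(
    r"\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\): (?P<kind>.+?) - code (?P<code>[0-9a-f]{8})"
)
SYMBOL_RE = re.compile(r"^(?P<module>[^!\s]+)!(?P<function>.+?)\+0x(?P<offset>[0-9a-f]+):$")
FAULT_RE = re.compile(
    r"^(?P<ip>[0-9a-f`]+)\s+(?P<bytes>[0-9a-f]+)\s+(?P<mnemonic>\w+)\s+(?P<operands>.+?)"
    r"\s+ds:(?P<segment>[0-9a-f]+):(?P<addr>[0-9a-f`]+)=(?P<value>\S+)$"
)


def _hex(s):
    """WinDbg writes 64-bit values with a backtick separator: 00000000`6ccf0cda."""
    return int(s.replace("`", ""), 16)


def parse_windbg_crash(text):
    """Pull the exception, faulting symbol and faulting instruction out of a WinDbg dump."""
    record = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = EXCEPTION_RE.search(line)
        if m:
            record["kind"] = m.group("kind")
            record["code"] = int(m.group("code"), 16)
            continue
        m = SYMBOL_RE.match(line)
        if m:
            record["module"] = m.group("module")
            record["function"] = m.group("function")
            record["offset"] = int(m.group("offset"), 16)
            continue
        m = FAULT_RE.match(line)
        if m:
            record["ip"] = _hex(m.group("ip"))
            record["mnemonic"] = m.group("mnemonic")
            record["operands"] = m.group("operands")
            record["fault_address"] = _hex(m.group("addr"))
            # "????????" means the debugger itself could not read the target: the page is unmapped.
            record["target_unreadable"] = m.group("value").startswith("?")
            # A memory operand on the destination (first) side means a write; otherwise a read.
            dest = m.group("operands").split(",", 1)[0]
            record["access"] = "write" if "[" in dest else "read"
    return record


def classify_crash(record):
    """Triage label: is this the NULL-pointer class of bug the report suspects?"""
    if record.get("kind") != "Access violation" or record.get("code") != 0xC0000005:
        return "not-an-access-violation"
    addr = record.get("fault_address")
    if addr is None:
        return "access-violation-unlocated"
    if addr < NULL_PAGE_LIMIT:
        # A read from the null page crashes deterministically: a denial of
        # service rather than a memory-corruption primitive.
        return f"probable-null-deref-{record['access']}"
    return "access-violation-nonnull"


def triage(text):
    record = parse_windbg_crash(text)
    record["classification"] = classify_crash(record)
    return record


if __name__ == "__main__":
    r = triage(SAMPLE_CRASH)
    print(f"{r['module']}!{r['function']}+0x{r['offset']:x}: "
          f"{r['mnemonic']} {r['operands']} -> {r['classification']}")
```

Run on the quoted record, the parser reports the fault inside WebCore::DragController::concludeDrag at offset 0x3a, a read through ebx with ebx equal to zero, and labels it a probable NULL-dereference read; a fault at a high, possibly attacker-influenced address would instead be labelled for closer inspection.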
Berend-Jan Wever
Comment 5 2008-08-29 01:29:36 PDT
I opened bug 20565 to track this new issue.