Bug 19517 - DOM modification of textArea causes Access Violation (NULL pointer?)
Summary: DOM modification of textArea causes Access Violation (NULL pointer?)
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM (show other bugs)
Version: 525.x (Safari 3.1)
Hardware: All All
: P1 Normal
Assignee: Alexey Proskuryakov
URL: http://skypher.com/SkyLined/Repro/Saf...
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2008-06-12 04:24 PDT by Berend-Jan Wever
Modified: 2009-05-21 05:35 PDT (History)
0 users

See Also:


Attachments
proposed patch (2.26 KB, patch)
2009-05-20 03:32 PDT, Alexey Proskuryakov
darin: review+

Description Berend-Jan Wever 2008-06-12 04:24:58 PDT
I found that the following javascript causes an Access Violation. This appears
to be a NULL pointer:

<BODY onload="go()"><SCRIPT>
    function go() {
        document.body.parentElement.removeChild(document.body);
        o = document.createElement("textArea");
        o.innerHTML='<b><menu><link></b><head></head>x';
    }
</SCRIPT></BODY>

Tested with Safari 3.1.1.

Marked as security, I'm not sure if you treat DoS as a security issue, so
erring on the safe side.
Comment 1 Berend-Jan Wever 2008-06-13 06:29:21 PDT
Changing priority and security flag
Comment 2 Mark Rowe (bdash) 2008-06-13 14:52:41 PDT
<rdar://problem/6007112>
Comment 3 Arvind 2009-05-19 23:13:13 PDT
Hi,
I am trying to analyse this bug. But when I open the Safari window in debug mode I am not able to reproduce this scenario. Is there a solution to reproduce this scenario in debug mode as well?
Comment 4 Alexey Proskuryakov 2009-05-20 03:25:37 PDT
I cannot reproduce this with nightlies either (but I can reproduce with Safari 3.2.3).
Comment 5 Alexey Proskuryakov 2009-05-20 03:32:14 PDT
Created attachment 30503 [details]
proposed patch

So, let's just add a test.
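For readers who have not seen a WebKit crash regression test, the following is an added illustration of the shape such a test takes: the reporter's repro is run unchanged, and if execution reaches the end without the renderer crashing, a PASS line is written into the document. It is not the test attached to this bug or committed in r43966; the layoutTestController.dumpAsText() call is the DumpRenderTree hook assumed to be available in that era, and it is skipped when the page is opened in an ordinary browser.

```html
<html>
<body onload="go()">
<script>
// Added example test, not the project's own. In DumpRenderTree this makes the
// harness record the page text rather than a pixel dump; in a normal browser
// the object is absent and the check simply skips.
if (window.layoutTestController)
    layoutTestController.dumpAsText();

function go() {
    // Same steps as the reporter's repro: detach the body while the script is
    // still running, then build and populate a detached textarea.
    document.body.parentElement.removeChild(document.body);
    var o = document.createElement("textArea");
    o.innerHTML = '<b><menu><link></b><head></head>x';

    // document.body is now null, so hang the result off the root element.
    // Reaching this line means the DOM modification completed without a crash.
    var result = document.createTextNode(
        "PASS: setting innerHTML on a textarea after removing the body did not crash.");
    document.documentElement.appendChild(result);
}
</script>
</body>
</html>
```

A test of this kind has no expected value beyond the PASS text itself: its purpose is to make the harness exercise the exact sequence of DOM calls so that a reintroduced null dereference shows up as a crashed test run rather than a silent regression.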
Comment 6 Alexey Proskuryakov 2009-05-21 05:35:18 PDT
Test committed r43966.