RESOLVED WORKSFORME 19536
DOM modification causes Access Violation (NULL pointer?) 
https://bugs.webkit.org/show_bug.cgi?id=19536
Summary DOM modification causes Access Violation (NULL pointer?)
Berend-Jan Wever
Reported 2008-06-13 08:34:51 PDT
I found that the following javascript causes an Access Violation. This appears to be a NULL pointer: <BODY onload="go()"><SCRIPT> function go() { document.body.parentElement.innerHTML=''; oMarquee=document.createElement('marquee'); oMarquee.innerHTML='<frameSet></frameSet><colGroup></colGroup><em><label><meta></label></em><frameSet></frameSet>'; } </SCRIPT></BODY> Tested with Safari 3.1.1. Please note the NULL pointer happens in code that appears to want to call a method in a vtable. Should the NULL value be attacker controlable, this is extremely exploitable. I am assuming it is always NULL and not exploitable.
Attachments
Add attachment proposed patch, testcase, etc.
Mark Rowe (bdash)
Comment 1 2008-06-13 14:53:46 PDT
<rdar://problem/6007120>
Berend-Jan Wever
Comment 2 2010-04-19 09:55:32 PDT
This no longer reproduces - it must have been fixed at some point :)
Alexey Proskuryakov
Comment 3 2010-04-20 12:12:01 PDT
Should we land this as a regression test?
Note You need to log in before you can comment on or make changes to this bug.