Bug 19537: DOM modification causes Access Violations (NULL pointers?)
Status: RESOLVED WORKSFORME
https://bugs.webkit.org/show_bug.cgi?id=19537
Berend-Jan Wever
Reported 2008-06-13 09:20:52 PDT
I found that the following JavaScript causes two Access Violations. Both appear to be NULL pointers:

    <BODY onload="go()"><SCRIPT>
    function go() {
        document.body.parentElement.removeChild(document.body);
        oI=document.createElement('i');
        oI.innerHTML='<frameSet></frameSet><u><code><dir><base></dir></code></u><frame></frame><code></code>';
    }
    </SCRIPT></BODY>

One of the two AVs happens most often; I think which one happens is based on timing. Please note that at least one of the NULL pointers happens in code that appears to want to call a method in a vtable. Should the NULL value be attacker controllable, this is extremely exploitable. I am assuming it is always NULL and not exploitable.
Mark Rowe (bdash)
Comment 1 2008-06-13 14:53:42 PDT
Mark Rowe (bdash)
Comment 2 2008-06-13 16:04:16 PDT
In a debug build, this hits the exact same assertion as bug 19536. I suspect it may be the same underlying issue.
Berend-Jan Wever
Comment 3 2010-04-19 09:56:37 PDT
This no longer reproduces; it must have been fixed at some point :)
Alexey Proskuryakov
Comment 4 2010-04-20 12:12:59 PDT
Should we land this as a regression test?
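The reproduction from the report, rewritten in the shape of a WebKit LayoutTests crash test as comment 4 proposes. This is an added example, not an attachment on this bug and not a file from the WebKit tree. It assumes the DumpRenderTree harness object (window.testRunner, or window.layoutTestController on older builds) with its dumpAsText() method; both names are guarded so the page also loads in an ordinary browser. It uses parentNode instead of the original parentElement so it does not depend on Element.parentElement support, and appends a fresh body afterwards so the PASS line is visible even though the original body was removed.

```html
<!DOCTYPE html>
<html>
<body onload="go()">
<script>
// Assumed harness: DumpRenderTree exposes window.testRunner
// (window.layoutTestController on older WebKit builds). Both are
// optional; without them the page simply renders its result.
function go() {
    var runner = window.testRunner || window.layoutTestController;
    if (runner)
        runner.dumpAsText();

    // Step 1 (from the report): detach the body, leaving the document
    // with no rendered body element.
    var body = document.body;
    body.parentNode.removeChild(body);

    // Step 2 (from the report): have the fragment parser build frameset
    // and frame elements inside a detached inline element. This is the
    // sequence that crashed the 2008 builds.
    var oI = document.createElement('i');
    oI.innerHTML = '<frameSet></frameSet><u><code><dir><base></dir></code></u><frame></frame><code></code>';

    // Reaching this point without crashing is the pass condition. A new
    // body is appended because the original one is gone.
    var result = document.createElement('body');
    result.textContent = 'PASS: no crash when frameset markup is parsed into a detached element after the body is removed.';
    document.documentElement.appendChild(result);
}
</script>
</body>
</html>
```

Since the report says the two crashes were timing dependent, a test like this is only meaningful when run under a debug build as well, where the assertion shared with bug 19536 fires deterministically rather than relying on a particular Access Violation being reached.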