Bug 19537 - DOM modification causes Access Violations (NULL pointers?)
Summary: DOM modification causes Access Violations (NULL pointers?)
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 525.x (Safari 3.1)
Hardware: PC Windows Vista
: P1 Normal
Assignee: Nobody
URL: http://skypher.com/SkyLined/Repro/Saf...
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2008-06-13 09:20 PDT by Berend-Jan Wever
Modified: 2010-04-20 12:12 PDT

See Also:
Description Berend-Jan Wever 2008-06-13 09:20:52 PDT
I found that the following JavaScript causes two Access Violations. Both appear
to be NULL pointers:

<BODY onload="go()"><SCRIPT>
    function go() {
        document.body.parentElement.removeChild(document.body);
        oI=document.createElement('i');
        oI.innerHTML='<frameSet></frameSet><u><code><dir><base></dir></code></u><frame></frame><code></code>';
    }
</SCRIPT></BODY>

One of the two AVs happens most often, I think which one happens is based on timing. Please note that at least one of the NULL pointers happens in code that appears to want to call a method in a vtable. Should the NULL value be attacker controllable, this is extremely exploitable. I am assuming it is always NULL and not exploitable.
Comment 1 Mark Rowe (bdash) 2008-06-13 14:53:42 PDT
<rdar://problem/6007119>
Comment 2 Mark Rowe (bdash) 2008-06-13 16:04:16 PDT
In a debug build, this hits the exact same assertion as bug 19536.  I suspect it may be the same underlying issue.
Comment 3 Berend-Jan Wever 2010-04-19 09:56:37 PDT
This no longer reproduces, it must have been fixed at some point :)
Comment 4 Alexey Proskuryakov 2010-04-20 12:12:59 PDT
Should we land this as a regression test?
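The regression test that comment 4 asks about, written here as an added example in the shape of a WebKit LayoutTests crash test; it is not code from the bug report or from the WebKit project. It wraps the reporter's DOM sequence from the description unchanged and only adds a pass marker: the test passes if the page finishes loading and prints the PASS line, and fails if the renderer crashes. The `layoutTestController.dumpAsText()` call is assumed to be the DumpRenderTree hook of the WebKit of that era; the guard keeps the page working in a plain browser where that object does not exist.

```html
<!DOCTYPE html>
<html>
<body onload="go()">
<script>
// Assumed DumpRenderTree hook: make the test dump text instead of a pixel result.
if (window.layoutTestController)
    layoutTestController.dumpAsText();

function go() {
    // Same sequence as the original report: detach <body> while its onload
    // handler is still running, then parse malformed markup into a detached <i>.
    document.body.parentElement.removeChild(document.body);
    var oI = document.createElement('i');
    oI.innerHTML = '<frameSet></frameSet><u><code><dir><base></dir></code></u><frame></frame><code></code>';

    // document.body is null after the removal, so report on the root element.
    // Reaching this line means the DOM manipulation above did not crash.
    var result = document.createElement('p');
    result.appendChild(document.createTextNode('PASS: DOM modification in a detached tree did not crash.'));
    document.documentElement.appendChild(result);
}
</script>
</body>
</html>
```

A test like this belongs under LayoutTests with a matching `-expected.txt` containing the PASS line; a crash shows up as a test failure in the DumpRenderTree run rather than as an access violation only reproducible by hand.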