Bug 19537 - DOM modification causes Access Violations (NULL pointers?)
Summary: DOM modification causes Access Violations (NULL pointers?)
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs (show other bugs)
Version: 525.x (Safari 3.1)
Hardware: PC Windows Vista
: P1 Normal
Assignee: Nobody
URL: http://skypher.com/SkyLined/Repro/Saf...
Keywords: InRadar
Depends on:
Reported: 2008-06-13 09:20 PDT by Berend-Jan Wever
Modified: 2010-04-20 12:12 PDT (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Berend-Jan Wever 2008-06-13 09:20:52 PDT
I found that the following javascript causes two Access Violations. Both appear
to be NULL pointers:

<BODY onload="go()"><SCRIPT>
    function go() {

One of the two AVs happens most often, I think which one happens is based on timing. Please note that at least one of the NULL pointers happens in code that appears to want to call a method in a vtable. Should the NULL value be attacker controlable, this is extremely exploitable. I am assuming it is always NULL and not exploitable.
Comment 1 Mark Rowe (bdash) 2008-06-13 14:53:42 PDT
Comment 2 Mark Rowe (bdash) 2008-06-13 16:04:16 PDT
In a debug build, this hits the exact same assertion as bug 19536.  I suspect it may be the same underlying issue.
Comment 3 Berend-Jan Wever 2010-04-19 09:56:37 PDT
This no longer reproduces, it must have been fixed at some point :)
Comment 4 Alexey Proskuryakov 2010-04-20 12:12:59 PDT
Should we land this as a regression test?