RESOLVED DUPLICATE of bug 33913 Bug 31353
WebCore::Media::matchMedium NULL pointer crash
https://bugs.webkit.org/show_bug.cgi?id=31353
Summary WebCore::Media::matchMedium NULL pointer crash
Berend-Jan Wever
Reported 2009-11-11 08:30:48 PST
Created attachment 42963 [details] Repro case The below HTML causes a NULL pointer in "WebCore::Media::matchMedium" (WebKit/WebCore/css/Media.cpp): <IFRAME id="w" src="http://www.google.com"></IFRAME> <SCRIPT> // Get a reference to a window (window.open can also be used instead of an IFRAME) w=document.getElementById("w").contentWindow; // Get a reference to the media object m=w.media; // Navigate the window w.location.reload(); // Wait for the window to navigate and crash setTimeout(function () { m.matchMedium(); }, 1000); </SCRIPT> Looking at the code, I think that the root cause is that the function relies on m_window to have a document, which it may not have: bool Media::matchMedium(const String& query) const { Document* document = m_window->document(); // *** what if this is NULL? Frame* frame = m_window->frame(); CSSStyleSelector* styleSelector = document->styleSelector(); Element* docElement = document->documentElement(); if (!styleSelector || !docElement || !frame) return false; RefPtr<RenderStyle> rootStyle = styleSelector->styleForElement(docElement, 0 /*defaultParent*/, false /*allowSharing*/, true /*resolveForRootDefault*/); RefPtr<MediaList> media = MediaList::create(); ExceptionCode ec = 0; media->setMediaText(query, ec); if (ec) return false; MediaQueryEvaluator screenEval(type(), frame, rootStyle.get()); return screenEval.eval(media.get()); }
Attachments
Repro case (417 bytes, text/html)
2009-11-11 08:30 PST, Berend-Jan Wever
no flags
Berend-Jan Wever
Comment 1 2009-11-11 08:32:41 PST
Added online repro link
Eric Seidel (no email)
Comment 2 2009-11-11 08:33:40 PST
Thank you for the bug. CCing one of our media folks.
Berend-Jan Wever
Comment 3 2009-11-11 08:35:08 PST
Eric Seidel (no email)
Comment 4 2009-11-11 08:35:54 PST
Actually, different kind of "media" than I initially thought.
Berend-Jan Wever
Comment 5 2010-09-29 06:42:59 PDT
This no longer reproduces in latest Chromium - I assume it has been fixed at some point. My fuzzers should find it again if it is not fixed.
Alexey Proskuryakov
Comment 6 2010-09-29 08:26:50 PDT
*** This bug has been marked as a duplicate of bug 33913 ***
Note You need to log in before you can comment on or make changes to this bug.