Created attachment 42963 [details]
Repro case

The below HTML causes a NULL pointer in "WebCore::Media::matchMedium" (WebKit/WebCore/css/Media.cpp):

<IFRAME id="w" src="http://www.google.com"></IFRAME>
<SCRIPT>
// Get a reference to a window (window.open can also be used instead of an IFRAME)
w=document.getElementById("w").contentWindow;
// Get a reference to the media object
m=w.media;
// Navigate the window
w.location.reload();
// Wait for the window to navigate and crash
setTimeout(function () { m.matchMedium(); }, 1000);
</SCRIPT>

Looking at the code, I think that the root cause is that the function relies on m_window to have a document, which it may not have:

bool Media::matchMedium(const String& query) const
{
    Document* document = m_window->document(); // *** what if this is NULL?
    Frame* frame = m_window->frame();

    CSSStyleSelector* styleSelector = document->styleSelector();
    Element* docElement = document->documentElement();
    if (!styleSelector || !docElement || !frame)
        return false;

    RefPtr<RenderStyle> rootStyle = styleSelector->styleForElement(docElement, 0 /*defaultParent*/, false /*allowSharing*/, true /*resolveForRootDefault*/);
    RefPtr<MediaList> media = MediaList::create();

    ExceptionCode ec = 0;
    media->setMediaText(query, ec);
    if (ec)
        return false;

    MediaQueryEvaluator screenEval(type(), frame, rootStyle.get());
    return screenEval.eval(media.get());
}
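The failure pattern the report describes (a script-held wrapper object whose window loses its document during navigation) can be modelled in isolation. The following is an added example written for this page, not the reporter's code and not WebCore's; the Document, Window and MediaWrapper types are hypothetical stand-ins for the WebCore classes, and the query evaluator is a constructed toy. It walks through the repro's sequence against a version of matchMedium that checks the document pointer before using it, so the call made after reload() returns false instead of dereferencing NULL.

```cpp
#include <memory>
#include <string>

// Hypothetical stand-in for WebCore::Document (assumption, not WebCore's class).
struct Document {
    bool hasStyleSelector = true;
    bool hasDocumentElement = true;
};

// Hypothetical stand-in for the DOMWindow that Media holds as m_window.
struct Window {
    std::unique_ptr<Document> doc;

    Document* document() const { return doc.get(); }

    // Between the old document being torn down and the new one being
    // committed, the window has no document at all.
    void beginNavigation() { doc.reset(); }
    void finishNavigation() { doc = std::make_unique<Document>(); }
};

// Hypothetical stand-in for WebCore::Media; script keeps this alive across
// the navigation (m = w.media in the repro).
struct MediaWrapper {
    Window* m_window;
    explicit MediaWrapper(Window* w) : m_window(w) {}

    // Toy evaluator constructed for the example: only "screen" matches.
    static bool evaluate(const std::string& query) { return query == "screen"; }

    // Unchecked form, mirroring the shape of the code in the report: if
    // document() is NULL the member accesses below dereference it.
    // Not called by this example.
    bool matchMediumUnchecked(const std::string& query) const {
        Document* document = m_window->document();
        if (!document->hasStyleSelector || !document->hasDocumentElement)
            return false;
        return evaluate(query);
    }

    // Hardened form: treat "no document" like "no style selector" and
    // return false, which is the function's existing failure value.
    bool matchMediumChecked(const std::string& query) const {
        Document* document = m_window->document();
        if (!document)
            return false;  // window is mid-navigation; nothing to evaluate against
        if (!document->hasStyleSelector || !document->hasDocumentElement)
            return false;
        return evaluate(query);
    }
};

// Drives the repro's sequence: load, grab the wrapper, reload, call again.
// Returns true when the first call matched and the second safely reported
// no match instead of touching a NULL document.
bool simulateReproChecked() {
    Window w;
    w.finishNavigation();                            // initial load: document present
    MediaWrapper m(&w);                              // script retains the wrapper
    bool before = m.matchMediumChecked("screen");    // true: document available
    w.beginNavigation();                             // w.location.reload(): document gone
    bool during = m.matchMediumChecked("screen");    // false: guarded, no crash
    return before && !during;
}
```

The guard is placed before any use of the document pointer, matching where the report's "what if this is NULL?" comment sits; the existing styleSelector/docElement check further down cannot help because those values are obtained by dereferencing the pointer first.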
Added online repro link
Thank you for the bug. CCing one of our media folks.
Chrome tracking bug: http://code.google.com/p/chromium/issues/detail?id=27386
Actually, different kind of "media" than I initially thought.
This no longer reproduces in latest Chromium - I assume it has been fixed at some point. My fuzzers should find it again if it is not fixed.
*** This bug has been marked as a duplicate of bug 33913 ***