Bug 31684 - WebCore::Range::surroundContents NULL pointer crash
Summary: WebCore::Range::surroundContents NULL pointer crash
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: 528+ (Nightly build)
Hardware: All All
Importance: P1 Normal
Assignee: Nobody
URL: http://skypher.com/SkyLined/Repro/Web...
Keywords:
Depends on:
Blocks:
 
Reported: 2009-11-19 13:54 PST by Berend-Jan Wever
Modified: 2019-02-06 09:03 PST
CC List: 6 users

See Also:


Attachments
Repro (200 bytes, text/html), 2009-11-19 13:54 PST, Berend-Jan Wever, no flags
patch v1 (3.64 KB, patch), 2009-12-19 00:37 PST, MORITA Hajime, no flags

Description Berend-Jan Wever 2009-11-19 13:54:16 PST
Created attachment 43520
Repro

The following HTML triggers a NULL pointer crash in "WebCore::Range::surroundContents":

<SCRIPT>
  // Create a range and an empty text node that is never inserted into
  // the document, so it has no parent.
  range=document.createRange();
  text=document.createTextNode('');
  // Make the detached text node the range's container.
  range.selectNodeContents(text);
  element=document.createElement("l");
  // surroundContents() must re-parent the range contents under 'element';
  // the container's missing parent is what the code does not guard against.
  range.surroundContents(element);
</SCRIPT>

Relevant call stack (in Chromium):
WebCore::Range::surroundContents(class WTF::PassRefPtr<WebCore::Node> passNewParent = class WTF::PassRefPtr<WebCore::Node>, int * ec = 0x0012f220)+0x113
WebCore::RangeInternal::surroundContentsCallback(class v8::Arguments * args = 0x00000000)+0xac
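As an added illustration of the condition the repro above sets up (this is example code, not from the bug report or WebKit): the range's start container is a node that was never inserted, so its parentNode is null, and a surroundContents() on it has nowhere to attach the new parent. A fixed engine throws an exception at that point (the exact exception type is not stated in this bug); the wrapper below checks for the detached container first, forwards to the real API otherwise, and converts any thrown DOMException into a result object. The stub range constructor and the result shape are assumptions made so the code also runs under Node without a DOM.

```javascript
// Added example (not from the bug report or WebKit).

// A node created with createTextNode()/createElement() and never inserted
// into the tree has parentNode === null; that is the repro's situation.
function rangeContainerIsDetached(range) {
  return range.startContainer.parentNode === null;
}

// Defensive wrapper around Range.surroundContents(): refuse detached
// containers up front and report exceptions instead of propagating them.
function safeSurroundContents(range, newParent) {
  if (rangeContainerIsDetached(range)) {
    return { ok: false, reason: "range start container has no parent" };
  }
  try {
    range.surroundContents(newParent);
    return { ok: true };
  } catch (e) {
    // Browser DOMExceptions carry a .name such as "HierarchyRequestError".
    return { ok: false, reason: e.name || String(e) };
  }
}

// Constructed stand-in for a Range so the wrapper can be exercised under
// Node without a DOM (assumption: only startContainer and surroundContents
// are needed, which matches what the wrapper touches on a real Range).
function makeStubRange(startContainer, surroundContentsImpl) {
  return { startContainer, surroundContents: surroundContentsImpl };
}

// In a browser, run the report's exact sequence through the wrapper.
function runRepro() {
  const range = document.createRange();
  const text = document.createTextNode('');
  range.selectNodeContents(text); // detached text node as the container
  return safeSurroundContents(range, document.createElement('l'));
}

if (typeof document !== 'undefined') {
  console.log(runRepro());
}
```

In a browser with this fix, runRepro() returns a failure result rather than crashing the renderer; under Node the stub exercises the three outcomes (detached container, successful call, call that throws).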
Comment 1 Berend-Jan Wever 2009-11-19 13:57:11 PST
Added online repro URL
Comment 2 MORITA Hajime 2009-12-19 00:37:50 PST
Created attachment 45226
patch v1
Comment 3 MORITA Hajime 2009-12-19 00:40:10 PST
Added a NULL guard: null throws an exception.
Note that Firefox also throws an exception (NS_ERROR_UNEXPECTED) in the case.
Comment 4 WebKit Review Bot 2009-12-19 00:42:22 PST
style-queue ran check-webkit-style on attachment 45226 without any errors.
Comment 5 WebKit Commit Bot 2009-12-19 10:30:50 PST
Comment on attachment 45226
patch v1

Clearing flags on attachment: 45226

Committed r52388: <http://trac.webkit.org/changeset/52388>
Comment 6 WebKit Commit Bot 2009-12-19 10:30:55 PST
All reviewed patches have been landed. Closing bug.
Comment 7 Lucas Forschler 2019-02-06 09:03:11 PST
Mass moving XML DOM bugs to the "DOM" Component.