33913 – Crash under Media::matchMedium in detached frame

Bug 33913 - Crash under Media::matchMedium in detached frame

Summary: Crash under Media::matchMedium in detached frame

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebCore JavaScript (show other bugs)
Version:	528+ (Nightly build)
Hardware:	All All

Importance:	P2 Normal
Assignee:	Alexey Proskuryakov

URL:
Keywords:

Duplicates (1):	31353 (view as bug list)
Depends on:
Blocks:	29692
	Show dependency tree / graph

Reported:	2010-01-20 10:41 PST by Alexey Proskuryakov
Modified:	2010-09-29 08:26 PDT (History)
CC List:	1 user (show)

See Also:

Attachments
proposed fix (8.57 KB, patch) 2010-01-20 10:56 PST, Alexey Proskuryakov	simon.fraser: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexey Proskuryakov 2010-01-20 10:41:10 PST

Caught this with DOM Fuzzer. I have a reduction that crashes in a slightly different manner, but in both cases, it's a null dereference due to null m_window->document().

Comment 1 Alexey Proskuryakov 2010-01-20 10:56:04 PST

Created attachment 47048 [details]
proposed fix

Comment 2 Alexey Proskuryakov 2010-01-20 11:01:27 PST

Committed revision 53555.

Comment 3 Alexey Proskuryakov 2010-08-09 06:34:07 PDT

> Removed null check for document element - every document has one.

Untrue, see bug 31353.

Comment 4 Alexey Proskuryakov 2010-09-29 08:26:03 PDT

I guess I meant bug 43677.

Comment 5 Alexey Proskuryakov 2010-09-29 08:26:50 PDT

*** Bug 31353 has been marked as a duplicate of this bug. ***