Bug 43139 - cross_fuzz window.styleMedia.matchMedium() NULL pointer with open document
Summary: cross_fuzz window.styleMedia.matchMedium() NULL pointer with open document
Status: RESOLVED DUPLICATE of bug 43677
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: 528+ (Nightly build)
Hardware: PC Windows Vista
Importance: P1 Normal
Assignee: Nobody
Blocks: 42959
Reported: 2010-07-28 12:49 PDT by Berend-Jan Wever
Modified: 2010-08-07 14:50 PDT

Attachments
Repro case (65 bytes, text/html)
2010-07-28 12:49 PDT, Berend-Jan Wever

Description Berend-Jan Wever 2010-07-28 12:49:37 PDT
Created attachment 62863
Repro case

Found as part of the cross_fuzz investigation.
Repro:
  <body onload="document.open();window.styleMedia.matchMedium();">

id:             WebCore::CSSStyleSelector::styleForElement ReadAV@NULL (dc7b32067c1b2c657a6337dd1beb1998)
description:    Attempt to read from NULL pointer (+0x24) in WebCore::CSSStyleSelector::styleForElement
stack:          WebCore::CSSStyleSelector::styleForElement
                WebCore::StyleMedia::matchMedium
                WebCore::StyleMediaInternal::matchMediumCallback
                v8::internal::HandleApiCallHelper<...>
                v8::internal::Builtin_HandleApiCall
                v8::internal::Invoke
                v8::internal::Execution::Call
                ...
Comment 1 Berend-Jan Wever 2010-08-05 02:02:40 PDT
Another similar crash, which does not appear to affect latest Chromium:
<body onload="document.write();window.media.matchMedium();">
Comment 2 Adam Barth 2010-08-07 14:50:46 PDT

*** This bug has been marked as a duplicate of bug 43677 ***