Created attachment 67345 [details]
Testcase found in my layouttest fuzzing. Also credit to Cris Neckar, from whose html fuzzer I took some ideas.

This is the second most hit assert/crash in my fuzzing after bug 45570.

Reduced Testcase:

    <table><col><select><tr>

In HTMLTreeBuilder::resetInsertionModeAppropriately(), this assert is hit first. Then we pick up m_fragmentContext.contextElement() which comes out as null, which causes node to be null and crashes in the if statement. I am not sure if this can trigger memory corruption. So filed with security tags.

        ASSERT(isParsingFragment());
        last = true;
        node = m_fragmentContext.contextElement();
    }
    if (node->hasTagName(selectTag)) {

Eric, Adam, if you think it cannot have security consequences, please feel free to remove the tags.
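The control flow the report describes, as an added C++ example that is not WebKit's code: a toy version of the insertion-mode reset walk over a simplified stack of open elements. It shows the path where the walk reaches the root element in document mode, so the fragment context that the real code substitutes at that point is null, and contrasts it with the fragment-parsing path where a context element is present. `ToyTreeBuilder`, `ResetResult`, the tag-to-mode table, the three scenario functions and the fallback to "in body" on a null context are all assumptions of this example; the committed fix (r67356) is not reproduced here, and the constructed stacks do not replay the `<table><col><select><tr>` testcase.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Simplified insertion modes; the real tree builder has many more.
enum class InsertionMode { InSelect, InSelectInTable, InRow, InColumnGroup, InTable, InBody };

struct Element { std::string tag; };

// Constructed stand-in for the tree builder: root (html) first, current node last.
struct ToyTreeBuilder {
    std::vector<Element> openElements;
    const Element* fragmentContext = nullptr; // non-null only when parsing a fragment
    bool isParsingFragment() const { return fragmentContext != nullptr; }
};

struct ResetResult {
    InsertionMode mode;
    bool hitNullContext; // walk reached the root with no fragment context (the report's crash path)
};

ResetResult resetInsertionModeAppropriately(const ToyTreeBuilder& tb) {
    bool last = false;
    for (size_t i = tb.openElements.size(); i-- > 0;) {
        const Element* node = &tb.openElements[i];
        if (i == 0) {
            // This is where the report's ASSERT(isParsingFragment()) sits: in document
            // mode the context element is null and the unguarded code dereferences it.
            last = true;
            node = tb.fragmentContext;
            if (!node) {
                // Assumed hardening for this example only: never dereference a null
                // context; report it and fall back to "in body".
                return { InsertionMode::InBody, true };
            }
        }
        if (node->tag == "select") {
            // "in select in table" if some ancestor on the stack is a table container.
            for (size_t j = i; j-- > 0;) {
                const std::string& t = tb.openElements[j].tag;
                if (t == "table" || t == "td" || t == "th" || t == "caption")
                    return { InsertionMode::InSelectInTable, false };
            }
            return { InsertionMode::InSelect, false };
        }
        if (node->tag == "tr")       return { InsertionMode::InRow, false };
        if (node->tag == "colgroup") return { InsertionMode::InColumnGroup, false };
        if (node->tag == "table")    return { InsertionMode::InTable, false };
        if (node->tag == "body")     return { InsertionMode::InBody, false };
        if (last)                    return { InsertionMode::InBody, false };
    }
    return { InsertionMode::InBody, false };
}

// Scenario 1 (constructed): ordinary document parse, a <tr> is the current node.
ResetResult documentModeCase() {
    ToyTreeBuilder tb;
    tb.openElements = { {"html"}, {"body"}, {"table"}, {"tr"} };
    return resetInsertionModeAppropriately(tb);
}

// Scenario 2 (constructed): fragment parse with a <tr> context element; the walk
// finds no recognised element on the stack and falls through to the context.
ResetResult fragmentModeCase() {
    static const Element context{"tr"};
    ToyTreeBuilder tb;
    tb.openElements = { {"html"}, {"span"} };
    tb.fragmentContext = &context;
    return resetInsertionModeAppropriately(tb);
}

// Scenario 3 (constructed): document parse whose stack reaches the root without
// matching anything, i.e. the condition the report's assert is meant to exclude.
ResetResult rootWithoutContextCase() {
    ToyTreeBuilder tb;
    tb.openElements = { {"html"}, {"span"} };
    return resetInsertionModeAppropriately(tb);
}

int main() {
    std::printf("document: mode=%d null=%d\n", (int)documentModeCase().mode, documentModeCase().hitNullContext);
    std::printf("fragment: mode=%d null=%d\n", (int)fragmentModeCase().mode, fragmentModeCase().hitNullContext);
    std::printf("root/no ctx: mode=%d null=%d\n", (int)rootWithoutContextCase().mode, rootWithoutContextCase().hitNullContext);
    return 0;
}
```

The third scenario is the one worth keeping in a regression suite for a parser of this shape: whatever the real stack looks like when the invariant breaks, the guarded walk must report the null context rather than dereference it.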
This is a bug in the spec: http://www.w3.org/Bugs/Public/show_bug.cgi?id=10617
Created attachment 67346 [details] test cases
Created attachment 67348 [details] Patch
Created attachment 67349 [details] Patch
Comment on attachment 67349 [details] Patch LGTM.
I don't believe this is security sensitive and can be unmarked as such.
Comment on attachment 67349 [details]
Patch

Clearing flags on attachment: 67349

Committed r67356: <http://trac.webkit.org/changeset/67356>
All reviewed patches have been landed. Closing bug.