RESOLVED FIXED 45621
isParsingFragment assert hit in new treebuilder 
https://bugs.webkit.org/show_bug.cgi?id=45621
Summary isParsingFragment assert hit in new treebuilder
Abhishek Arya
Reported 2010-09-12 14:30:02 PDT
Created attachment 67345 [details] Testcase found in my layouttest fuzzing. Also credit to Cris Neckar, from whose html fuzzer i took some ideas from. This is the second most hit assert,crash in my fuzzing after bug 45570. Reduced Testcase: <kbd><table></kbd><col><select><tr> In HTMLTreeBuilder::resetInsertionModeAppropriately(), this assert is hit first. Then we pick up m_fragmentContext.contextElement() which comes out as null, which causes node to be null and crashes in the if statement. I am not sure if this can trigger memory corruption. So filed with security tags. ASSERT(isParsingFragment()); last = true; node = m_fragmentContext.contextElement(); } if (node->hasTagName(selectTag)) { Eric, Adam, if you think it cannot have security consequences, please feel free to remove the tags.
Attachments
Testcase (35 bytes, text/html)
2010-09-12 14:30 PDT, Abhishek Arya 		no flags
Details
test cases (873 bytes, patch)
2010-09-12 16:27 PDT, Adam Barth 		no flags
DetailsFormatted DiffDiff
Patch (5.11 KB, patch)
2010-09-12 16:47 PDT, Adam Barth 		no flags
DetailsFormatted DiffDiff
Patch (5.06 KB, patch)
2010-09-12 16:50 PDT, Adam Barth 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Adam Barth
Comment 1 2010-09-12 16:25:44 PDT
This is a bug in the spec: http://www.w3.org/Bugs/Public/show_bug.cgi?id=10617
Adam Barth
Comment 2 2010-09-12 16:27:16 PDT
Created attachment 67346 [details] test cases
Adam Barth
Comment 3 2010-09-12 16:47:53 PDT
Created attachment 67348 [details] Patch
Adam Barth
Comment 4 2010-09-12 16:50:56 PDT
Created attachment 67349 [details] Patch
Eric Seidel (no email)
Comment 5 2010-09-12 16:56:19 PDT
Comment on attachment 67349 [details] Patch LGTM.
Eric Seidel (no email)
Comment 6 2010-09-12 16:56:33 PDT
I don't believe this is security sensitive and can be unmarked as such.
WebKit Commit Bot
Comment 7 2010-09-12 17:43:10 PDT
Comment on attachment 67349 [details] Patch Clearing flags on attachment: 67349 Committed r67356: <http://trac.webkit.org/changeset/67356>
WebKit Commit Bot
Comment 8 2010-09-12 17:43:15 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.