RESOLVED FIXED 62526
Null deref in WebCore::HTMLTextAreaElement::removeSpellcheckRange
https://bugs.webkit.org/show_bug.cgi?id=62526
Summary Null deref in WebCore::HTMLTextAreaElement::removeSpellcheckRange
Hironori Bono
Reported 2011-06-12 21:03:41 PDT
(Copied from <http://crbug.com/85744>.)

Chromium: r88647
WebKit: r88523

Run cross_fuzz and you will see the following null deref with a very high probability:

#0 0x539988 in WTF::VectorBufferBase<WebCore::LevelDBTransaction::AVLTreeNode*>::capacity() const third_party/WebKit/Source/JavaScriptCore/wtf/Vector.h:313
#1 0x2e8df98 in WebCore::HTMLTextAreaElement::removeSpellcheckRange(WTF::RefPtr<WebCore::SpellcheckRange>) third_party/WebKit/Source/WebCore/html/HTMLTextAreaElement.cpp:465
#2 0x3053680 in WebCore::HTMLTextAreaElementInternal::removeSpellcheckRangeCallback(v8::Arguments const&) out/Release/obj/gen/webcore/bindings/V8HTMLDivElement.cpp:92
#3 0x223a5d8 in HandleApiCallHelper v8/src/builtins.cc:1105

cross_fuzz instructions: http://www.chromium.org/developers/testing/fuzzers

From inferno: Please file a new bug and assign it to hbono for high priority null ptr fix (was probably introduced in http://trac.webkit.org/changeset/88332).
Attachments
A quick fix with a regression test (5.41 KB, patch)
2011-06-12 21:14 PDT, Hironori Bono
no flags
Hironori Bono
Comment 1 2011-06-12 21:14:01 PDT
Created attachment 96917 [details]
A quick fix with a regression test

Greetings,

I have quickly added null checks to three functions that implement removeSpellcheckRanges() and also a regression test. Is it possible to review this change?

Regards,
Hironori Bono
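Added illustration (not WebKit's code and not the attached patch): a simplified model of the null-argument path described in the report, with the pre-fix method beside the null-checked shape Comment 1 describes. SpellcheckRange and TextAreaModel are assumed stand-ins for the WebCore types, and std::shared_ptr stands in for WTF::RefPtr.

```cpp
#include <algorithm>
#include <memory>
#include <vector>
// Stand-in for WebCore::SpellcheckRange (assumption: just the fields that identify a range).
struct SpellcheckRange { unsigned start; unsigned length; };
// Stand-in for HTMLTextAreaElement's spellcheck-range bookkeeping; std::shared_ptr
// plays the role of WTF::RefPtr.
class TextAreaModel {
public:
    void addSpellcheckRange(std::shared_ptr<SpellcheckRange> range) {
        if (range)
            m_ranges.push_back(range);
    }
    // Pre-fix shape: dereferences the argument with no null check, so a null RefPtr
    // from the V8 binding (the cross_fuzz case) crashes here. Never call it with null.
    void removeSpellcheckRangeUnchecked(std::shared_ptr<SpellcheckRange> range) {
        eraseMatching(range->start, range->length);
    }
    // Post-fix shape: reject null before touching the object and report whether
    // a range was actually removed.
    bool removeSpellcheckRange(std::shared_ptr<SpellcheckRange> range) {
        if (!range)
            return false;
        return eraseMatching(range->start, range->length);
    }
    size_t rangeCount() const { return m_ranges.size(); }
private:
    bool eraseMatching(unsigned start, unsigned length) {
        auto it = std::find_if(m_ranges.begin(), m_ranges.end(),
            [&](const auto& r) { return r->start == start && r->length == length; });
        if (it == m_ranges.end())
            return false;
        m_ranges.erase(it);
        return true;
    }
    std::vector<std::shared_ptr<SpellcheckRange>> m_ranges;
};

// What a regression test for this bug needs to show: a null argument is a
// no-op instead of a crash, and real ranges are still removable afterwards.
bool fixedPathTolerantOfNull() {
    TextAreaModel textarea;
    auto range = std::make_shared<SpellcheckRange>(SpellcheckRange{0, 5});
    textarea.addSpellcheckRange(range);
    if (textarea.removeSpellcheckRange(nullptr) || textarea.rangeCount() != 1)
        return false;   // null must neither crash nor remove anything
    return textarea.removeSpellcheckRange(range) && textarea.rangeCount() == 0;
}
```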
Hajime Morrita
Comment 2 2011-06-12 21:17:03 PDT
Comment on attachment 96917 [details]
A quick fix with a regression test

r=me
WebKit Review Bot
Comment 3 2011-06-12 21:55:54 PDT
Comment on attachment 96917 [details]
A quick fix with a regression test

Clearing flags on attachment: 96917

Committed r88627: <http://trac.webkit.org/changeset/88627>
WebKit Review Bot
Comment 4 2011-06-12 21:55:58 PDT
All reviewed patches have been landed. Closing bug.