Bug 72222 - REGRESSION(99849): NULL-deref in updateLastMediaLine when parsing some media-queries
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Julien Chaffraix
Reported: 2011-11-12 17:06 PST by Julien Chaffraix
Modified: 2011-11-13 09:43 PST

Attachments
Proposed fix: extend the NULL-check. Reduced test case from our top-most crashers as test-case. (3.46 KB, patch)
2011-11-12 17:20 PST, Julien Chaffraix

Description Julien Chaffraix 2011-11-12 17:06:41 PST
Seems like r99849 missed a code path in CSSGrammar.y:

CSSParser* p = static_cast<CSSParser*>(parser);
if ($$)
    $$->appendMediaQuery(p->sinkFloatingMediaQuery($4));
p->updateLastMediaLine($$);

($$ can be null and we would crash in updateLastMediaLine)

I had some bandwidth today so I reduced the crashes seen in the wild and came up with a small patch. I will attach it shortly.
Comment 1 Julien Chaffraix 2011-11-12 17:20:04 PST
Created attachment 114848
Proposed fix: extend the NULL-check. Reduced test case from our top-most crashers as test-case.
Comment 2 WebKit Review Bot 2011-11-13 09:43:46 PST
Comment on attachment 114848
Proposed fix: extend the NULL-check. Reduced test case from our top-most crashers as test-case.

Clearing flags on attachment: 114848

Committed r100092: <http://trac.webkit.org/changeset/100092>
Comment 3 WebKit Review Bot 2011-11-13 09:43:50 PST
All reviewed patches have been landed.  Closing bug.