[Webkit-unassigned] [Bug 9760] New: Reproducible crash in NamedAttrMapImpl::setNamedItem()
bugzilla-daemon at opendarwin.org
Thu Jul 6 09:26:51 PDT 2006
http://bugzilla.opendarwin.org/show_bug.cgi?id=9760
Summary: Reproducible crash in NamedAttrMapImpl::setNamedItem()
Product: WebKit
Version: 418.x
Platform: Macintosh PowerPC
URL: http://browserfun.blogspot.com/2006/07/mobb-5-dhtml-setattributenode.html
OS/Version: Mac OS X 10.4
Status: NEW
Severity: critical
Priority: P1
Component: HTML DOM
AssignedTo: webkit-unassigned at opendarwin.org
ReportedBy: ddkilzer at kilzer.net
CC: hyatt at apple.com, mjs at apple.com, darin at apple.com,
ggaren at apple.com
Text copied from the blog entry in the URL:
The following bug was tested on the latest version of Safari (2.0.4 / 419.3)
on a fully-patched Mac OS X (10.4.7 - Build 8J135) system. This bug was
discovered by Dennis Cox using a modified version of the Hamachi test. This bug
does not trigger using the Konqueror KHTML/KJS engine included with KDE 3.5.1,
even though these products share code.
var a = document.createElement("a");
a.setAttributeNode();
Demonstration
http://metasploit.com/users/hdm/tools/browserfun/mobb_005.html
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x0000000c
Thread 0 Crashed:
0 com.apple.WebCore DOM::NamedAttrMapImpl::setNamedItem()
1 com.apple.WebCore DOM::Element::setAttributeNodeNS()
2 com.apple.WebCore DOM::Element::setAttributeNode()
This bug will be added to the OSVDB:
Apple Safari DHTML setAttributeNode() NULL Dereference
http://osvdb.org/26838
--
Configure bugmail: http://bugzilla.opendarwin.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
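
The defect class reported above, as an added example that is not part of the original report and is not WebCore source: an attribute-map setter that dereferences its argument without a null check, beside a form that rejects the missing argument first. All type and function names (Attr, AttrMap, DomError, setNamedItemUnchecked) are hypothetical. The fault address 0x0000000c in the crash log is consistent with a member read at a small offset from a null pointer.

```cpp
// Simplified model for illustration; NOT WebCore source. All names are hypothetical.
#include <cstddef>
#include <cstdio>
#include <map>
#include <string>

struct Attr {
    std::string name;
    std::string value;
    const void* ownerElement = nullptr;  // element that currently holds this attribute
};

enum class DomError { None, TypeMismatch, InUseAttribute };

class AttrMap {
public:
    explicit AttrMap(const void* owner) : owner_(owner) {}

    // Unchecked form: the first statement reads a member through attr.
    // If the caller passes a null pointer, that read faults near address 0.
    DomError setNamedItemUnchecked(Attr* attr) {
        if (attr->ownerElement && attr->ownerElement != owner_) return DomError::InUseAttribute;
        attr->ownerElement = owner_;
        items_[attr->name] = attr;
        return DomError::None;
    }

    // Hardened form: reject a missing argument before any member access,
    // so the caller can raise a script-visible exception instead of crashing.
    DomError setNamedItem(Attr* attr) {
        if (!attr) return DomError::TypeMismatch;
        return setNamedItemUnchecked(attr);
    }

    std::size_t size() const { return items_.size(); }

private:
    const void* owner_;
    std::map<std::string, Attr*> items_;
};

int main() {
    int element = 0;                     // stand-in for the owning element
    AttrMap attrs(&element);
    DomError err = attrs.setNamedItem(nullptr);  // models a.setAttributeNode() with no argument
    std::printf("null argument rejected: %s\n", err == DomError::TypeMismatch ? "yes" : "no");
    return 0;
}
```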