[Webkit-unassigned] [Bug 31353] New: WebCore::Media::matchMedium NULL pointer

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Nov 11 08:30:49 PST 2009 

https://bugs.webkit.org/show_bug.cgi?id=31353

           Summary: WebCore::Media::matchMedium NULL pointer
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Windows Vista
            Status: NEW
          Severity: Normal
          Priority: P1
         Component: Media Elements
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: skylined at chromium.org
                CC: eric at webkit.org


Created an attachment (id=42963)
 --> (https://bugs.webkit.org/attachment.cgi?id=42963)
Repro case

The below HTML causes a NULL pointer in "WebCore::Media::matchMedium"
(WebKit/WebCore/css/Media.cpp):

<IFRAME id="w" src="http://www.google.com"></IFRAME>
<SCRIPT>
  // Get a reference to a window (window.open can also be used instead of an
IFRAME)
  w=document.getElementById("w").contentWindow;
  // Get a reference to the media object
  m=w.media;
  // Navigate the window
  w.location.reload();
  // Wait for the window to navigate and crash
  setTimeout(function () { m.matchMedium(); }, 1000);
</SCRIPT>

Looking at the code, I think that the root cause is that the function relies on
m_window to have a document, which it may not have:

bool Media::matchMedium(const String& query) const
{
    Document* document = m_window->document(); // *** what if this is NULL?
    Frame* frame = m_window->frame();

    CSSStyleSelector* styleSelector = document->styleSelector();
    Element* docElement = document->documentElement();
    if (!styleSelector || !docElement || !frame)
        return false;

    RefPtr<RenderStyle> rootStyle = styleSelector->styleForElement(docElement,
0 /*defaultParent*/, false /*allowSharing*/, true /*resolveForRootDefault*/);
    RefPtr<MediaList> media = MediaList::create();

    ExceptionCode ec = 0;
    media->setMediaText(query, ec);
    if (ec)
        return false;

    MediaQueryEvaluator screenEval(type(), frame, rootStyle.get());
    return screenEval.eval(media.get());
}

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list