[Webkit-unassigned] [Bug 43722] New: cross_fuzz WebCore::RenderBlock::addChild* NULL ptrs

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Aug 9 08:26:03 PDT 2010 

https://bugs.webkit.org/show_bug.cgi?id=43722

           Summary: cross_fuzz WebCore::RenderBlock::addChild* NULL ptrs
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Windows Vista
            Status: NEW
          Severity: Normal
          Priority: P1
         Component: HTML DOM
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: skylined at chromium.org
                CC: eric at webkit.org
            Blocks: 42959


Created an attachment (id=63895)
 --> (https://bugs.webkit.org/attachment.cgi?id=63895)
Repro

The following code triggers a NULL ptr in Chromium latest:
<html>
  <head>
    <style>
      :before{
        content:""
      };
    </style>
  </head>
  <body onload="document.linkColor=0;">
    <ruby>
      <rt></rt>
    </ruby>
  </body>
</html>

id:             WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks ReadAV at NULL (8861963c2158cde00d41e1ee9baea2f1)
description:    Attempt to read from NULL pointer (+0xC) in WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks
signatures:     Function: WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks
                Basic signature: WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks(...)-2D824F8
stack:          WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks
                WebCore::RenderBlock::addChildIgnoringContinuation
                WebCore::RenderBlock::addChild
                WebCore::RenderRubyRun::addChild
                WebCore::RenderRubyAsInline::addChild
                WebCore::RenderObjectChildList::updateBeforeAfterContent
                WebCore::RenderInline::styleDidChange
                WebCore::RenderObject::setStyle
                WebCore::RenderObject::setAnimatableStyle
                WebCore::Node::setRenderStyle
                WebCore::Element::recalcStyle
                WebCore::Element::recalcStyle
                WebCore::Element::recalcStyle
                WebCore::Document::recalcStyle
                WebCore::StyledElement::attributeChanged
                WebCore::NamedNodeMap::addAttribute
                WebCore::Element::setAttribute
                WebCore::Element::setAttribute
                WebCore::HTMLBodyElement::setLink
                WebCore::HTMLDocument::setLinkColor
                WebCore::HTMLDocumentInternal::linkColorAttrSetter
                v8::internal::JSObject::SetPropertyWithCallback
                v8::internal::JSObject::SetProperty
                v8::internal::JSObject::SetPropertyPostInterceptor
                v8::internal::JSObject::SetPropertyWithInterceptor
                v8::internal::JSObject::SetProperty
                v8::internal::JSObject::SetProperty
                v8::internal::StoreIC::Store
                v8::internal::StoreIC_Miss
                v8::internal::Invoke
                v8::internal::Execution::Call
                ...

During fuzzzing, I have seen NULL ptr crashes two levels up the stack as well, in Renderblock::AddChild. I expect the cause is the same.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list