[Webkit-unassigned] [Bug 44610] New: Malformed SVG causes crash in Safari and Google Chrome
bugzilla-daemon at webkit.org
Wed Aug 25 07:31:48 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=44610
Summary: Malformed SVG causes crash in Safari and Google Chrome
Product: WebKit
Version: 528+ (Nightly build)
Platform: Macintosh
OS/Version: Mac OS X 10.6
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: SVG
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: brondaire at gmail.com
CC: zimmermann at kde.org
Created an attachment (id=65416)
--> (https://bugs.webkit.org/attachment.cgi?id=65416)
Viewing the attached SVG crashes Safari/Chrome
Opening the attached SVG file causes crashes both in Safari and Google Chrome. Quick stack trace from OS X 10.6.5 (10H529), Safari Version 5.0.1 (6533.17.8) follows:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
0x00007fff8714d312 in WebCore::updateContainerOffset ()
(gdb) bt
#0 0x00007fff8714d312 in WebCore::updateContainerOffset ()
#1 0x00007fff8714d2d8 in WebCore::updateContainerOffset ()
#2 0x00007fff8714d2d8 in WebCore::updateContainerOffset ()
#3 0x00007fff8714d2d8 in WebCore::updateContainerOffset ()
#4 0x00007fff8714d2d8 in WebCore::updateContainerOffset ()
#5 0x00007fff8714d2d8 in WebCore::updateContainerOffset ()
#6 0x00007fff8714d2d8 in WebCore::updateContainerOffset ()
#7 0x00007fff8714d2d8 in WebCore::updateContainerOffset ()
#8 0x00007fff8714d0f0 in WebCore::SVGUseElement::updateContainerOffsets ()
#9 0x00007fff8714bf3a in WebCore::SVGUseElement::buildShadowAndInstanceTree ()
#10 0x00007fff8714b709 in WebCore::RenderSVGShadowTreeRootContainer::updateFromElement ()
#11 0x00007fff86bf07d1 in WebCore::ContainerNode::dispatchPostAttachCallbacks ()
#12 0x00007fff86ae25ff in WebCore::ContainerNode::resumePostAttachCallbacks ()
#13 0x00007fff86ae85ed in WebCore::Element::attach ()
#14 0x00007fff86c31be4 in WebCore::ContainerNode::appendChild ()
#15 0x00007fff86d62732 in WebCore::XMLTokenizer::insertErrorMessageBlock ()
#16 0x00007fff86bbdb68 in WebCore::XMLTokenizer::end ()
#17 0x00007fff86ad05f2 in WebCore::DocumentWriter::endIfNotLoadingMainResource ()
#18 0x00007fff86b899ab in WebCore::FrameLoader::finishedLoading ()
#19 0x00007fff86b898f0 in WebCore::MainResourceLoader::didFinishLoading ()
#20 0x00007fff8249938c in _NSURLConnectionDidFinishLoading ()
#21 0x00007fff80206646 in URLConnectionClient::_clientDidFinishLoading ()
#22 0x00007fff8026bd16 in URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload ()
#23 0x00007fff8026bf82 in URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload ()
#24 0x00007fff801f2cbf in URLConnectionClient::processEvents ()
#25 0x00007fff801f2a9c in MultiplexerSource::perform ()
#26 0x00007fff8179c5f1 in __CFRunLoopDoSources0 ()
#27 0x00007fff8179a7e9 in __CFRunLoopRun ()
#28 0x00007fff81799faf in CFRunLoopRunSpecific ()
#29 0x00007fff8503991a in RunCurrentEventLoopInMode ()
#30 0x00007fff8503971f in ReceiveNextEventCommon ()
#31 0x00007fff850395d8 in BlockUntilNextEventMatchingListInMode ()
#32 0x00007fff83ff3e64 in _DPSNextEvent ()
#33 0x00007fff83ff37a9 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#34 0x0000000100015938 in ?? ()
#35 0x00007fff83fb948b in -[NSApplication run] ()
#36 0x00007fff83fb21a8 in NSApplicationMain ()
#37 0x0000000100009804 in ?? ()
Does not appear to be exploitable.