[Webkit-unassigned] [Bug 29873] Use after free in XHR and/or JS error handler
bugzilla-daemon at webkit.org
Fri Feb 26 12:49:19 PST 2010
https://bugs.webkit.org/show_bug.cgi?id=29873
SkyLined <skylined at chromium.org> changed:
What       | Removed | Added
-----------+---------+-----------
Status     | NEW     | RESOLVED
Resolution |         | WORKSFORME
--- Comment #11 from SkyLined <skylined at chromium.org> 2010-02-26 12:49:19 PST ---
I've reduced the test case to this:
<HTML>
  <!-- external script tag (the src target does not need to exist) -->
  <SCRIPT src="?"></SCRIPT>
  <SCRIPT>
    try {
      throw 0;
    } catch (e) {
      /* popup window that closes itself immediately */
      showModalDialog('javascript:window.close();', this.url);
      /* reload is only here to make the already corrupted memory crash */
      location.reload();
    }
  </SCRIPT>
</HTML>
Available at:
http://skypher.com/SkyLined/Repro/Safari/WebKit%2029873%20-%20xmlhttperror_use_after_free/repro2.html
It does not require XMLHttpRequest at all; it requires a script tag, a caught
exception and a popup window. The location.reload() is there to cause the
corrupted memory to crash the browser - I think the corruption happens before
that.
Tested with 4.0 (530.17) on Windows Vista x64: crash. I installed the more
recent 4.0.4 over 4.0 on the same machine: no crash.
Tested with 3.2 (525.26.13) on Windows XP x86: no crash.
Tested with 4.0.4 (531.21.10) on Windows XP x86: no crash.
So it may have been my install or that particular version of Safari/WebKit. It
appears that it has magically been fixed, so I am closing this bug (assuming
you are actively pushing the updated version of Safari to users).