[Webkit-unassigned] [Bug 33802] New: WebCore::RenderMenuList::setText ExecAV at Arbitrary (fe810d95ab2c1eef13e951397ed944ce)
bugzilla-daemon at webkit.org
Mon Jan 18 09:07:07 PST 2010
https://bugs.webkit.org/show_bug.cgi?id=33802
Summary: WebCore::RenderMenuList::setText ExecAV at Arbitrary (fe810d95ab2c1eef13e951397ed944ce)
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Windows Vista
Status: NEW
Severity: Critical
Priority: P1
Component: HTML DOM
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: skylined at chromium.org
CC: eric at webkit.org
Created an attachment (id=46828)
--> (https://bugs.webkit.org/attachment.cgi?id=46828)
Repro
I found what seems to be some form of memory corruption in WebKit.
Repro:
1) Go to http://www.nshispeed.nl/
2) If you see a popup in the middle of the screen with the word "Blauw",
click "Nee" to get rid of it.
3) Click "English" at the top of the page (not required, but makes it
easier to explain how to repro).
4) In the middle of the page there should be a purple box with two input boxes.
Select either one and type "Parijs".
5) Click on the magnifying glass icon next to the input box.
6) A new popup should show up with two pull-down selection boxes. Choose
"Frankrijk" in the top one and "Paris Nord" in the bottom one.
7) Click "bevestig" -> KABOOM.
I tried to create a reduced repro, but this only triggers a NULL pointer in
WebCore::RenderMenuList::setText. However, I expect the root cause is the same:
<!-- Reduced repro: reloading the page from the onchange handler triggers
     a NULL pointer dereference in WebCore::RenderMenuList::setText -->
<SELECT onchange="location.reload()">
<OPTION>A</OPTION>
<OPTION>B</OPTION>
</SELECT>
Open an HTML file with those contents in Chromium, click on the SELECT box, type
"B", press ENTER -> KaBOOM.