[Webkit-unassigned] [Bug 43040] New: cross_fuzz WebCore::SelectionController::isFocusedAndActive ReadAV at NULL (9e865de49b1800ec790dcc35d8ebd069)
bugzilla-daemon at webkit.org
Tue Jul 27 04:26:54 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=43040
Summary: cross_fuzz WebCore::SelectionController::isFocusedAndActive ReadAV at NULL (9e865de49b1800ec790dcc35d8ebd069)
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Windows Vista
Status: NEW
Severity: Normal
Priority: P1
Component: HTML DOM
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: skylined at chromium.org
CC: eric at webkit.org
Created an attachment (id=62679)
--> (https://bugs.webkit.org/attachment.cgi?id=62679)
Details
From analyzing crash details found by the fuzzer described in bug 42959, I seem to have found the following problem:
http://trac.webkit.org/browser/trunk/WebCore/css/CSSStyleSelector.cpp#L2510
2073 bool CSSStyleSelector::SelectorChecker::checkOneSelector(CSSSelector* sel, Element* e,
HashSet<AtomicStringImpl*>* selectorAttrs, PseudoId& dynamicPseudo, bool isSubSelector,
RenderStyle* elementStyle, RenderStyle* elementParentStyle) const
2074 {
<snip>
2186 // Normal element pseudo class checking.
2187 switch (sel->pseudoType()) {
<snip>
2509 case CSSSelector::PseudoFocus:
2510 if (e && e->focused() && e->document()->frame()->selection()->isFocusedAndActive())
2511 return true;
2512 break;
e->document()->frame()->selection() can be NULL; the code does not take this into consideration.
http://trac.webkit.org/browser/trunk/WebCore/editing/SelectionController.cpp#L1403
1402 bool SelectionController::isFocusedAndActive() const
1403 {
1404 return m_focused && m_frame->page() && m_frame->page()->focusController()->isActive();
1405 }
Trying to read a property of a NULL object causes an access violation.
I've attached the details I extracted automatically using a debugger that helped me track down this issue.
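As an added illustration (not code from the report, the attachment, or WebKit itself), the following C++ model reproduces the shape of the pointer chain the report describes and shows the check that breaks it. The class names mirror the WebCore classes quoted above, but every class body here is a hypothetical stand-in: Document::detach() is an assumed helper that drops the document's frame pointer, so the chain e->document()->frame()->selection() has no valid SelectionController behind it, which is the situation the unchecked :focus test does not handle. matchesFocusUnchecked mirrors the quoted condition; matchesFocusChecked is the hardened form that refuses to match :focus for an element whose document has no frame.

```cpp
#include <cstdio>

// Hypothetical stand-ins for the WebCore classes named in the report.
class FocusController {
public:
    explicit FocusController(bool active) : m_active(active) {}
    bool isActive() const { return m_active; }
private:
    bool m_active;
};

class Page {
public:
    explicit Page(bool active) : m_focusController(active) {}
    FocusController* focusController() { return &m_focusController; }
private:
    FocusController m_focusController;
};

class Frame;

class SelectionController {
public:
    SelectionController(Frame* frame, bool focused) : m_frame(frame), m_focused(focused) {}
    bool isFocusedAndActive() const;
private:
    Frame* m_frame;
    bool m_focused;
};

class Frame {
public:
    Frame(Page* page, bool selectionFocused) : m_page(page), m_selection(this, selectionFocused) {}
    Page* page() const { return m_page; }
    SelectionController* selection() { return &m_selection; }
private:
    Page* m_page;
    SelectionController m_selection;
};

// Same shape as the WebCore function quoted in the report: m_frame is assumed valid.
bool SelectionController::isFocusedAndActive() const
{
    return m_focused && m_frame->page() && m_frame->page()->focusController()->isActive();
}

class Document {
public:
    explicit Document(Frame* frame) : m_frame(frame) {}
    Frame* frame() const { return m_frame; }
    void detach() { m_frame = nullptr; }  // assumed helper: document loses its frame
private:
    Frame* m_frame;
};

class Element {
public:
    Element(Document* doc, bool focused) : m_document(doc), m_focused(focused) {}
    Document* document() const { return m_document; }
    bool focused() const { return m_focused; }
private:
    Document* m_document;
    bool m_focused;
};

// The :focus condition as quoted in the report: only `e` is checked for null.
bool matchesFocusUnchecked(Element* e)
{
    return e && e->focused() && e->document()->frame()->selection()->isFocusedAndActive();
}

// Hardened form: stop as soon as the document has no frame, so no
// SelectionController is ever reached through a null Frame.
bool matchesFocusChecked(Element* e)
{
    if (!e || !e->focused())
        return false;
    Frame* frame = e->document()->frame();
    if (!frame)
        return false;
    SelectionController* selection = frame->selection();
    return selection && selection->isFocusedAndActive();
}

// Scenario from the report: a focused element whose document has lost its frame.
// Calling matchesFocusUnchecked here would dereference a null Frame.
bool focusedElementInDetachedDocumentMatches()
{
    Page page(/*active*/ true);
    Frame frame(&page, /*selectionFocused*/ true);
    Document doc(&frame);
    Element e(&doc, /*focused*/ true);
    doc.detach();
    return matchesFocusChecked(&e);  // false: without a frame, :focus cannot match
}

// Control case: with a live frame, both forms agree that :focus matches.
bool focusedElementInLiveDocumentMatches()
{
    Page page(true);
    Frame frame(&page, true);
    Document doc(&frame);
    Element e(&doc, true);
    return matchesFocusChecked(&e) && matchesFocusUnchecked(&e);
}

int main()
{
    std::printf("detached document matches :focus -> %d\n", focusedElementInDetachedDocumentMatches());
    std::printf("live document matches :focus     -> %d\n", focusedElementInLiveDocumentMatches());
    return 0;
}
```

The hardened check returns false rather than trying to recover a selection some other way: an element in a document with no frame cannot be the focused element of an active window, so "does not match :focus" is the semantically correct answer as well as the safe one.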