[Webkit-unassigned] [Bug 49331] New: chrome.dll!WebCore::SVGLengthInternal::valueInSpecifiedUnitsAttrGetter ReadAV at NULL (4cf97a4f3ebe8006a2f5ffcc5bc10aeb)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Nov 10 11:12:31 PST 2010


https://bugs.webkit.org/show_bug.cgi?id=49331

           Summary: chrome.dll!WebCore::SVGLengthInternal::valueInSpecifiedUnitsAttrGetter ReadAV at NULL (4cf97a4f3ebe8006a2f5ffcc5bc10aeb)
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
               URL: http://code.google.com/p/chromium/issues/detail?id=62713
        OS/Version: Windows Vista
            Status: NEW
          Severity: Normal
          Priority: P1
         Component: SVG
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: skylined at chromium.org
                CC: eric at webkit.org, zimmermann at kde.org,
                    mdelaney at apple.com


Created an attachment (id=73514)
 --> (https://bugs.webkit.org/attachment.cgi?id=73514&action=review)
Repro

Repro:
<script>
  var oSVGPolygon = document.createElementNS("http://www.w3.org/2000/svg", "polygon");
  var oSVGPath = document.createElementNS("http://www.w3.org/2000/svg", "path");
  var oSVGPoint1 = oSVGPath.getPointAtLength();
  oSVGPolygon.points.initialize(oSVGPoint1);
  oSVGPolygon.points.removeItem(-9223372036854775802);
  console.log(oSVGPoint1.x);
  location.reload();
</script>

This is a reduced repro for a case in which I've seen various NULL pointers, and it looks similar to issue 61576, so marking as security.
This does not repro in stable Chrome, so it was probably recently introduced.

id:             chrome.dll!WebCore::SVGLengthInternal::valueInSpecifiedUnitsAttrGetter ReadAV at NULL (4cf97a4f3ebe8006a2f5ffcc5bc10aeb)
description:    Attempt to read from unallocated NULL pointer in chrome.dll!WebCore::SVGLengthInternal::valueInSpecifiedUnitsAttrGetter
application:    Chromium 9.0.579.0
stack:          chrome.dll!WebCore::SVGLengthInternal::valueInSpecifiedUnitsAttrGetter
                chrome.dll!v8::internal::Object::GetPropertyWithCallback
                chrome.dll!v8::internal::Object::GetProperty
                chrome.dll!v8::internal::LoadIC::Load
                chrome.dll!v8::internal::LoadIC_Miss
                chrome.dll!v8::internal::Invoke
                chrome.dll!v8::internal::Execution::Call
                ...
