[Webkit-unassigned] [Bug 62526] New: Null deref in WebCore::HTMLTextAreaElement::removeSpellcheckRange
bugzilla-daemon at webkit.org
Sun Jun 12 21:03:41 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=62526
Summary: Null deref in WebCore::HTMLTextAreaElement::removeSpellcheckRange
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Keywords: InChromiumBugs
Severity: Normal
Priority: P2
Component: WebCore Misc.
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: hbono at chromium.org
(Copied from <http://crbug.com/85744>.)
Chromium: r88647
WebKit: r88523
Run cross_fuzz and you will see the following null deref with a very high probability:
#0 0x539988 in WTF::VectorBufferBase<WebCore::LevelDBTransaction::AVLTreeNode*>::capacity() const third_party/WebKit/Source/JavaScriptCore/wtf/Vector.h:313
#1 0x2e8df98 in WebCore::HTMLTextAreaElement::removeSpellcheckRange(WTF::RefPtr<WebCore::SpellcheckRange>) third_party/WebKit/Source/WebCore/html/HTMLTextAreaElement.cpp:465
#2 0x3053680 in WebCore::HTMLTextAreaElementInternal::removeSpellcheckRangeCallback(v8::Arguments const&) out/Release/obj/gen/webcore/bindings/V8HTMLDivElement.cpp:92
#3 0x223a5d8 in HandleApiCallHelper v8/src/builtins.cc:1105
cross_fuzz instructions:
http://www.chromium.org/developers/testing/fuzzers
From inferno:
Please file a new bug and assign it to hbono for high priority null ptr fix (was probably introduced in http://trac.webkit.org/changeset/88332).
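The trace above shows removeSpellcheckRange reaching a Vector accessor through a null pointer. The report does not say which pointer is null, so the snippet below is a constructed illustration added here, not WebKit code and not the actual fix: it assumes the RefPtr argument can arrive null from script, uses std::shared_ptr and std::vector in place of WTF::RefPtr and WTF::Vector, and shows the unchecked pattern beside a guarded one. The type name SpellcheckRange is taken from the trace; its fields, the TextAreaStub class and the helper names are assumptions.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <vector>

// Constructed stand-in for WebCore::SpellcheckRange; the fields are assumptions.
struct SpellcheckRange {
    unsigned start;
    unsigned length;
};

// Constructed stand-in for the element that owns a list of spellcheck ranges.
// std::shared_ptr / std::vector replace WTF::RefPtr / WTF::Vector.
class TextAreaStub {
public:
    void addSpellcheckRange(std::shared_ptr<SpellcheckRange> range) {
        if (range)
            m_ranges.push_back(std::move(range));
    }

    // Unchecked variant: reads through the argument before testing it.
    // If a caller passes null, the first line dereferences a null pointer.
    bool removeSpellcheckRangeUnchecked(std::shared_ptr<SpellcheckRange> range) {
        unsigned start = range->start;      // null deref when range is null
        unsigned length = range->length;
        return eraseMatching(start, length);
    }

    // Guarded variant: reject a null argument before touching the object.
    // Returning false keeps the call harmless for callers that pass null.
    bool removeSpellcheckRange(std::shared_ptr<SpellcheckRange> range) {
        if (!range)
            return false;
        return eraseMatching(range->start, range->length);
    }

    std::size_t count() const { return m_ranges.size(); }

private:
    // Erase the first stored range with matching bounds; report whether one was found.
    bool eraseMatching(unsigned start, unsigned length) {
        auto it = std::find_if(m_ranges.begin(), m_ranges.end(),
            [&](const std::shared_ptr<SpellcheckRange>& r) {
                return r->start == start && r->length == length;
            });
        if (it == m_ranges.end())
            return false;
        m_ranges.erase(it);
        return true;
    }

    std::vector<std::shared_ptr<SpellcheckRange>> m_ranges;
};

// Small driver so the block runs stand-alone: two constructed ranges, one null
// removal (handled), one real removal.
int main() {
    TextAreaStub area;
    area.addSpellcheckRange(std::make_shared<SpellcheckRange>(SpellcheckRange{0, 5}));
    area.addSpellcheckRange(std::make_shared<SpellcheckRange>(SpellcheckRange{10, 3}));
    area.removeSpellcheckRange(nullptr);                                              // safe: returns false
    area.removeSpellcheckRange(std::make_shared<SpellcheckRange>(SpellcheckRange{0, 5}));
    return area.count() == 1 ? 0 : 1;
}
```

The guarded form is the shape a binding-level entry point wants: any argument that script can hand in is validated before it is dereferenced, and a null simply yields "nothing removed" rather than a crash that a fuzzer such as cross_fuzz will find quickly.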