[Webkit-unassigned] [Bug 62526] New: Null deref in WebCore::HTMLTextAreaElement::removeSpellcheckRange

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Jun 12 21:03:41 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=62526

           Summary: Null deref in
                    WebCore::HTMLTextAreaElement::removeSpellcheckRange
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Keywords: InChromiumBugs
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: hbono at chromium.org


(Copied from <http://crbug.com/85744>.)

Chromium: r88647
WebKit: r88523

Run cross_fuzz and you will see the following null deref with a very high probability: 

    #0 0x539988 in WTF::VectorBufferBase<WebCore::LevelDBTransaction::AVLTreeNode*>::capacity() const third_party/WebKit/Source/JavaScriptCore/wtf/Vector.h:313
    #1 0x2e8df98 in WebCore::HTMLTextAreaElement::removeSpellcheckRange(WTF::RefPtr<WebCore::SpellcheckRange>) third_party/WebKit/Source/WebCore/html/HTMLTextAreaElement.cpp:465
    #2 0x3053680 in WebCore::HTMLTextAreaElementInternal::removeSpellcheckRangeCallback(v8::Arguments const&) out/Release/obj/gen/webcore/bindings/V8HTMLDivElement.cpp:92
    #3 0x223a5d8 in HandleApiCallHelper v8/src/builtins.cc:1105

cross_fuzz instructions: 
http://www.chromium.org/developers/testing/fuzzers

From inferno: 
Please file a new bug and assign
it to hbono for high priority null ptr fix (was probably
introduced in http://trac.webkit.org/changeset/88332).

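The report shows the crash frames but no source, so the following is an added illustration and not WebKit's code: a self-contained C++ sketch of the defensive pattern such a null-pointer fix takes. The types (SpellcheckRange, the ScriptValue stand-in, TextAreaSpellcheck) and the binding conversion are simplified assumptions; in particular it assumes that the generated binding callback hands the element a null handle when the script argument is not a wrapped SpellcheckRange, so the removal method itself must reject null before touching the stored ranges.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Added illustration; not WebKit's code. SpellcheckRange, the binding
// conversion and the element class are simplified stand-ins.
struct SpellcheckRange {
    unsigned start;
    unsigned length;
};
typedef std::shared_ptr<SpellcheckRange> SpellcheckRangePtr;

// Stand-in for a script-side argument as seen by a generated binding callback.
struct ScriptValue {
    enum Kind { Null, Number, String, WrappedRange } kind;
    SpellcheckRangePtr range; // set only when kind == WrappedRange
};

// Assumption: the binding converts anything that is not a wrapped
// SpellcheckRange into a null handle rather than throwing.
SpellcheckRangePtr toNativeSpellcheckRange(const ScriptValue& v) {
    return v.kind == ScriptValue::WrappedRange ? v.range : SpellcheckRangePtr();
}

class TextAreaSpellcheck {
public:
    void addSpellcheckRange(const SpellcheckRangePtr& range) {
        if (!range)
            return;
        m_ranges.push_back(range);
    }

    // Hardened removal: reject a null handle before comparing against the
    // stored ranges. Without the first check, range->start below would be
    // the null dereference.
    bool removeSpellcheckRange(const SpellcheckRangePtr& range) {
        if (!range)
            return false;
        for (size_t i = 0; i < m_ranges.size(); ++i) {
            if (m_ranges[i]->start == range->start && m_ranges[i]->length == range->length) {
                m_ranges.erase(m_ranges.begin() + i);
                return true;
            }
        }
        return false;
    }

    size_t rangeCount() const { return m_ranges.size(); }

private:
    std::vector<SpellcheckRangePtr> m_ranges;
};

// Stand-in for the V8 callback frame in the trace: converts the script
// argument and forwards it; the element, not the binding, guards against null.
bool removeSpellcheckRangeCallback(TextAreaSpellcheck& element, const ScriptValue& arg) {
    return element.removeSpellcheckRange(toNativeSpellcheckRange(arg));
}

// Direct check that a null handle is refused without reaching the vector.
bool rejectsNullHandle() {
    TextAreaSpellcheck element;
    element.addSpellcheckRange(std::make_shared<SpellcheckRange>(SpellcheckRange{0, 1}));
    bool removed = element.removeSpellcheckRange(SpellcheckRangePtr());
    return !removed && element.rangeCount() == 1;
}

// Scenario modelled on the fuzzer-driven calls the report describes: two
// constructed ranges, two bogus removal calls, one genuine one. Returns the
// number of ranges left, which is 1 when the guard works.
size_t rangesAfterBogusRemovals() {
    TextAreaSpellcheck element;
    element.addSpellcheckRange(std::make_shared<SpellcheckRange>(SpellcheckRange{3, 5}));
    element.addSpellcheckRange(std::make_shared<SpellcheckRange>(SpellcheckRange{10, 2}));

    ScriptValue nullArg = { ScriptValue::Null, SpellcheckRangePtr() };
    ScriptValue numberArg = { ScriptValue::Number, SpellcheckRangePtr() };
    removeSpellcheckRangeCallback(element, nullArg);   // no crash, returns false
    removeSpellcheckRangeCallback(element, numberArg); // no crash, returns false

    ScriptValue realArg = { ScriptValue::WrappedRange,
                            std::make_shared<SpellcheckRange>(SpellcheckRange{10, 2}) };
    removeSpellcheckRangeCallback(element, realArg);   // matches and removes one
    return element.rangeCount();
}
```

The point of putting the guard in the element method rather than only in the binding is that every caller, script-driven or internal, passes through the same check, which is what a regression test for a report like this one should exercise.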