[Webkit-unassigned] [Bug 77659] NULL ptr in WebCore::Range::insertNode

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Feb 2 11:56:58 PST 2012 

https://bugs.webkit.org/show_bug.cgi?id=77659





--- Comment #3 from Berend-Jan Wever <skylined at chromium.org>  2012-02-02 11:56:58 PST ---
Created an attachment (id=125158)
 --> (https://bugs.webkit.org/attachment.cgi?id=125158&action=review)
Repro

Sorry for the confusion; I assumed that that link would be publicly accessible. The repro is attached.

<svg xmlns="http://www.w3.org/2000/svg">
<script>
<![CDATA[
 af =[], i = 0;
 function main(){af[i++% af.length]()}
  window._Document_0=document;
  window._Window_0=window;
  _Selection_0=window._Window_0.getSelection();
  af.push(function (){
    try{window._ProcessingInstruction_1=window._Document_0.createProcessingInstruction("x","x")}catch(e){cole.log(e)};
    try{window._Range_0=window._Selection_0.getRangeAt(9223372036854775804)}catch(e){cons(e)};
  })
  af.push(function (){
    try{window._Range_0.surroundContents(window._ProcessingInstruction_1)}catch(e){conog(e)};
  })
  af.push(function (){
    try{window._Selection_0.setBaseAndExtent(window.ocessingInstr0,00032768,_Document_0,47412)}catch(e){cole.log(e)};
    try{window._Range_0.detach()}catch(e){cons(e)};
  })
  document.addEventListener("DOMSubtreeModified",main,false);
  setInterval(main, 100);
]]>
</script>

id:             chrome.dll!WebCore::Range::insertNode ReadAV at NULL (a774923561bd78822366477b21073c62)
description:    Attempt to read from unallocated NULL pointer+0x14 in chrome.dll!WebCore::Range::insertNode
application:    Chromium 18.0.1011.0
stack:          chrome.dll!WebCore::Range::insertNode
                chrome.dll!WebCore::Range::surroundContents
                chrome.dll!WebCore::RangeInternal::surroundContentsCallback
                chrome.dll!v8::internal::HandleApiCallHelper<...>
                chrome.dll!v8::internal::Builtin_HandleApiCall
                chrome.dll!v8::internal::Invoke
                chrome.dll!v8::internal::Execution::Call
                ...

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list