MantisBT - LibDOM
View Issue Details
ID: 0002789
Project: LibDOM
Category: [All Projects] General
View Status: public
Date Submitted: 2020-08-15 23:21
Last Update: 2020-10-02 15:20
Reporter: sha0sum
Assigned To: Daniel Silverstone
Priority: normal
Severity: crash
Reproducibility: always
Status: resolved
Resolution: fixed
Platform:
OS:
OS Version:
Fixed in CI build #:
Reported in CI build #:
Summary: 0002789: Crashes found from fuzzing
Description:
Fuzzing netsurf-gtk using Domato[1] found a few segfaults in LibDOM 0.4.1 (HEAD at 93b8a9bba18fc3166dd158484188b1730afdd382).

Minimized test cases, along with corresponding AddressSanitizer stack traces, are attached.

[1] https://github.com/googleprojectzero/domato
Tags: No tags attached.
Attached Files:
crashes.zip (zip, 6,386 bytes) 2020-08-15 23:21
https://bugs.netsurf-browser.org/mantis/file_download.php?file_id=685&type=bug
5.asan.txt (txt, 3,341 bytes) 2020-08-16 17:37
https://bugs.netsurf-browser.org/mantis/file_download.php?file_id=686&type=bug

Notes
(0002286) sha0sum, 2020-08-16 17:37
Here is another crash input, caused by referencing rowIndex of an HTMLTableRowElement when there is no <thead> in the table:

<script>
window.onload = function () {
    row = document.getElementById("htmlvar00004");
    row.rowIndex;
}
</script>

<table>
<!-- Crashes when no <thead> element -->
<tr id="htmlvar00004"></tr>
</table>
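As an added example, and not code from the LibDOM or NetSurf tree: a small JavaScript reference model of the HTML specification's table.rows ordering and tr.rowIndex. It shows the value a DOM implementation has to return for the input above (a tr directly under a table with no thead), and the other inputs an implementation has to handle without assuming a thead exists: sections out of document order, and a row whose parent is not inside a table at all. The toy tree builder el, the function names and the sample trees are assumptions of this example.

```javascript
// Added example (not LibDOM or NetSurf code): reference model of the HTML
// spec's table.rows ordering and tr.rowIndex, built on a toy element tree.
// The helper el() and all function names are assumptions of this example.

function el(tagName, ...children) {
  const node = { tagName, children: [], parent: null };
  for (const child of children) {
    child.parent = node;
    node.children.push(child);
  }
  return node;
}

const SECTIONS = new Set(["THEAD", "TBODY", "TFOOT"]);

// table.rows per the HTML spec: rows whose parent is a thead come first (in
// tree order), then rows whose parent is the table itself or a tbody (in tree
// order), then rows whose parent is a tfoot. A missing thead simply leaves the
// first bucket empty; nothing here depends on one being present.
function tableRows(table) {
  const head = [];
  const body = [];
  const foot = [];
  for (const child of table.children) {
    if (child.tagName === "TR") {
      body.push(child);
    } else if (SECTIONS.has(child.tagName)) {
      const bucket =
        child.tagName === "THEAD" ? head : child.tagName === "TFOOT" ? foot : body;
      for (const grandchild of child.children) {
        if (grandchild.tagName === "TR") bucket.push(grandchild);
      }
    }
  }
  return head.concat(body, foot);
}

// tr.rowIndex: the row's index in its table's rows collection, or -1 when the
// row is not a child of a table, or of a thead/tbody/tfoot that is a child of
// a table. The parent chain is checked before anything is dereferenced.
function rowIndex(tr) {
  let table = tr.parent;
  if (table && SECTIONS.has(table.tagName)) table = table.parent;
  if (!table || table.tagName !== "TABLE") return -1;
  return tableRows(table).indexOf(tr);
}

// Constructed case 1: the crash input from the note above, a bare <tr> under
// a <table> with no <thead>.
const bareRow = el("TR");
const noHeadTable = el("TABLE", bareRow);

// Constructed case 2: sections out of document order; rows must still be
// reported in thead, tbody/table, tfoot order.
const footRow = el("TR");
const bodyRow = el("TR");
const directRow = el("TR");
const headRow = el("TR");
const mixedTable = el(
  "TABLE",
  el("TFOOT", footRow),
  el("TBODY", bodyRow),
  directRow,
  el("THEAD", headRow)
);

// Constructed case 3: a <tr> inside a <tbody> that has no <table> above it.
const orphanRow = el("TR");
el("TBODY", orphanRow);

function demo() {
  return {
    noHead: rowIndex(bareRow),
    noHeadRowCount: tableRows(noHeadTable).length,
    mixed: [headRow, bodyRow, directRow, footRow].map(rowIndex),
    mixedRowCount: tableRows(mixedTable).length,
    orphan: rowIndex(orphanRow),
  };
}

console.log(demo());
```

Run with node. demo() returns noHead 0, mixed [0, 1, 2, 3] and orphan -1. The point for the crash above is that the thead bucket is just empty when the table has no thead, so a direct child row of the table is row 0; an implementation that reaches for the thead before checking it exists is the kind of code that faults on this input.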
(0002295) Daniel Silverstone, 2020-10-02 15:20
Thanks for this, I've made appropriate fixes to our DOM bindings to deal with these. If you could let us know the best way to get domato and monkey working together we can add this to our CI.

Issue History
2020-08-15 23:21  sha0sum  New Issue
2020-08-15 23:21  sha0sum  File Added: crashes.zip
2020-08-16 17:37  sha0sum  File Added: 5.asan.txt
2020-08-16 17:37  sha0sum  Note Added: 0002286
2020-10-02 11:16  Daniel Silverstone  Assigned To => Daniel Silverstone
2020-10-02 11:16  Daniel Silverstone  Status: new => assigned
2020-10-02 15:20  Daniel Silverstone  Status: assigned => resolved
2020-10-02 15:20  Daniel Silverstone  Resolution: open => fixed
2020-10-02 15:20  Daniel Silverstone  Note Added: 0002295