MantisBT - LibDOM
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0002789LibDOM[All Projects] Generalpublic2020-08-16 00:212024-05-27 13:47
Reportersha0sum 
Assigned Tokinnison 
PrioritynormalSeveritycrashReproducibilityalways
StatusresolvedResolutionfixed 
PlatformOSOS Version
Fixed in CI build #6738
Reported in CI build #
Summary0002789: Crashes found from fuzzing
DescriptionFuzzing netsurf-gtk using Domato[1] found a few segfaults in LibDOM 0.4.1 (HEAD at 93b8a9bba18fc3166dd158484188b1730afdd382).

Minimized test cases, along with corresponding AddressSanitizer stack traces, are attached.

[1] https://github.com/googleprojectzero/domato
TagsNo tags attached.
Relationships
Attached Fileszip crashes.zip (6,386) 2020-08-16 00:21
https://bugs.netsurf-browser.org/mantis/file_download.php?file_id=685&type=bug
txt 5.asan.txt (3,341) 2020-08-16 18:37
https://bugs.netsurf-browser.org/mantis/file_download.php?file_id=686&type=bug

Notes
(0002286)
sha0sum   
2020-08-16 18:37   
Here is another crash input, caused by referencing rowIndex of an HTMLTableRowElement when there is no <thead> in the table:

<script>
window.onload = function () {
    row = document.getElementById("htmlvar00004");
    row.rowIndex;
}
</script>

<table>
<!-- Crashes when no <thead> element -->
<tr id="htmlvar00004"></tr>
</table>
(0002295)
kinnison   
2020-10-02 16:20   
Thanks for this, I've made appropriate fixes to our DOM bindings to deal with these. If you could let us know the best way to get domato and monkey working together we can add this to our CI.
(0002454)
kinnison   
2024-05-27 13:45   
Turns out I hadn't fixed it
(0002455)
kinnison   
2024-05-27 13:47   
There were a couple of spots where table rows didn't check they had parents. Fixed.

Issue History
Date ModifiedUsernameFieldChange
2020-08-16 00:21sha0sumNew Issue
2020-08-16 00:21sha0sumFile Added: crashes.zip
2020-08-16 18:37sha0sumFile Added: 5.asan.txt
2020-08-16 18:37sha0sumNote Added: 0002286
2020-10-02 12:16kinnisonAssigned To => kinnison
2020-10-02 12:16kinnisonStatusnew => assigned
2020-10-02 16:20kinnisonStatusassigned => resolved
2020-10-02 16:20kinnisonResolutionopen => fixed
2020-10-02 16:20kinnisonNote Added: 0002295
2024-05-27 13:45kinnisonStatusresolved => assigned
2024-05-27 13:45kinnisonNote Added: 0002454
2024-05-27 13:47kinnisonStatusassigned => resolved
2024-05-27 13:47kinnisonFixed in CI build # => 6738
2024-05-27 13:47kinnisonNote Added: 0002455