MantisBT - LibDOM
View Issue Details
ID: 0002789
Project: LibDOM
Category: [All Projects] General
View Status: public
Date Submitted: 2020-08-16 00:21
Last Update: 2020-08-16 18:37
Reporter: sha0sum
Assigned To: (none)
Priority: normal
Severity: crash
Reproducibility: always
Status: new
Resolution: open
Platform: (not set)
OS: (not set)
OS Version: (not set)
Fixed in CI build #: (not set)
Reported in CI build #: (not set)
Summary: 0002789: Crashes found from fuzzing
Description:
Fuzzing netsurf-gtk using Domato[1] found a few segfaults in LibDOM 0.4.1 (HEAD at 93b8a9bba18fc3166dd158484188b1730afdd382).

Minimized test cases, along with corresponding AddressSanitizer stack traces, are attached.

[1] https://github.com/googleprojectzero/domato
Tags: No tags attached.
Attached Files:
  crashes.zip (6,386 bytes), added 2020-08-16 00:21
  https://bugs.netsurf-browser.org/mantis/file_download.php?file_id=685&type=bug
  5.asan.txt (3,341 bytes), added 2020-08-16 18:37
  https://bugs.netsurf-browser.org/mantis/file_download.php?file_id=686&type=bug

Notes
(0002286) sha0sum, 2020-08-16 18:37
Here is another crash input, caused by referencing rowIndex of an HTMLTableRowElement when there is no <thead> in the table:

<script>
window.onload = function () {
    row = document.getElementById("htmlvar00004");
    row.rowIndex;
}
</script>

<table>
<!-- Crashes when no <thead> element -->
<tr id="htmlvar00004"></tr>
</table>

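The note above points at the edge case that matters for any rowIndex implementation: thead, tbody and tfoot are all optional children of a table, so the lookup has to tolerate each of them being absent rather than assume a section node exists. The following is an added example written for this page, not LibDOM or NetSurf code. It models HTMLTableRowElement.rowIndex over a small hand-built tree (Node.js has no DOM, so the node shape, el(), getElementById() and the sample tables are constructed here) following the HTML specification's ordering for table.rows: rows under thead first, then rows directly under the table or under tbody in tree order, then rows under tfoot, with -1 for a tr that is not inside a table. The reporter's input is reproduced as the first case.

```javascript
// Added example, not project code: a reference model of tr.rowIndex over a
// constructed mini-DOM (tagName, attrs, children, parentNode).
function el(tagName, attrs = {}, children = []) {
  const node = { tagName: tagName.toUpperCase(), attrs, children, parentNode: null };
  for (const child of children) child.parentNode = node;
  return node;
}

// Depth-first id lookup, standing in for document.getElementById.
function getElementById(root, id) {
  if (root.attrs.id === id) return root;
  for (const child of root.children) {
    const found = getElementById(child, id);
    if (found) return found;
  }
  return null;
}

const SECTION_TAGS = new Set(['THEAD', 'TBODY', 'TFOOT']);

// table.rows per the HTML spec: tr children of every thead first, then tr
// children of the table itself or of any tbody (tree order), then tr
// children of every tfoot. Every section kind is optional, so a table with
// no <thead> simply contributes nothing to the first group.
function tableRows(table) {
  const head = [], body = [], foot = [];
  for (const child of table.children) {
    if (child.tagName === 'TR') {
      body.push(child);
    } else if (SECTION_TAGS.has(child.tagName)) {
      const bucket = child.tagName === 'THEAD' ? head
                   : child.tagName === 'TFOOT' ? foot : body;
      for (const grandchild of child.children) {
        if (grandchild.tagName === 'TR') bucket.push(grandchild);
      }
    }
  }
  return head.concat(body, foot);
}

// tr.rowIndex: position in the owning table's rows, or -1 when the tr is not
// a child of a table, or of a thead/tbody/tfoot that is itself a table child.
// Every parent pointer is checked before use; nothing here assumes a section.
function rowIndex(tr) {
  const parent = tr.parentNode;
  if (parent === null) return -1;
  let table = null;
  if (parent.tagName === 'TABLE') {
    table = parent;
  } else if (SECTION_TAGS.has(parent.tagName) &&
             parent.parentNode !== null &&
             parent.parentNode.tagName === 'TABLE') {
    table = parent.parentNode;
  }
  if (table === null) return -1;
  return tableRows(table).indexOf(tr);
}

// Case 1: the reporter's input, one <tr> directly under <table>, no <thead>.
function reporterCase() {
  const doc = el('html', {}, [el('body', {}, [
    el('table', {}, [el('tr', { id: 'htmlvar00004' })]),
  ])]);
  return rowIndex(getElementById(doc, 'htmlvar00004'));
}

// Case 2: sections out of document order (tfoot before tbody before thead in
// the tree); indices must still follow the thead / body / tfoot grouping.
function sectionOrderCase() {
  const table = el('table', {}, [
    el('tfoot', {}, [el('tr', { id: 'f' })]),
    el('tr', { id: 'direct' }),
    el('tbody', {}, [el('tr', { id: 'b' })]),
    el('thead', {}, [el('tr', { id: 'h' })]),
  ]);
  return ['h', 'direct', 'b', 'f'].map(id => rowIndex(getElementById(table, id)));
}

// Case 3: a <tr> in a <tbody> whose parent is not a table, and a detached
// <tr>; both report -1 instead of dereferencing a missing ancestor.
function orphanCases() {
  const stray = el('div', {}, [el('tbody', {}, [el('tr', { id: 'x' })])]);
  return [rowIndex(getElementById(stray, 'x')), rowIndex(el('tr'))];
}

console.log(reporterCase(), sectionOrderCase(), orphanCases());
```

The first case is the one the attached test triggers; a correct implementation answers 0 for it, and the remaining cases cover the other shapes a fuzzer like Domato will generate (sections in arbitrary order, rows outside any table).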
Issue History
2020-08-16 00:21  sha0sum  New Issue
2020-08-16 00:21  sha0sum  File Added: crashes.zip
2020-08-16 18:37  sha0sum  File Added: 5.asan.txt
2020-08-16 18:37  sha0sum  Note Added: 0002286