Sunday, September 2, 2012

WebKit cssText NULL Ptr Deref

Just tested with Chrome 21.0.1180.89 m (latest version at the time of writing).

Crash moment:
0:000> r
eax=00000000 ebx=015ccfb0 ecx=00000000 edx=0014ea24 esi=01e00440 edi=01e44630
eip=58fcd2a8 esp=0014e8b0 ebp=0014e8b4 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
chrome_58bf0000!WebCore::CSSValue::cssText+0x8:
58fcd2a8 8b4804          mov     ecx,dword ptr [eax+4] ds:002b:00000004=????????
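The register dump above already tells the triage story: eax is 0, the faulting instruction in WebCore::CSSValue::cssText reads dword ptr [eax+4], so the effective address is 0x00000004, well inside the unmapped null page, which is why WinDbg shows the operand as ????????. The script below is an added example, not code from the post, that automates exactly that reading of a WinDbg "r" dump: it parses the registers, the disassembly line and the debugger's reported fault address, recomputes the effective address from the base register and displacement, and classifies the fault as a NULL pointer dereference when the address lands below a 64 KiB null-page limit (that limit and the read/write heuristic are my assumptions). The dump text is a constructed copy of the post's output so the script runs offline.

```python
import re

# Constructed copy of the crash excerpt from the post, embedded so the script runs offline.
CRASH_DUMP = """\
0:000> r
eax=00000000 ebx=015ccfb0 ecx=00000000 edx=0014ea24 esi=01e00440 edi=01e44630
eip=58fcd2a8 esp=0014e8b0 ebp=0014e8b4 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
chrome_58bf0000!WebCore::CSSValue::cssText+0x8:
58fcd2a8 8b4804          mov     ecx,dword ptr [eax+4] ds:002b:00000004=????????
"""

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[sbi]p)=([0-9a-f]{8})\b")
INSN_RE = re.compile(r"^([0-9a-f]{8})\s+[0-9a-f]+\s+(\w+)\s+(.*)$")
# Simple [base], [base+disp] or [base-disp] operands only; scaled-index forms are not handled.
MEM_RE = re.compile(r"\[(e[abcd]x|e[sd]i|e[sb]p)(?:([+-])([0-9a-fA-F]+)h?)?\]")
FAULT_RE = re.compile(r"\b[cdefgs]s:[0-9a-f]{4}:([0-9a-f]{8})=")

NULL_PAGE_LIMIT = 0x10000  # assumption: treat the first 64 KiB as the unmapped null page


def parse_crash(dump):
    """Pull registers, the resolved symbol and the faulting instruction out of a WinDbg 'r' dump."""
    regs, symbol, insn, prev = {}, None, None, ""
    for line in dump.splitlines():
        for m in REG_RE.finditer(line):
            regs[m.group(1)] = int(m.group(2), 16)
        m = INSN_RE.match(line)
        if m:
            insn = {"ip": int(m.group(1), 16), "mnemonic": m.group(2), "operands": m.group(3)}
            # WinDbg prints the resolved symbol on the line just before the instruction
            symbol = prev.rstrip(":") if prev.endswith(":") else None
        prev = line.strip()
    if insn is None:
        raise ValueError("no disassembly line found in dump")
    return regs, symbol, insn


def classify_fault(regs, insn):
    """Recompute the memory operand's effective address and say whether it is in the null page."""
    m = MEM_RE.search(insn["operands"])
    if not m:
        return {"kind": "non-memory", "address": None}
    base, sign, disp = m.group(1), m.group(2), m.group(3)
    offset = int(disp, 16) if disp else 0
    if sign == "-":
        offset = -offset
    effective = (regs[base] + offset) & 0xFFFFFFFF
    # Cross-check against the address WinDbg itself reported after the operand, if present
    reported = FAULT_RE.search(insn["operands"])
    reported_addr = int(reported.group(1), 16) if reported else None
    # Heuristic: a memory operand before the comma is the destination, i.e. a write
    dest = insn["operands"].split(",", 1)[0]
    access = "write" if "[" in dest else "read"
    kind = "null-deref" if effective < NULL_PAGE_LIMIT else "invalid-access"
    return {"kind": kind, "access": access, "base": base, "base_value": regs[base],
            "offset": offset, "address": effective, "reported": reported_addr,
            "consistent": reported_addr is None or reported_addr == effective}


def triage(dump=CRASH_DUMP):
    """Parse and classify one crash dump; returns a dict with the verdict."""
    regs, symbol, insn = parse_crash(dump)
    result = classify_fault(regs, insn)
    result["symbol"] = symbol
    return result


if __name__ == "__main__":
    r = triage()
    print(f"{r['symbol']}: {r['access']} via {r['base']}{r['offset']:+#x} "
          f"-> {r['address']:#010x} ({r['kind']})")
```

For this dump the verdict is a read through eax+4 at address 0x00000004, consistent with the ds:002b:00000004 WinDbg printed, which is the signature of a NULL object pointer being dereferenced to fetch a field rather than a controlled write; that distinction is what decides whether a fuzzer-found crash is a plain DoS or needs deeper exploitability analysis.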


PoC:


The same bug in an older release (19.0.1084.52): http://pastebin.com/Z0pu9jbE