Variation:

<BODY onload="
  document.designMode='on'; //string
  document.removeChild(document.firstChild); //object
  document.queryCommandState('BackColor');
">

Also a NULL pointer, but in a different part of the code. Likely both 'queryCommandState' and 'queryCommandValue' use the same object, which can be set to null by deleting or replacing the HTML element.
Another variation: using 'queryCommandIndeterm' gives same result as 'queryCommandValue'.
This is http://milw0rm.com/exploits/8091.
wanted1.9.0.x is good since this bug was filed into the milw0rm database today.
Hmm, this doesn't seem to crash in current trunk build. Is this a duplicate of bug 448329?
Mats: Can you confirm that the patch in bug 448329 fixes this?
qawanted: Please determine if the patch in bug 448329 fixes this bug.
I backed out bug 448329 locally and debugged this bug, both testcases in comment 0 and 1 crashed with a null-pointer access at nsHTMLEditor.cpp:2412 which is now fixed by bug 448329. I pushed the tests: http://hg.mozilla.org/mozilla-central/rev/d3ce1f2c44bb http://hg.mozilla.org/releases/mozilla-1.9.1/rev/4ad867d7a548
Before checkin of bug 448329 on 1.9.1, the testcase clearly crashes immediately. It does not crash after the checkin, confirming what Mats says.
Adding fixed188.8.131.52, fixed1.9.1 since bug 448329 is, to avoid this bug showing up in queries.
The variation from comment 1 was uploaded to milw0rm by Aditya K Sood (secniche.org) with no credit to SkyLined or mention of this bug: http://www.milw0rm.com/exploits/8219
Verified for 184.108.40.206 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:220.127.116.11pre) Gecko/2009031604 GranParadiso/3.0.8pre. Definitely crashes earlier 1.9.0 versions. Verified for 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4pre) Gecko/20090316 Shiretoko/3.1b4pre
Hm, this was already on milw0rm as http://www.milw0rm.com/exploits/8091. The title for 8219 says "onbeforeunload", but the testcase itself uses onload like 8091 (and is otherwise identical except for two added alerts).
Showed up in milw0rm too.
This doesn't crash using Firefox 18.104.22.168.