[Webkit-unassigned] [Bug 19891] Broken HTML object elements cause de-reference of pointer to freed memory

bugzilla-daemon at webkit.org
Thu Jul 3 15:50:21 PDT 2008


------- Comment #7 from chrisb at adobe.com  2008-07-03 15:50 PDT -------
Interesting details about the test HTML file:
The object tag references a non-existent GIF.
There is a call to window.document.open in the onload handler.
The codetype on the object element is set to an image MIME type.
