[Webkit-unassigned] [Bug 17956] New: possible write to freed memory in EventTargetNode::dispatchSimulatedMouseEvent()
bugzilla-daemon at webkit.org
Wed Mar 19 14:14:27 PDT 2008
http://bugs.webkit.org/show_bug.cgi?id=17956
Summary: possible write to freed memory in EventTargetNode::dispatchSimulatedMouseEvent()
Product: WebKit
Version: 526+ (Nightly build)
Platform: PC
OS/Version: Windows XP
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: HTML DOM
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: minatoar at gmail.com
Not certain about this, but it looks like if the event handler deletes the node
within dispatchSimulatedMouseEvent(), there can be a subsequent assignment to
freed memory:
EventTargetNode::dispatchSimulatedMouseEvent(...) {
    ...
    m_dispatchingSimulatedEvent = true;
    // <--- The event handler may end up deleting "this" --->
    dispatchMouseEvent(...);
    // <--- Could this assignment happen to freed memory? --->
    m_dispatchingSimulatedEvent = false;
}
I ran into a problem when using an access key that deleted the anchor
(LayoutTests/fast/events/access-key-self-destruct.html) -- however I am not
certain if there were other modifications in my code that could have caused
this problem.
Can someone familiar with the method comment if this is a problem?
(I see that EventTargetNode::dispatchMouseEvent() protects "this" from
deletion, why does this block not require it too?)
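A constructed C++ model of the pattern the report quotes, with the protect-`this` guard that dispatchMouseEvent() is said to use applied to the simulated-event path; this is an added example, not WebKit code, and the names `Node`, `Protect`, `dispatchSimulatedClick` and the two scenario functions are invented for the illustration.

```cpp
#include <functional>
// Constructed model of intrusive ref counting in the WebKit style; not WebKit code.
struct Node {
    int refCount = 1;                    // creator holds the first reference
    bool dispatchingSimulated = false;   // stands in for m_dispatchingSimulatedEvent
    std::function<void(Node&)> onClick;  // the event handler, may run script
    static int destroyed;                // demo counter of deleted nodes
    ~Node() { ++destroyed; }
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
};
int Node::destroyed = 0;
// Scope guard with the effect of WebKit's `RefPtr<Node> protect(this)` idiom:
// one extra reference held until the enclosing scope ends.
struct Protect {
    explicit Protect(Node& n) : node(n) { node.ref(); }
    ~Protect() { node.deref(); }
    Node& node;
};

// Hardened form of the quoted dispatch pattern. Returns true when the handler
// dropped the last outside reference, i.e. the case in which an unguarded
// `m_dispatchingSimulatedEvent = false` would write to freed memory.
bool dispatchSimulatedClick(Node& node) {
    Protect protect(node);               // the fix: keep `this` alive across the call
    node.dispatchingSimulated = true;
    node.onClick(node);                  // handler may deref() the node
    node.dispatchingSimulated = false;   // still live: the guard holds a reference
    return node.refCount == 1;           // guard's reference is the only one left;
}                                        // its destructor frees the node on return

// Handler leaves the node alone: no deletion, flag reset seen on a live node.
bool scenarioHandlerKeepsNode() {
    int before = Node::destroyed;
    Node* n = new Node;
    n->onClick = [](Node&) {};
    bool died = dispatchSimulatedClick(*n);
    bool live = !n->dispatchingSimulated && Node::destroyed == before;
    n->deref();
    return !died && live;
}

// Handler removes the node mid-dispatch (the access-key self-destruct case):
// the guard delays the delete until after the trailing flag write.
bool scenarioHandlerDeletesNode() {
    int before = Node::destroyed;
    Node* n = new Node;
    n->onClick = [](Node& self) { self.deref(); };  // script removes the element
    bool died = dispatchSimulatedClick(*n);         // *n must not be used after this
    return died && Node::destroyed == before + 1;
}
```

Without the `Protect` guard, the second scenario frees the node inside `onClick`, and the following flag write is a write to freed memory; a build with AddressSanitizer reports that as a heap-use-after-free.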