[Webkit-unassigned] [Bug 25567] Crash when writing into a detached TITLE element
bugzilla-daemon at webkit.org
Mon Jun 1 20:28:19 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=25567
------- Comment #4 from vijay.manchana at gmail.com 2009-06-01 20:28 PDT -------
Hi,
I have been analysing the bug and here are some of my observations.
In HTMLTokenizer, while parsing the "Title" tag, if there is no end "Title"
tag, the state is reset to the previous one, which it should not be. This is
causing the problem. So, comment out the following line in the "if" condition
to make the state keep its current value.
In HTMLTokenizer.cpp, line no.1532
    if (state.inTitle() && src.isEmpty()) {
        // comment the following line, as this statement resets the state to the previous one
        // state = savedState;
        src = savedSrc;
        m_lineNumber = savedLineno;
        m_scriptCodeSize = 0;
    }
After commenting out this statement, the Safari browser is not crashing.
Let me know if this proposal can be used to fix this bug.
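Added example, not part of the bug comment and not WebKit's HTMLTokenizer: a hypothetical two-state tokenizer that models the save/restore behaviour the comment describes. It assumes the document arrives in chunks (as with document.write) and that a chunk can end inside the title text; TinyTokenizer, runSplitTitle and the flag restoreStateOnEmptySource are invented names. The variant that rolls the state back when the source runs out inside <title> forgets it is still in the title, so the next chunk is tokenized as ordinary data and the title is never closed; the variant that keeps the state completes the title correctly.

```cpp
#include <cassert>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical two-state tokenizer (NOT WebKit's HTMLTokenizer). It is fed the
// document in chunks, the way document.write() delivers text, and must remember
// between chunks that it is still inside <title>.
enum class State { Data, InTitle };

struct TinyTokenizer {
    // true mimics the branch the bug comment objects to: when the source runs
    // out inside <title>, the state is rolled back to the saved (pre-title) one.
    bool restoreStateOnEmptySource;
    State state = State::Data;
    std::string titleBuffer;              // title text accumulated so far
    std::string title;                    // set once </title> is seen
    bool titleClosed = false;
    std::vector<std::string> textTokens;  // text tokenized in the Data state

    explicit TinyTokenizer(bool restore) : restoreStateOnEmptySource(restore) {}

    // Consume title text until </title> or until the chunk is exhausted.
    void consumeTitle(std::string& src) {
        size_t end = src.find("</title>");
        if (end == std::string::npos) {
            titleBuffer += src;   // no end tag in this chunk: keep buffering
            src.clear();
            return;
        }
        titleBuffer += src.substr(0, end);
        src.erase(0, end + 8);
        title = titleBuffer;
        titleClosed = true;
        state = State::Data;
    }

    void write(const std::string& chunk) {
        std::string src = chunk;
        while (!src.empty()) {
            if (state == State::InTitle) {
                consumeTitle(src);
            } else if (src.rfind("<title>", 0) == 0) {
                State savedState = state;   // mirrors the savedState pattern
                state = State::InTitle;
                src.erase(0, 7);
                consumeTitle(src);
                // Faulty variant: the chunk ended inside the title, but the
                // tokenizer forgets that and resumes the next chunk as data.
                if (state == State::InTitle && src.empty() && restoreStateOnEmptySource)
                    state = savedState;
            } else if (src[0] == '<') {
                size_t gt = src.find('>');  // any other tag: skip it
                src.erase(0, gt == std::string::npos ? src.size() : gt + 1);
            } else {
                size_t lt = src.find('<');  // plain text up to the next tag
                textTokens.push_back(src.substr(0, lt));
                src.erase(0, lt);
            }
        }
    }
};

// Feed the same two constructed chunks, split in the middle of the title text.
TinyTokenizer runSplitTitle(bool restoreStateOnEmptySource) {
    TinyTokenizer t(restoreStateOnEmptySource);
    t.write("<title>Hel");      // chunk 1 ends before </title>
    t.write("lo</title>");      // chunk 2 completes it
    return t;
}

int main() {
    TinyTokenizer kept = runSplitTitle(false);
    TinyTokenizer rolledBack = runSplitTitle(true);
    std::cout << "state kept:   title=\"" << kept.title << "\" closed=" << kept.titleClosed << "\n";
    std::cout << "state rolled: title=\"" << rolledBack.title << "\" closed=" << rolledBack.titleClosed
              << " stray text tokens=" << rolledBack.textTokens.size() << "\n";
    return 0;
}
```

With the state kept across the chunk boundary the title comes out as "Hello" and is closed; with the rollback the title buffer holds only "Hel", the text "lo" is emitted as a stray data token, and the closing tag is discarded, which is the kind of inconsistency between saved buffers and current state that a later write into the element can trip over.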