[Webkit-unassigned] [Bug 25567] Crash when writing into a detached TITLE element

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jun 1 20:28:19 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=25567





------- Comment #4 from vijay.manchana at gmail.com  2009-06-01 20:28 PDT -------
Hi,

I have been analysing the bug and here are some of my observations.

In HTMLTokenizer, while parsing the "Title" tag, if there is no end "Title"
tag, the state is reset to previous which it should not. This is causing the
problem. So, comment out the following line in "if" condition to make this
state regain its current value.

In HTMLTokenizer.cpp, line no.1532

if (state.inTitle() && src.isEmpty()) {
//comment the following line as this statement resets the state to previous
one.
//state = savedState;
src = savedSrc;
m_lineNumber = savedLineno;
m_scriptCodeSize = 0;
}

After commenting this statement, the safari browser is not crashing.
Let me know if this proposal can be used to fix this bug.


-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.



More information about the webkit-unassigned mailing list