[Webkit-unassigned] [Bug 34641] WebCore::RenderButton::styleDidChange ReadAV at NULL (6739b7fe455ecb54a6812c0866c3b47c)
bugzilla-daemon at webkit.org
Tue Mar 16 07:09:55 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=34641
Shinichiro Hamaji <hamaji at chromium.org> changed:
What        Removed    Added
CC                     hamaji at chromium.org
--- Comment #2 from Shinichiro Hamaji <hamaji at chromium.org> 2010-03-16 07:09:55 PST ---
Let me explain this bug and my patch.
This happened because RenderBlock::updateFirstLetter destroys text children of
the <button> but it doesn't update RenderButton::m_buttonText. Then,
m_buttonText will be used after free (so this can be a security issue?).
This doesn't happen for usual buttons because they are replaced elements.
RenderBlock::updateFirstLetter stops digging when it finds replaced elements.
However, this issue happens when a button is not inline because
RenderButton::styleDidChange calls setReplaced(isInline()) (to be honest, I
don't understand why form elements aren't replaced elements when they are not
inline).
With my patch, RenderBlock::updateFirstLetter stops digging whenever it finds
button elements, so we won't crash anymore. I'm not 100% sure if this is the
best fix, but I'm guessing this fix is OK, as this patch only changes the
behavior of the combination of button, display:block, and :first-letter.
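The stale-cached-pointer mechanism described in the comment above, as an added example that is not WebKit's code and not the patch attached to the bug: a small C++ model of a render tree in which a RenderButton keeps a raw pointer to its text child, a first-letter pass destroys and replaces that child, and the walk can optionally be stopped at buttons. The class and function names (RenderObject, RenderText, RenderButton, m_buttonText, updateFirstLetter) are simplified stand-ins for the WebKit ones the comment names, and the "Submit" button text is constructed input. To stay deterministic and free of undefined behaviour, the check compares the cached pointer against the button's current children instead of reading freed memory.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Simplified stand-ins for the WebKit render-tree classes named in the
// comment. This is an added model of the mechanism, not WebKit's code.
struct RenderObject {
    bool isText = false;
    bool isButton = false;
    bool replaced = false;  // an inline <button> is a replaced element
    std::vector<std::unique_ptr<RenderObject>> children;
    virtual ~RenderObject() = default;
};

struct RenderText : RenderObject {
    std::string text;
    explicit RenderText(std::string t) : text(std::move(t)) { isText = true; }
};

struct RenderButton : RenderObject {
    // Cached raw pointer to the button's text child. Nothing notifies the
    // button when that child is destroyed elsewhere in the tree.
    RenderText* m_buttonText = nullptr;

    explicit RenderButton(bool isInline) {
        isButton = true;
        replaced = isInline;  // mirrors setReplaced(isInline()) in styleDidChange
    }

    void setText(const std::string& s) {
        auto t = std::make_unique<RenderText>(s);
        m_buttonText = t.get();
        children.push_back(std::move(t));
    }

    // Is the cached pointer still one of this button's live children?
    bool buttonTextIsLive() const {
        for (const auto& c : children)
            if (c.get() == m_buttonText) return true;
        return false;
    }
};

// Model of RenderBlock::updateFirstLetter: descend to the first text
// renderer and split it into a first-letter renderer plus a remainder,
// destroying the original. The walk never enters replaced elements; with
// stopAtButton (the fix described in the comment) it also never enters a
// button, whether or not the button is replaced.
static bool updateFirstLetter(RenderObject* block, bool stopAtButton) {
    for (size_t i = 0; i < block->children.size(); ++i) {
        RenderObject* c = block->children[i].get();
        if (c->replaced) return false;
        if (stopAtButton && c->isButton) return false;
        if (c->isText) {
            const std::string s = static_cast<RenderText*>(c)->text;
            if (s.empty()) return false;
            auto remainder = std::make_unique<RenderText>(s.substr(1));
            // Assigning a new renderer destroys the old one: any cached raw
            // pointer to it, such as m_buttonText, is now dangling.
            block->children[i] = std::make_unique<RenderText>(s.substr(0, 1));
            block->children.insert(block->children.begin() + i + 1, std::move(remainder));
            return true;
        }
        if (updateFirstLetter(c, stopAtButton)) return true;
    }
    return false;
}

// Builds a block with a :first-letter rule containing <button>Submit</button>
// in this model, runs the first-letter pass, and reports whether the button's
// cached text pointer still refers to a live child. isInline=false models
// display:block; stopAtButton=true models the patch.
bool buttonTextSurvives(bool isInline, bool stopAtButton) {
    RenderObject block;
    auto button = std::make_unique<RenderButton>(isInline);
    button->setText("Submit");  // constructed sample content
    RenderButton* b = button.get();
    block.children.push_back(std::move(button));
    updateFirstLetter(&block, stopAtButton);
    return b->buttonTextIsLive();
}

int main() {
    std::printf("inline button, no fix: %s\n", buttonTextSurvives(true, false) ? "live" : "stale");
    std::printf("block button,  no fix: %s\n", buttonTextSurvives(false, false) ? "live" : "stale");
    std::printf("block button,  fixed : %s\n", buttonTextSurvives(false, true) ? "live" : "stale");
    return 0;
}
```

Only the display:block case without the fix leaves m_buttonText pointing at a destroyed renderer; in the real tree, the next RenderButton code path that dereferences that pointer is the use-after-free the comment describes. The model also makes the design point visible: stopping the walk at buttons fixes the symptom, but a raw cached pointer that is not cleared when its target is destroyed remains a hazard for any other code path that removes the text child.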