[Webkit-unassigned] [Bug 45561] New: NULL deref when SVG elements have table styles
bugzilla-daemon at webkit.org
Fri Sep 10 13:19:50 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=45561
Summary: NULL deref when SVG elements have table styles
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Mac OS X 10.5
Status: NEW
Severity: Normal
Priority: P2
Component: SVG
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: jschuh at chromium.org
CC: zimmermann at kde.org, jschuh at chromium.org
Here's a simple repro URL:
data:text/html,<svg><text display="table-caption">
This issue applies to SVG elements that use the normal layout model (e.g. text and foreignObject). The problem is that RenderObject::addChild() sees the table attributes and creates an anonymous RenderTable parent for the child SVG object. So, when SVGRenderSupport::layoutChildren runs through its loop it hits a NULL deref returned from child->node() on the anonymous node here:
    if (SVGElement* element = child->node()->isSVGElement() ? static_cast<SVGElement*>(child->node()) : 0) {
I don't understand the layout well enough to know what should be happening here, but we probably want to prevent the crash.
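The failure mode described in the report, as an added example that is not WebKit code and not the fix that was adopted: a table-part child gets wrapped in an anonymous renderer whose node() is null, and the child walk has to check for that before calling isSVGElement(). The Node and RenderObject shapes, makeRenderer, LayoutStats and layoutChildrenGuarded are simplified assumptions for illustration, and skipping the anonymous wrapper is only one possible guard.

```cpp
#include <memory>
#include <string>
#include <vector>

// Simplified stand-ins for the WebKit classes named in the report (assumed shapes).
struct Node {
    bool svg = false;
    bool isSVGElement() const { return svg; }
};

struct RenderObject {
    Node* m_node = nullptr;   // stays null for anonymous renderers
    std::string display = "inline";
    std::vector<std::unique_ptr<RenderObject>> children;
    Node* node() const { return m_node; }
};

std::unique_ptr<RenderObject> makeRenderer(Node* node, const std::string& display) {
    auto r = std::make_unique<RenderObject>();
    r->m_node = node;
    r->display = display;
    return r;
}

// Models the addChild() behaviour described above: a table-part child under a
// non-table parent is wrapped in an anonymous table renderer with no DOM node.
void addChild(RenderObject& parent, std::unique_ptr<RenderObject> child) {
    if (child->display == "table-caption" && parent.display != "table") {
        auto anonymousTable = makeRenderer(nullptr, "table");
        anonymousTable->children.push_back(std::move(child));
        parent.children.push_back(std::move(anonymousTable));
        return;
    }
    parent.children.push_back(std::move(child));
}

struct LayoutStats { int svgElements = 0; int anonymousSkipped = 0; };

// Child walk with the null check the quoted line lacks. The unguarded form,
// child->node()->isSVGElement(), dereferences null on the anonymous wrapper.
LayoutStats layoutChildrenGuarded(const RenderObject& parent) {
    LayoutStats stats;
    for (const auto& child : parent.children) {
        Node* node = child->node();
        if (!node) { ++stats.anonymousSkipped; continue; }
        if (node->isSVGElement()) ++stats.svgElements;
    }
    return stats;
}
```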