[Webkit-unassigned] [Bug 50126] Fallback content in canvas element not focusable

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Feb 28 13:22:48 PST 2011


https://bugs.webkit.org/show_bug.cgi?id=50126
--- Comment #27 from Abhishek Arya <inferno at chromium.org>  2011-02-28 13:22:48 PST ---
This introduced a security bug: https://bugs.webkit.org/show_bug.cgi?id=55393

Reduced testcase:
    <feOffset>
        <canvas>
            <legend id="test">
                <input/>
            </legend>
        </canvas>
    </feOffset>
    <script>
        window.setTimeout(function() {
            document.getElementById('test').innerHTML = 1;
        }, 0);
    </script>

Stack:
 WebCore::RenderObject::localToAbsolute(WebCore::FloatPoint localPoint=(0,0), bool fixed=false, bool useTransforms=true)  Line 1945 + 0x15 bytes    C++
>WebCore::LayoutState::LayoutState(WebCore::RenderObject * root=0x06e7600c)  Line 121    C++
 WebCore::RenderView::pushLayoutState(WebCore::RenderObject * root=0x06e7600c)  Line 719 + 0x28 bytes    C++
 WebCore::FrameView::layout(bool allowSubtree=true)  Line 900    C++
 WebCore::FrameView::layoutTimerFired(WebCore::Timer<WebCore::FrameView> * __formal=0x0a094608)  Line 1604    C++
 WebCore::Timer<WebCore::FrameView>::fired()  Line 100 + 0x29 bytes    C++
 WebCore::ThreadTimers::sharedTimerFiredInternal()  Line 112 + 0xf bytes    C++
 WebCore::ThreadTimers::sharedTimerFired()  Line 91    C++
 webkit_glue::WebKitClientImpl::DoTimeout()  Line 86 + 0xa bytes    C++

LayoutState::LayoutState(RenderObject* root)
    : m_clipped(false)
    , m_pageLogicalHeight(0)
    , m_pageLogicalHeightChanged(false)
    , m_columnInfo(0)
    , m_next(0)
#ifndef NDEBUG
    , m_renderer(root)
#endif
{
    RenderObject* container = root->container();

root is freed.

Comment #5 from Dave Hyatt 2011-02-28 13:13:59 PST
(From update of attachment 84094)
I think we should consider reverting the original patch.  I don't think it really should have received r+.  The original changes were bizarre and not reviewed by a layout expert.
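The crash in the stack above is a use-after-free: the renderer destroyed by the innerHTML assignment is still recorded as the root of the pending layout, and LayoutState's constructor dereferences it when the layout timer fires. The C++ below is an added example, not WebKit's code and not the patch that fixed this bug. The class and method names only echo the frames in the stack trace, the liveness registry exists solely so the dangling case can be reported as a return value instead of executing undefined behaviour, and clearing the stored layout root when its renderer is destroyed is assumed here as one generic lifetime fix, not a description of what the project actually changed.

```cpp
#include <cstdio>
#include <memory>
#include <set>

class FrameView;
class RenderObject;

// Registry of live renderers. It exists only so this example can detect a
// dangling pointer deterministically; the real browser had no such check and
// simply dereferenced freed memory.
static std::set<const RenderObject*>& liveRenderers() {
    static std::set<const RenderObject*> live;
    return live;
}

class RenderObject {
public:
    RenderObject(RenderObject* container, FrameView* view);
    ~RenderObject();
    RenderObject* container() const { return m_container; }
    static bool isLive(const RenderObject* r) { return liveRenderers().count(r) != 0; }
private:
    RenderObject* m_container;
    FrameView* m_view;
};

class FrameView {
public:
    enum Outcome { FullLayout, SubtreeLayout, UseAfterFree };

    explicit FrameView(bool clearRootOnDestroy) : m_clearRootOnDestroy(clearRootOnDestroy) {}

    // A dirty renderer is recorded as the root of the next (subtree) layout.
    void scheduleRelayout(RenderObject* root) { m_layoutRoot = root; }

    // Called from ~RenderObject. The hardened shape forgets the pointer here;
    // the vulnerable shape keeps it and m_layoutRoot dangles.
    void rendererWillBeDestroyed(RenderObject* r) {
        if (m_clearRootOnDestroy && m_layoutRoot == r)
            m_layoutRoot = nullptr;
    }

    // Models layoutTimerFired -> layout -> pushLayoutState(root) ->
    // LayoutState::LayoutState -> root->container(), the frames in the stack.
    Outcome layoutTimerFired() {
        if (!m_layoutRoot)
            return FullLayout;               // nothing scheduled: lay out from the view
        if (!RenderObject::isLive(m_layoutRoot))
            return UseAfterFree;             // the real code crashes here
        (void)m_layoutRoot->container();     // safe only because the root is live
        m_layoutRoot = nullptr;
        return SubtreeLayout;
    }

private:
    bool m_clearRootOnDestroy;
    RenderObject* m_layoutRoot = nullptr;
};

RenderObject::RenderObject(RenderObject* container, FrameView* view)
    : m_container(container), m_view(view) {
    liveRenderers().insert(this);
}

RenderObject::~RenderObject() {
    if (m_view)
        m_view->rendererWillBeDestroyed(this);
    liveRenderers().erase(this);
}

// Replays the sequence in the test case: the <legend>'s renderer is scheduled
// as a layout root, the setTimeout callback's innerHTML assignment destroys
// that subtree, then the layout timer fires.
FrameView::Outcome replay(bool hardened, bool mutateBeforeLayout) {
    FrameView view(hardened);
    std::unique_ptr<RenderObject> canvas(new RenderObject(nullptr, &view));
    std::unique_ptr<RenderObject> legend(new RenderObject(canvas.get(), &view));
    view.scheduleRelayout(legend.get());
    if (mutateBeforeLayout)
        legend.reset();                      // innerHTML = 1: renderer destroyed
    return view.layoutTimerFired();
}

int main() {
    std::printf("no mutation:         %d\n", replay(false, false)); // 1 SubtreeLayout
    std::printf("mutation, raw root:  %d\n", replay(false, true));  // 2 UseAfterFree
    std::printf("mutation, cleared:   %d\n", replay(true, true));   // 0 FullLayout
    return 0;
}
```

The point the model makes is that the dangerous state is not the mutation itself but the stale pointer that survives it: any bookkeeping that caches a renderer across a task boundary (a timer, a posted task, a pending layout) needs an invalidation path in the renderer's destruction, or it must be re-validated before use.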
