[Webkit-unassigned] [Bug 65316] New: Potential NULL-pointer vulnerability in [RenderLayer::updateLayerPosition]
bugzilla-daemon at webkit.org
Thu Jul 28 07:28:46 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=65316
Summary: Potential NULL-pointer vulnerability in [RenderLayer::updateLayerPosition]
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
URL: http://www.gismeteo.ru/city/daily/4079/
OS/Version: All
Status: UNCONFIRMED
Severity: Normal
Priority: P3
Component: Layout and Rendering
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: alexey.utkin at oracle.com
Potential vulnerability in the method
void RenderLayer::updateLayerPosition()
(file http://trac.webkit.org/browser/trunk/Source/WebCore/rendering/RenderLayer.cpp)
Code fragment (lines 660-676)
    if (!renderer()->isPositioned() && renderer()->parent()) {
        // We must adjust our position by walking up the render tree looking for the
        // nearest enclosing object with a layer.
        RenderObject* curr = renderer()->parent();
        while (curr && !curr->hasLayer()) {
            if (curr->isBox() && !curr->isTableRow()) {
                // Rows and cells share the same coordinate space (that of the section).
                // Omit them when computing our xpos/ypos.
                localPoint += toRenderBox(curr)->locationOffsetIncludingFlipping();
            }
            curr = curr->parent();
        }
        if (curr->isBox() && curr->isTableRow()) { // <--- here the [curr] var can have a NULL value: check the [while] condition.
            // Put ourselves into the row coordinate space.
            localPoint -= toRenderBox(curr)->locationOffsetIncludingFlipping();
        }
    }
has NULL-pointer vulnerability.
In our port we have a GPF on transfer from
http://www.gismeteo.ru
to (click on St.Petersburg city)
http://www.gismeteo.ru/city/daily/4079/
It seems the problem is related to
https://bugs.webkit.org/show_bug.cgi?id=62120
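The failure path described above, modelled as an added example that is not WebKit code: a minimal stand-in for the render-tree queries the walk uses (Node, Point, accumulateOffsets and adjustForRow are hypothetical names), with the null check the report says is missing placed before the row test.

```cpp
// Minimal stand-in for the RenderObject/RenderBox queries used by the
// ancestor walk in updateLayerPosition(); hypothetical, not WebKit code.
struct Node {
    Node* parent = nullptr;
    bool hasLayer = false;
    bool isBox = false;
    bool isTableRow = false;
    int offsetX = 0, offsetY = 0;  // stands in for locationOffsetIncludingFlipping()
};

struct Point { int x = 0, y = 0; };

// Walks up from |start| to the nearest ancestor with a layer, accumulating
// box offsets (rows are skipped, as in the original). Returns the ancestor
// that stopped the walk, or nullptr when the chain ran out first.
static Node* accumulateOffsets(Node* start, Point& localPoint) {
    Node* curr = start;
    while (curr && !curr->hasLayer) {
        if (curr->isBox && !curr->isTableRow) {
            localPoint.x += curr->offsetX;
            localPoint.y += curr->offsetY;
        }
        curr = curr->parent;
    }
    return curr;
}

// Guarded row adjustment. The |!curr| check is the piece the report points
// at: without it the row test dereferences a null pointer whenever the
// while loop exits because curr became null rather than layered.
// Returns false when no layered ancestor was found.
static bool adjustForRow(Node* renderer, Point& localPoint) {
    if (!renderer->parent) return true;  // mirrors the outer parent() check
    Node* curr = accumulateOffsets(renderer->parent, localPoint);
    if (!curr) return false;
    if (curr->isBox && curr->isTableRow) {
        localPoint.x -= curr->offsetX;  // back into row coordinate space
        localPoint.y -= curr->offsetY;
    }
    return true;
}
```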