[Webkit-unassigned] [Bug 105642] New: Dubious cast from TextTrackCueBox to HTMLDivElement.

Fri Dec 21 10:42:36 PST 2012

https://bugs.webkit.org/show_bug.cgi?id=105642

           Summary: Dubious cast from TextTrackCueBox to HTMLDivElement.
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: Unspecified
            Status: NEW
          Severity: Trivial
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: tsepez at chromium.org
                CC: tony at chromium.org, japhet at chromium.org,
                    victor at rosedu.org

In TextTrackCueBox::TextTrackCueBox(), there is an initialization of the form : HTMLElement(divTag, document).
Under V8, Initializing an element using divTag gives V8HTMLElementWrapperFactory the right to invoke createHTMLDivElementWrapper() upon the element.
createHTMLDivElementWrapper() invokes static_cast<HTMLDivElement*>(element).

Note however, the TextTrackCueBox inherits from HTMLElement, not HTMLDivElement, so the cast is wrong.  Presently, this does no harm at the machine code level, since HTMLDivElement doesn't modify the layout of the underlying memory.  But something could change, and then you won't be ok.

The fix would be to change to the proper base class in TextTrackCueBox.cpp.   Looking at https://bugs.webkit.org/show_bug.cgi?id=79751, this was initially the design but went off the rails at comment 34,
when rather than resolving the underlying issue, this bug was introduced as part of a workaround.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.