[Webkit-unassigned] [Bug 100466] MathML fuzzing bugs - 4
bugzilla-daemon at webkit.org
Thu Oct 25 23:01:16 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=100466
Eric Seidel <eric at webkit.org> changed:
What    |Removed |Added
----------------------------------------------------------------------------
CC      |        |ojan at chromium.org,
        |        |simon.fraser at apple.com,
        |        |tony at chromium.org
--- Comment #1 from Eric Seidel <eric at webkit.org> 2012-10-25 23:02:24 PST ---
Trying to access a null layer?
I assume that m_staticInlinePosition is at offset 0xd8 from the start of the RenderLayer object:
http://trac.webkit.org/browser/trunk/Source/WebCore/rendering/RenderLayer.h#L586
This code clearly assumes that child has a layer. :)
http://trac.webkit.org/browser/trunk/Source/WebCore/rendering/RenderBox.cpp#L2526
Maybe the RenderMathMLRoot doesn't have a layer even though it's positioned?
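As an added illustration, not WebKit code and not part of this bug report, the triage reasoning used above in C++: a fault at a small constant address such as 0xd8 indicates a read of a member at that offset through a null object pointer. The types FakeRenderLayer and FakeRenderBox and their layout are constructed so that the member lands at 0xd8; they are stand-ins, not WebKit's actual classes.

```cpp
#include <cstddef>
#include <cstdint>

// Constructed stand-in for RenderLayer: padding places the member at offset 0xd8.
struct FakeRenderLayer {
    std::uint8_t header[0xd8];
    int m_staticInlinePosition;
};

// Constructed stand-in for RenderBox; `layer` is null when the box has no layer.
struct FakeRenderBox {
    FakeRenderLayer* layer;
};

// Byte offset at which a dereference of the member through a null pointer faults.
std::size_t faultOffsetOfStaticInlinePosition() {
    return offsetof(FakeRenderLayer, m_staticInlinePosition);
}

// Crash triage helper: map a faulting address back to the member it names.
const char* memberForFaultAddress(std::uintptr_t addr) {
    if (addr == offsetof(FakeRenderLayer, m_staticInlinePosition))
        return "m_staticInlinePosition";
    return nullptr;  // not a small offset: not a null-object member read
}

// Unchecked form: encodes the assumption that a positioned child always has a
// layer. With a null layer this reads address 0xd8 and faults.
int unchecked(const FakeRenderBox& box) {
    return box.layer->m_staticInlinePosition;
}

// Checked form: a positioned child without a layer is reported, not dereferenced.
bool checked(const FakeRenderBox& box, int& out) {
    if (!box.layer)
        return false;
    out = box.layer->m_staticInlinePosition;
    return true;
}

// The suspected state from the comment: a box whose layer pointer is null.
bool nullLayerIsRejected() {
    FakeRenderBox box{nullptr};
    int value = 0;
    return !checked(box, value);
}

// Normal case: a box with a real layer reads the stored position.
int readThroughValidLayer(int position) {
    FakeRenderLayer layer{};
    layer.m_staticInlinePosition = position;
    FakeRenderBox box{&layer};
    int value = 0;
    return checked(box, value) ? value : -1;
}
```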