[Webkit-unassigned] [Bug 99243] FEImage::m_document is never cleared. Why not?
bugzilla-daemon at webkit.org
Tue Oct 30 10:13:47 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=99243
Stephen Chenney <schenney at chromium.org> changed:
What       | Removed                                              | Added
-----------|------------------------------------------------------|-----------------------------------------------
Summary    | FEImage::m_document appears to be useable after free | FEImage::m_document is never cleared. Why not?
Product    | Security                                             | WebKit
Version    | Other                                                | 528+ (Nightly build)
Component  | Security                                             | SVG
AssignedTo | schenney at chromium.org                             | webkit-unassigned at lists.webkit.org
Group      | Security-Sensitive                                   | (none)
--- Comment #11 from Stephen Chenney <schenney at chromium.org> 2012-10-30 10:15:03 PST ---
Maciej is right that this is never dangling and there's no point in fixing it. The only possible code change would be to explicitly set m_document to null before destroying the object, but there's no point at all in that.
I've come up with a one-line comment (a bit longer). Actually, it just occurred to me that I should reference this bug, so I'll give it another pass.
Also, there is no need for this to be a security issue.