[Webkit-unassigned] [Bug 125449] New: Harden column splitting code against bad casts.
bugzilla-daemon at webkit.org
Mon Dec 9 06:57:16 PST 2013
https://bugs.webkit.org/show_bug.cgi?id=125449
Summary: Harden column splitting code against bad casts.
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore Misc.
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: lango at inf.u-szeged.hu
Consider merging http://src.chromium.org/viewvc/blink?view=revision&revision=148760
Make sure that |curr| is a descendant of |fromBlock|. We need to check in every iteration of the loop because moveChildrenTo could have moved |curr|. This is a mitigation and not really a fix against a class of tree craziness.
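The per-iteration descendant check described in the report, as an added example that is not WebKit or Blink code. It uses a toy tree in which `Node`, `reparent`, `walkUp` and `demo` are hypothetical names and `mutate` stands in for a call such as `moveChildrenTo`.

```cpp
#include <algorithm>
#include <functional>
#include <vector>

// Toy tree node. All names are hypothetical stand-ins, not WebKit's classes.
struct Node {
    Node* parent = nullptr;
    std::vector<Node*> children;
};

void reparent(Node* child, Node* newParent) {
    if (child->parent) {
        auto& sibs = child->parent->children;
        sibs.erase(std::remove(sibs.begin(), sibs.end(), child), sibs.end());
    }
    child->parent = newParent;
    if (newParent) newParent->children.push_back(child);
}

bool isDescendantOf(const Node* n, const Node* ancestor) {
    for (const Node* p = n ? n->parent : nullptr; p; p = p->parent)
        if (p == ancestor) return true;
    return false;
}

enum class Walk { ReachedFromBlock, LeftSubtree };

// Walks from curr up to fromBlock. mutate stands in for a call such as
// moveChildrenTo that may relocate nodes, including curr or its ancestors.
Walk walkUp(Node* curr, Node* fromBlock,
            const std::function<void(Node*)>& mutate, int& visited) {
    visited = 0;
    while (curr && curr != fromBlock) {
        // Checked on every iteration, because the previous mutate call may
        // have moved curr out of fromBlock's subtree.
        if (!isDescendantOf(curr, fromBlock)) return Walk::LeftSubtree;
        mutate(curr);
        ++visited;
        curr = curr->parent;
    }
    return curr == fromBlock ? Walk::ReachedFromBlock : Walk::LeftSubtree;
}

// Constructed scenario: fromBlock > a > b > c, plus an unrelated root.
Walk demo(bool moveDuringWalk, int& visited) {
    Node fromBlock, a, b, c, other;
    reparent(&a, &fromBlock); reparent(&b, &a); reparent(&c, &b);
    auto mutate = [&](Node* n) { if (moveDuringWalk && n == &b) reparent(&b, &other); };
    return walkUp(&c, &fromBlock, mutate, visited);
}

int main() { int v; return demo(true, v) == Walk::LeftSubtree ? 0 : 1; }
```

With the check inside the loop, the walk stops at the first node that is no longer under `fromBlock` instead of continuing up an unrelated branch, where the caller's type assumptions about `curr` no longer hold.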