Bug 17543 - FixedTableLayout::layout() corrupts the heap
Summary: FixedTableLayout::layout() corrupts the heap
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: 528+ (Nightly build)
Hardware: All
OS: OS X 10.5
Importance: P1 Normal
Assignee: Nobody
URL: http://bt.ktxp.com/
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2008-02-25 17:21 PST by Ojan Vafai
Modified: 2008-03-03 11:55 PST (History)

See Also:


Attachments
Corrupts heap. Hits assert in debug mode. (197 bytes, text/html)
2008-02-25 17:22 PST, Ojan Vafai

Description Ojan Vafai 2008-02-25 17:21:06 PST
If a table is fixed layout and its children are set to display:none, it corrupts the heap (FixedTableLayout.cpp:288).
Comment 1 Ojan Vafai 2008-02-25 17:22:06 PST
Created attachment 19363
Corrupts heap. Hits assert in debug mode.
Comment 2 Maciej Stachowiak 2008-02-25 17:24:04 PST
Heap corruption is a potential security issue but not flagging as such since we don't have an exploit.
Comment 3 Mark Rowe (bdash) 2008-02-25 18:12:51 PST
<rdar://problem/5764927>
Comment 4 Dave Hyatt 2008-03-03 11:55:49 PST
Fixed in r30716.