Bug 165964
| Summary: | Possible nullptr dereference in FrameView::updateScrollCorner | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Brent Fulgham <bfulgham> |
| Component: | Layout and Rendering | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | ||
| Severity: | Normal | CC: | andersca, bfulgham, koivisto, simon.fraser, zalan |
| Priority: | P2 | ||
| Version: | WebKit Nightly Build | ||
| Hardware: | All | ||
| OS: | All | ||
Brent Fulgham
It is possible for 'renderer' to be null, but still have a valid cornerStyle:
1. If the document has no body, and the root element has no style, but we do have an owning iframe/frame element, we set a cornerStyle (but do not set the renderer).
2. Later, if no 'm_scrollCorner' member exists, we attempt to create one by accessing the renderer's document, generating a nullptr dereference.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |