Bug 17543

Summary: FixedTableLayout::layout() corrupts the heap
Product: WebKit Reporter: Ojan Vafai <ovafai>
Component: Layout and RenderingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: bdakin, koivisto
Priority: P1 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: All   
OS: OS X 10.5   
URL: http://bt.ktxp.com/
Attachments:
Description Flags
Corrupts heap. Hits assert in debug mode. none

Ojan Vafai
Reported 2008-02-25 17:21:06 PST
If a table is fixed layout and and it's children are set to display:none, corrupts the heap (FixedTableLayout.cpp:288).
Attachments
Corrupts heap. Hits assert in debug mode. (197 bytes, text/html)
2008-02-25 17:22 PST, Ojan Vafai 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Ojan Vafai
Comment 1 2008-02-25 17:22:06 PST
Created attachment 19363 [details] Corrupts heap. Hits assert in debug mode.
Maciej Stachowiak
Comment 2 2008-02-25 17:24:04 PST
Heap corruption is a potential security issue but not flagging as such since we don't have an exploit.
Mark Rowe (bdash)
Comment 3 2008-02-25 18:12:51 PST
<rdar://problem/5764927>
Dave Hyatt
Comment 4 2008-03-03 11:55:49 PST
Fixed in r30716.
Note You need to log in before you can comment on or make changes to this bug.