Bug 17543

Summary: FixedTableLayout::layout() corrupts the heap
Product: WebKit
Reporter: Ojan Vafai <ovafai>
Component: Layout and Rendering
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: bdakin, koivisto
Priority: P1
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: All
OS: OS X 10.5
URL: http://bt.ktxp.com/
Attachments:
Description: Corrupts heap. Hits assert in debug mode. | Flags: none

Description Ojan Vafai 2008-02-25 17:21:06 PST
If a table is fixed layout and its children are set to display:none, corrupts the heap (FixedTableLayout.cpp:288).
Comment 1 Ojan Vafai 2008-02-25 17:22:06 PST
Created attachment 19363 [details]
Corrupts heap. Hits assert in debug mode.
Comment 2 Maciej Stachowiak 2008-02-25 17:24:04 PST
Heap corruption is a potential security issue but not flagging as such since we don't have an exploit.
Comment 3 Mark Rowe (bdash) 2008-02-25 18:12:51 PST
<rdar://problem/5764927>
Comment 4 Dave Hyatt 2008-03-03 11:55:49 PST
Fixed in r30716.