Bug 180619

Summary: iOS: Crash in Document::updateLayout() via Document::processViewport
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: Layout and RenderingAssignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, commit-queue, darin, dino, koivisto, simon.fraser, zalan
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Fixes the crash none

Ryosuke Niwa
Reported 2017-12-08 21:01:01 PST
When the viewport configuration is updated via meta element, the modern media controls can end up updating the layout and cause a crash. This is a real bug since updateLayout can execute arbitrary author scripts.
Attachments
Fixes the crash (4.82 KB, patch)
2017-12-08 21:47 PST, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Ryosuke Niwa
Comment 1 2017-12-08 21:01:25 PST
<rdar://problem/35717575>
Ryosuke Niwa
Comment 2 2017-12-08 21:47:38 PST
Created attachment 328904 [details] Fixes the crash
WebKit Commit Bot
Comment 3 2017-12-09 02:41:35 PST
Comment on attachment 328904 [details] Fixes the crash Clearing flags on attachment: 328904 Committed r225723: <https://trac.webkit.org/changeset/225723>
WebKit Commit Bot
Comment 4 2017-12-09 02:41:37 PST
All reviewed patches have been landed. Closing bug.
Simon Fraser (smfr)
Comment 5 2017-12-09 10:08:05 PST
Can we stop calling these crashes please.
Ryosuke Niwa
Comment 6 2017-12-09 15:13:24 PST
(In reply to Simon Fraser (smfr) from comment #5) > Can we stop calling these crashes please. These are crashes. If we don't crash it here, it would later down the line as a security bug.
Darin Adler
Comment 7 2017-12-09 16:28:22 PST
Comment on attachment 328904 [details] Fixes the crash View in context: https://bugs.webkit.org/attachment.cgi?id=328904&action=review > Source/WebCore/html/HTMLMetaElement.h:43 > + void didFinishInsertingNode(); This is missing the "final" keyword. I guess this is a downside of us using "final" instead of "override", because I think we would have gotten a warning about this if we were using "override" on any other function in this class.
Note You need to log in before you can comment on or make changes to this bug.