| Field | Value |
|---|---|
| Summary | Crash in RenderBox::overrideContainingBlockContentHeight() |
| Product | WebKit |
| Reporter | Ian Gilbert <iang> |
| Component | Layout and Rendering |
| Assignee | Sergio Villar Senin <svillar> |
| Status | RESOLVED FIXED |
| Severity | Normal |
| CC | bfulgham, cgarcia, ews-feeder, koivisto, product-security, rniwa, rwlbuis, simon.fraser, svillar, webkit-bug-importer, zalan |
| Priority | P2 |
| Keywords | InRadar |
| Version | WebKit Local Build |
| Hardware | Unspecified |
| OS | Unspecified |
| Attachments | |
Description
Ian Gilbert
2020-11-03 04:05:50 PST
Created attachment 413041 [details]
Crashing input

Created attachment 413570 [details]
Patch

Created attachment 413572 [details]
Test case

This is the test case I came up with in case we want to land it together.

Is there any security implication here? Or is it just a nullptr crash?

(In reply to Ryosuke Niwa from comment #6)
> Is there any security implication here? Or is it just a nullptr crash?

It's a nullptr dereference.

(In reply to Sergio Villar Senin from comment #8)
> (In reply to Ryosuke Niwa from comment #6)
> > Is there any security implication here? Or is it just a nullptr crash?
>
> It's a nullptr dereference.

In that case, can we include the test in the patch?

Committed r269728: <https://trac.webkit.org/changeset/269728>