Bug 48389

Summary: REGRESSION(r67170): crash in removeImplicitlyStyledElement
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: HTML EditingAssignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED    
Severity: Normal CC: enrica, eric, ojan, tony
Priority: P1 Keywords: HasReduction
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
demo
none
fixes the crash tkent: review+

Ryosuke Niwa
Reported 2010-10-26 17:09:09 PDT
The crash occurs in the following lines of removeImplicitlyStyledElement when mapValue is null and extractedStyle is not null: if (extractedStyle) extractedStyle->setProperty(equivalent.propertyID, mapValue->cssText());
Attachments
demo (269 bytes, text/html)
2010-10-26 17:09 PDT, Ryosuke Niwa 		no flags
Details
fixes the crash (3.42 KB, patch)
2010-10-26 17:20 PDT, Ryosuke Niwa 		tkent: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Ryosuke Niwa
Comment 1 2010-10-26 17:09:33 PDT
Created attachment 71967 [details] demo
Ryosuke Niwa
Comment 2 2010-10-26 17:19:07 PDT
http://crbug.com/59992
Ryosuke Niwa
Comment 3 2010-10-26 17:20:46 PDT
Created attachment 71969 [details] fixes the crash
Kent Tamura
Comment 4 2010-10-26 17:21:42 PDT
Comment on attachment 71969 [details] fixes the crash ok
Ryosuke Niwa
Comment 5 2010-10-26 17:23:26 PDT
(In reply to comment #4) > (From update of attachment 71969 [details]) > ok wow, that was really quick! I'll appreciate if you can take a look at https://bugs.webkit.org/show_bug.cgi?id=48349 since it's a security bug. I just cc-ed you on the bug.
Ryosuke Niwa
Comment 6 2010-10-26 17:44:07 PDT
Thanks for the review, Kent. Landed as http://trac.webkit.org/changeset/70593.
Note You need to log in before you can comment on or make changes to this bug.