Bug 55597

Summary: Arbitrary script execution during style recalc due to SVG font instantiation firing pending image load events
Product: WebKit Reporter: mitz
Component: New Bugs Assignee: Nobody <webkit-unassigned>
Status: NEW    
Severity: Normal CC: ap, rniwa, simon.fraser, zalan
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
See Also: https://bugs.webkit.org/show_bug.cgi?id=136269

mitz
Reported 2011-03-02 11:43:49 PST
During style recalc (or attach()), CachedFont::ensureSVGFontData() can be called, and in turn call into Document::setContent(). That does an implicitClose() which calls ImageLoader::dispatchPendingLoadEvents(), which dispatches an arbitrary set of events and can cause arbitrary script execution and re-entry into style and layout code.
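The re-entrancy chain in the report, reduced to a small model as an added illustration (this is not WebKit code, and it is not the fix from any WebKit changeset; every name below such as Engine, runScenario and deferEventsDuringRecalc is invented). The point it shows is the general defensive pattern for this class of bug: an engine that dispatches pending load events while a style recalc is on the stack lets script re-enter layout, whereas one that notices the in-progress recalc, keeps the events queued and flushes them once the recalc has unwound delivers the same events without the re-entry.

```cpp
#include <functional>
#include <iostream>
#include <string>
#include <vector>

// Simplified model of the hazard in the report. Names are invented for
// illustration; none of this is WebKit's own code.
struct Engine {
    int styleRecalcDepth = 0;                          // > 0 while recalcStyle() is running
    bool deferEventsDuringRecalc = true;               // the defensive behaviour under test
    std::vector<std::function<void()>> pendingLoadEvents;
    std::vector<std::string> log;                      // ordered record of what happened

    void queueLoadEvent(std::function<void()> handler) {
        pendingLoadEvents.push_back(std::move(handler));
    }

    // Stands in for ImageLoader::dispatchPendingLoadEvents(). Hardened variant:
    // if a style recalc is in progress, leave the events queued for later.
    void dispatchPendingLoadEvents() {
        if (deferEventsDuringRecalc && styleRecalcDepth > 0) {
            log.push_back("deferred");
            return;
        }
        auto events = std::move(pendingLoadEvents);
        pendingLoadEvents.clear();
        for (auto& fire : events)
            fire();                                    // runs arbitrary script
    }

    // Stands in for CachedFont::ensureSVGFontData() -> Document::setContent()
    // -> implicitClose(), which ends in dispatchPendingLoadEvents().
    void ensureSVGFontData() {
        log.push_back("svg-font-instantiated");
        dispatchPendingLoadEvents();
    }

    void recalcStyle() {
        ++styleRecalcDepth;
        log.push_back("recalc-begin");
        ensureSVGFontData();                           // font load triggered mid-recalc
        log.push_back("recalc-end");
        --styleRecalcDepth;
        if (styleRecalcDepth == 0)
            dispatchPendingLoadEvents();               // safe point: flush what was deferred
    }
};

// Runs one style recalc with a pending image load event whose handler records
// whether it executed while recalc was still on the stack.
std::vector<std::string> runScenario(bool hardened) {
    Engine engine;
    engine.deferEventsDuringRecalc = hardened;
    engine.queueLoadEvent([&engine] {
        engine.log.push_back("script-runs");
        if (engine.styleRecalcDepth > 0)
            engine.log.push_back("REENTRANT-RECALC");   // the bug: script inside recalc
    });
    engine.recalcStyle();
    return engine.log;
}

bool contains(const std::vector<std::string>& log, const std::string& entry) {
    for (const auto& e : log)
        if (e == entry) return true;
    return false;
}

bool scriptRanDuringRecalc(const std::vector<std::string>& log) {
    return contains(log, "REENTRANT-RECALC");
}

int main() {
    for (bool hardened : {false, true}) {
        std::cout << (hardened ? "hardened:   " : "unhardened: ");
        for (const auto& e : runScenario(hardened)) std::cout << e << ' ';
        std::cout << '\n';
    }
    return 0;
}
```

The check that matters in the hardened run is that "script-runs" still appears in the log, just after "recalc-end": deferring is only a fix if the events are flushed at the next safe point rather than dropped.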
Attachments
mitz
Comment 1 2011-03-02 11:45:09 PST
Ryosuke Niwa
Comment 2 2018-11-19 21:45:47 PST
Some aspect of this bug has been mitigated by https://trac.webkit.org/changeset/173028.