165964 – Possible nullptr dereference in FrameView::updateScrollCorner

NEW 165964

Possible nullptr dereference in FrameView::updateScrollCorner

https://bugs.webkit.org/show_bug.cgi?id=165964

Summary Possible nullptr dereference in FrameView::updateScrollCorner

Brent Fulgham

Reported 2016-12-16 11:29:29 PST

It is possible for 'renderer' to be null, but still have a valid cornerStyle: 1. If the document has no body, and the root element has no style, but we do have an owning iframe/frame element, we set a cornerStyle (but do not set the renderer). 2. Later, if no 'm_scrollCorner' member exists, we attempt to create one by accessing the renderer's document, generating a nullptr dereference.

Attachments
Add attachment proposed patch, testcase, etc.

Note You need to log in before you can comment on or make changes to this bug.

Status NEW

Resolution

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware All

OS All

Product WebKit

Component Layout and Rendering

Assignee

Nobody

Reported

2016-12-16 11:29 PST

Modified

2016-12-16 11:30 PST History

CC List

5 users Show

URL

Keywords

Depends on

Blocks