Bug 165964 - Possible nullptr dereference in FrameView::updateScrollCorner
Summary: Possible nullptr dereference in FrameView::updateScrollCorner
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: WebKit Nightly Build
Hardware: All / All
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-12-16 11:29 PST by Brent Fulgham
Modified: 2016-12-16 11:30 PST

See Also:

Description Brent Fulgham 2016-12-16 11:29:29 PST
It is possible for 'renderer' to be null, but still have a valid cornerStyle:

1. If the document has no body, and the root element has no style, but we do have an owning iframe/frame element, we set a cornerStyle (but do not set the renderer).

2. Later, if no 'm_scrollCorner' member exists, we attempt to create one by accessing the renderer's document, generating a nullptr dereference.
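The two steps above, modelled in a small constructed C++ sketch (added here; this is not WebKit's FrameView code, and the Document/RenderElement/Element/Frame/ScrollCorner types, the updateScrollCorner control flow and the UpdateResult enum are all assumptions that only mirror the report). It reproduces the state from step 1 (no body, root element without style, owning frame element with style) and shows the renderer null-check that step 2 lacks; treating a null renderer as "skip creating the corner" is an assumed mitigation, not the project's actual fix.

```cpp
#include <memory>
#include <optional>
#include <string>

// Constructed model of the state the report describes (not WebKit code):
// the style used for the scroll corner can come from the body, the root
// element, or the owning <iframe>/<frame> element, but only the first two
// paths also record a renderer.
struct Document { std::string name; };
struct RenderElement { Document* document; };
struct Style { int overflow; };

struct Element {
    RenderElement* renderer = nullptr;  // null when the element has no box
    std::optional<Style> style;         // empty when the element has no style
};

struct Frame {
    Element* body = nullptr;
    Element* rootElement = nullptr;
    Element* ownerElement = nullptr;    // owning iframe/frame element, if any
};

struct ScrollCorner {
    Document* document;
    Style style;
};

// Observable outcome, so a test can see which path ran.
enum class UpdateResult { NoCorner, CornerCreated, CornerReused, SkippedNullRenderer };

class FrameView {
public:
    explicit FrameView(Frame& frame) : m_frame(frame) {}

    UpdateResult updateScrollCorner() {
        RenderElement* renderer = nullptr;
        std::optional<Style> cornerStyle;

        if (m_frame.body && m_frame.body->style) {
            renderer = m_frame.body->renderer;
            cornerStyle = m_frame.body->style;
        } else if (m_frame.rootElement && m_frame.rootElement->style) {
            renderer = m_frame.rootElement->renderer;
            cornerStyle = m_frame.rootElement->style;
        } else if (m_frame.ownerElement && m_frame.ownerElement->style) {
            // Step 1 from the report: cornerStyle is taken from the owning
            // frame element, but no renderer is recorded.
            cornerStyle = m_frame.ownerElement->style;
        }

        if (!cornerStyle) {
            m_scrollCorner.reset();
            return UpdateResult::NoCorner;
        }

        if (m_scrollCorner) {
            m_scrollCorner->style = *cornerStyle;
            return UpdateResult::CornerReused;
        }

        // Step 2: creating the corner needs renderer->document. Check the
        // pointer before dereferencing it instead of assuming a renderer is
        // always present (assumed mitigation, not the project's fix).
        if (!renderer)
            return UpdateResult::SkippedNullRenderer;

        m_scrollCorner.reset(new ScrollCorner { renderer->document, *cornerStyle });
        return UpdateResult::CornerCreated;
    }

    const ScrollCorner* scrollCorner() const { return m_scrollCorner.get(); }

private:
    Frame& m_frame;
    std::unique_ptr<ScrollCorner> m_scrollCorner;
};

// Builds the exact state from the report: no body, a root element without
// style, and an owning frame element that has style but no renderer.
inline UpdateResult runReportedScenario() {
    Element root;                      // no style, no renderer
    Element owner;
    owner.style = Style { 1 };
    Frame frame;
    frame.rootElement = &root;
    frame.ownerElement = &owner;
    FrameView view(frame);
    return view.updateScrollCorner();  // reaches the guard, not the dereference
}
```

Without the `if (!renderer)` guard, `runReportedScenario()` would read `renderer->document` through a null pointer, which is the crash the report describes; with it, the corner is simply not created for that frame.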