Bug 48389 - REGRESSION(r67170): crash in removeImplicitlyStyledElement
Summary: REGRESSION(r67170): crash in removeImplicitlyStyledElement
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P1 Normal
Assignee: Ryosuke Niwa
URL:
Keywords: HasReduction
Depends on:
Blocks:
 
Reported: 2010-10-26 17:09 PDT by Ryosuke Niwa
Modified: 2010-10-27 17:31 PDT (History)
4 users (show)

See Also:

Attachments
demo (269 bytes, text/html)
2010-10-26 17:09 PDT, Ryosuke Niwa 		no flags Details
fixes the crash (3.42 KB, patch)
2010-10-26 17:20 PDT, Ryosuke Niwa 		tkent: review+
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ryosuke Niwa 2010-10-26 17:09:09 PDT 
The crash occurs in the following lines of removeImplicitlyStyledElement when mapValue is null and extractedStyle is not null:
        if (extractedStyle)
            extractedStyle->setProperty(equivalent.propertyID, mapValue->cssText());
Comment 1 Ryosuke Niwa 2010-10-26 17:09:33 PDT 
Created attachment 71967 [details]
demo
Comment 2 Ryosuke Niwa 2010-10-26 17:19:07 PDT 
http://crbug.com/59992
Comment 3 Ryosuke Niwa 2010-10-26 17:20:46 PDT 
Created attachment 71969 [details]
fixes the crash
Comment 4 Kent Tamura 2010-10-26 17:21:42 PDT 
Comment on attachment 71969 [details]
fixes the crash

ok
Comment 5 Ryosuke Niwa 2010-10-26 17:23:26 PDT 
(In reply to comment #4)
> (From update of attachment 71969 [details])
> ok

wow, that was really quick!  I'll appreciate if you can take a look at https://bugs.webkit.org/show_bug.cgi?id=48349 since it's a security bug.  I just cc-ed you on the bug.
Comment 6 Ryosuke Niwa 2010-10-26 17:44:07 PDT 
Thanks for the review, Kent.

Landed as http://trac.webkit.org/changeset/70593.