NEW 55597
Arbitrary script execution during style recalc due to SVG font instantiation firing pending image load events
https://bugs.webkit.org/show_bug.cgi?id=55597
mitz
Reported 2011-03-02 11:43:49 PST
During style recalc (or attach()), CachedFont::ensureSVGFontData() can be called, and in turn call into Document::setContent(). That does an implicitClose() which calls ImageLoader::dispatchPendingLoadEvents(), which dispatches an arbitrary set of events and can cause arbitrary script execution and re-entry into style and layout code.
mitz
Comment 1 2011-03-02 11:45:09 PST
Ryosuke Niwa
Comment 2 2018-11-19 21:45:47 PST
Some aspect of this bug has been mitigated by https://trac.webkit.org/changeset/173028.