diff options
author | John Mark Bell <jmb@netsurf-browser.org> | 2007-04-06 12:05:25 +0000 |
---|---|---|
committer | John Mark Bell <jmb@netsurf-browser.org> | 2007-04-06 12:05:25 +0000 |
commit | 94d12a96e7c7ec96539f19494042f969b25391a8 (patch) | |
tree | 5f90a3ea6f53102902a16199708ef5c79db47867 | |
parent | f059818d74bbf856ccb0674555c9c73f0c6e93e5 (diff) | |
download | netsurf-94d12a96e7c7ec96539f19494042f969b25391a8.tar.gz netsurf-94d12a96e7c7ec96539f19494042f969b25391a8.tar.bz2 |
Squash access to freed memory.
Actually process form inputs which have been styled display:none;
This needs revisiting after 1.0 as the following will still break:
<form ..>
<div style="display:none;">
<input type="hidden" name="foo" value="bar"/>
</div>
<input type="submit" name="submit" value="submit"/>
</form>
The children of the div are not processed (which is correct for display
purposes, but results in the hidden input being ignored entirely). A
more correct fix would be to perform form input -> gadget creation
orthogonally from box tree generation; then styling will have no effect.
svn path=/trunk/netsurf/; revision=3236
-rw-r--r-- | render/box_construct.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/render/box_construct.c b/render/box_construct.c index cf39901df..7bc8b2152 100644 --- a/render/box_construct.c +++ b/render/box_construct.c @@ -307,10 +307,6 @@ bool box_construct_element(xmlNode *n, struct content *content, style = box_get_style(content, parent_style, n); if (!style) return false; - if (style->display == CSS_DISPLAY_NONE) { - talloc_free(style); - return true; - } /* extract title attribute, if present */ if ((title0 = xmlGetProp(n, (const xmlChar *) "title"))) { @@ -348,7 +344,11 @@ bool box_construct_element(xmlNode *n, struct content *content, } if (style->display == CSS_DISPLAY_NONE) { talloc_free(style); - box_free_box(box); + /* We can't do this, as it will destroy any gadget + * associated with the box, thus making any form usage + * access freed memory. The box is in the talloc context, + * anyway, so will get cleaned up with the content. */ + /* box_free_box(box); */ return true; } |