New issue
Advanced search Search tips
Starred by 1 user
Status: Fixed
Closed: Mar 2011
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security

  • Only users with EditIssue permission may comment.

Sign in to add a comment
Bad cast to RenderBlock with floating select element with required attribute
Reported by, Mar 8 2011 Back to list
Chrome Version       : <Copy from: 'about:version'>
URLs (if applicable) :
Other browsers tested: Also tested Chrome 10.x on Mac and it FAILED
What steps will reproduce the problem?
1. Go here
2. Submit the form without first picking an option
3. Submit again or pick an option

What is the expected result?

I expect that the form will let me select an option and then validate correctly.

What happens instead?

Chrome Crashes

Please provide any additional information below.

Another issue also exists with the validation not updating when using keyword to navigation. You can repeat this by going here,, click submit, then (after chrome focues on the select) use your arrow keys to select an option. 

Comment 1 by, Mar 9 2011
Labels: -Area-Undefined Area-WebKit WebKit-Core Feature-Forms
Status: Available
This looks a bug of validation message bubble.

Comment 2 by, Mar 9 2011
Status: Started
Summary: Chrome crashes on floating select element with required attribute (was: NULL)
Comment 3 by, Mar 9 2011
Posted a patch to WebKit:

Labels: SecSeverity-High OS-All Mstone-10
Summary: Bad cast to RenderBlock with floating select element with required attribute (was: NULL)
Labels: Restrict-View-SecurityTeam Security
Comment 6 by, Mar 15 2011
Status: Fixed
Fixed in WebKit.

We need to merge the following two changes to M10 and M11 branches:

M9 or prior don't have this issue.

Labels: reward-topanel
Status: WillMerge
Status -> WillMerge to make sure we do the merges.
Labels: -Mstone-10 -Restrict-View-SecurityTeam Mstone-11 Restrict-View-SecurityNotify
Status: FixUnreleased
Merged to M11:

@mdhgriffiths: this turned out to be a security bug. It there some more descriptive name you'd like us to credit you with in our release notes?
Comment 9 Deleted
Labels: Type-Security
@scarybeasts, You can give credit to me, Michael Griffiths.

Also, is this a security bug that qualifies for a bounty reward?

Labels: -reward-topanel reward-500 reward-unpaid
@mdhgriffiths: as it happens... this DOES qualify for a provisional $500 Chromium Security Reward :D We normally don't reward things not reported as Security issues, but see below for rules etc.

NOTE: normally we do not reward security bugs unless initially filed with the
security template. Sometimes we make an exception for the first time an individual
files a security bug as a non-security issue.
For full guidelines on filing security bugs, see:

Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
@scarybeasts: Thank you! I can't wait to brag to my co-workers lol :P

I'll be sure to test more next time and to properly label the issue. How do I go about getting this bounty?

Thanks again! You, and Google have just made my day! 
@mdhgriffiths: first we get the fix out to the stable channel (should be within a couple of weeks thanks to our 6-week release cycle). Then, ping to start the payment process. Thanks :)
Thanks, Sounds good! Let me know when it's good :)
Labels: CVE-2011-1441
Ok, ping to set up payment :)
Comment 18 Deleted
Sweet! Thanks again! :) I've sent cevans an email. (Thats what you meant by ping, right? :P)
Labels: -reward-unpaid
Labels: SecImpacts-Stable
Batch update.
Labels: -Restrict-View-SecurityNotify
Lifting view restrictions.
Status: Fixed
Project Member Comment 24 by, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 25 by, Mar 10 2013
Labels: -Area-WebKit -WebKit-Core -SecSeverity-High -Mstone-11 -Type-Security -SecImpacts-Stable Cr-Content Security-Impact-Stable Type-Bug-Security Security-Severity-High M-11 Cr-Content-Core
Project Member Comment 26 by, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Project Member Comment 27 by, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 28 by, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 29 by, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 30 by, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Project Member Comment 31 by, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic
Sign in to add a comment