New issue
Advanced search Search tips

Issue 75347 link

Starred by 1 user

Issue metadata

Status: Fixed
Closed: Mar 2011
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

  • Only users with EditIssue permission may comment.

Sign in to add a comment

Bad cast to RenderBlock with floating select element with required attribute

Reported by, Mar 8 2011

Issue description

Chrome Version       : <Copy from: 'about:version'>
URLs (if applicable) :
Other browsers tested: Also tested Chrome 10.x on Mac and it FAILED
What steps will reproduce the problem?
1. Go here
2. Submit the form without first picking an option
3. Submit again or pick an option

What is the expected result?

I expect that the form will let me select an option and then validate correctly.

What happens instead?

Chrome Crashes

Please provide any additional information below.

Another issue also exists with the validation not updating when using keyword to navigation. You can repeat this by going here,, click submit, then (after chrome focues on the select) use your arrow keys to select an option. 


Comment 1 by, Mar 9 2011

Labels: -Area-Undefined Area-WebKit WebKit-Core Feature-Forms
Status: Available
This looks a bug of validation message bubble.

Comment 2 by, Mar 9 2011

Status: Started
Summary: Chrome crashes on floating select element with required attribute

Comment 3 by, Mar 9 2011

Posted a patch to WebKit:

Labels: SecSeverity-High OS-All Mstone-10
Summary: Bad cast to RenderBlock with floating select element with required attribute
Labels: Restrict-View-SecurityTeam Security

Comment 6 by, Mar 15 2011

Status: Fixed
Fixed in WebKit.

We need to merge the following two changes to M10 and M11 branches:

M9 or prior don't have this issue.

Labels: reward-topanel
Status: WillMerge
Status -> WillMerge to make sure we do the merges.
Labels: -Mstone-10 -Restrict-View-SecurityTeam Mstone-11 Restrict-View-SecurityNotify
Status: FixUnreleased
Merged to M11:

@mdhgriffiths: this turned out to be a security bug. It there some more descriptive name you'd like us to credit you with in our release notes?

Comment 9 Deleted

Labels: Type-Security
@scarybeasts, You can give credit to me, Michael Griffiths.

Also, is this a security bug that qualifies for a bounty reward?

Labels: -reward-topanel reward-500 reward-unpaid
@mdhgriffiths: as it happens... this DOES qualify for a provisional $500 Chromium Security Reward :D We normally don't reward things not reported as Security issues, but see below for rules etc.

NOTE: normally we do not reward security bugs unless initially filed with the
security template. Sometimes we make an exception for the first time an individual
files a security bug as a non-security issue.
For full guidelines on filing security bugs, see:

Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
@scarybeasts: Thank you! I can't wait to brag to my co-workers lol :P

I'll be sure to test more next time and to properly label the issue. How do I go about getting this bounty?

Thanks again! You, and Google have just made my day! 
@mdhgriffiths: first we get the fix out to the stable channel (should be within a couple of weeks thanks to our 6-week release cycle). Then, ping to start the payment process. Thanks :)
Thanks, Sounds good! Let me know when it's good :)
Labels: CVE-2011-1441
Ok, ping to set up payment :)

Comment 18 Deleted

Sweet! Thanks again! :) I've sent cevans an email. (Thats what you meant by ping, right? :P)
Labels: -reward-unpaid
Labels: SecImpacts-Stable
Batch update.
Labels: -Restrict-View-SecurityNotify
Lifting view restrictions.
Status: Fixed
Project Member

Comment 24 by, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member

Comment 25 by, Mar 10 2013

Labels: -Area-WebKit -WebKit-Core -SecSeverity-High -Mstone-11 -Type-Security -SecImpacts-Stable Cr-Content Security-Impact-Stable Type-Bug-Security Security-Severity-High M-11 Cr-Content-Core
Project Member

Comment 26 by, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Project Member

Comment 27 by, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High
Project Member

Comment 28 by, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member

Comment 29 by, Apr 6 2013

Labels: -Cr-Content Cr-Blink
Project Member

Comment 30 by, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Project Member

Comment 31 by, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
Project Member

Comment 34 by, Jul 29

Labels: -Pri-2 Pri-1

Sign in to add a comment