A use-after-free issue exists in WebKit's rendering of HTML document
subtrees. Visiting a maliciously crafted website may lead to an unexpected
application termination or arbitrary code execution. This issue is
addressed through improved rendering of HTML document subtrees.
References:
Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=37760
Trac: http://trac.webkit.org/changeset/59263
Acknowledgements:
Red Hat would like to thank Drew Yao of Apple Product Security for
responsibly reporting this issue. Upstream acknowledges James Robinson of
Google Inc. as the original reporter.
Based on the code, this looks applicable to webkitgtk (1.2.0, svn r56916) and qt (4.6.2, svn r50154).
The upstream reproducer, however, does not crash webkitgtk or qt.