Title: [261830] trunk
Revision
261830
Author
commit-qu...@webkit.org
Date
2020-05-18 13:49:30 -0700 (Mon, 18 May 2020)

Log Message

Null Ptr Deref @ WebCore::CSSValue::classType
https://bugs.webkit.org/show_bug.cgi?id=212036

Patch by Pinki Gyanchandani <pgyanchand...@apple.com> on 2020-05-18
Reviewed by Geoffrey Garen.

Source/WebCore:

Calculated value for a primitive value type can be NULL for a CSS property. Added a null check before dereferencing it.

Test: editing/execCommand/null_calc_primitive_value_for_css_property.html

* css/CSSPrimitiveValue.cpp:
(WebCore::CSSPrimitiveValue::formatNumberForCustomCSSText const):

LayoutTests:

Added a regression test.

* editing/execCommand/null_calc_primitive_value_for_css_property-expected.txt: Added.
* editing/execCommand/null_calc_primitive_value_for_css_property.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (261829 => 261830)


--- trunk/LayoutTests/ChangeLog	2020-05-18 20:49:23 UTC (rev 261829)
+++ trunk/LayoutTests/ChangeLog	2020-05-18 20:49:30 UTC (rev 261830)
@@ -1,3 +1,15 @@
+2020-05-18  Pinki Gyanchandani  <pgyanchand...@apple.com>
+
+        Null Ptr Deref @ WebCore::CSSValue::classType
+        https://bugs.webkit.org/show_bug.cgi?id=212036
+
+        Reviewed by Geoffrey Garen.
+
+        Added a regression test.
+
+        * editing/execCommand/null_calc_primitive_value_for_css_property-expected.txt: Added.
+        * editing/execCommand/null_calc_primitive_value_for_css_property.html: Added.
+
 2020-05-15  Lauro Moura  <lmo...@igalia.com>
 
         [GTK][WPE] Rebaseline security/block-test-no-port.html

Added: trunk/LayoutTests/editing/execCommand/null_calc_primitive_value_for_css_property-expected.txt (0 => 261830)


--- trunk/LayoutTests/editing/execCommand/null_calc_primitive_value_for_css_property-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/execCommand/null_calc_primitive_value_for_css_property-expected.txt	2020-05-18 20:49:30 UTC (rev 261830)
@@ -0,0 +1 @@
+The test passes if there is no crash.

Added: trunk/LayoutTests/editing/execCommand/null_calc_primitive_value_for_css_property.html (0 => 261830)


--- trunk/LayoutTests/editing/execCommand/null_calc_primitive_value_for_css_property.html	                        (rev 0)
+++ trunk/LayoutTests/editing/execCommand/null_calc_primitive_value_for_css_property.html	2020-05-18 20:49:30 UTC (rev 261830)
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<style>
+ins {  -webkit-user-modify: read-write-plaintext-only; padding-top: min(0.567808180561cm,0.646823110843rem,0.220603270448cm,0.306470816913cm,4%) }
+</style>
+<script>
+
+function cssPrimitiveValTest() {
+    if (window.testRunner)
+        testRunner.dumpAsText();
+
+    document.getSelection().extend(x); 
+    document.execCommand("insertHTML", false, "The test passes if there is no crash.");
+}
+</script>
+
+<body _onload_=cssPrimitiveValTest()>
+<ins id="x">
+
+</body>
+</html>
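Review bot: the `_onload_` attribute in `+<body _onload_=cssPrimitiveValTest()>` is not an event handler attribute a browser recognizes, so as shown here `cssPrimitiveValTest()` never runs and the test would pass without ever reaching the `extend`/`insertHTML` sequence that triggers the crash; if this is the list archive's rewrite of `onload`, confirm the committed file reads `<body onload="cssPrimitiveValTest()">`, otherwise the regression test is a no-op. Smaller points in the same hunk: `document.getSelection().extend(x);` has trailing whitespace and relies on named element access for `x` (`document.getElementById("x")` is more explicit), and the `<ins id="x">` element is never closed, which is presumably intentional for the editing case but deserves a comment.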

Modified: trunk/Source/WebCore/ChangeLog (261829 => 261830)


--- trunk/Source/WebCore/ChangeLog	2020-05-18 20:49:23 UTC (rev 261829)
+++ trunk/Source/WebCore/ChangeLog	2020-05-18 20:49:30 UTC (rev 261830)
@@ -1,3 +1,17 @@
+2020-05-18  Pinki Gyanchandani  <pgyanchand...@apple.com>
+
+        Null Ptr Deref @ WebCore::CSSValue::classType
+        https://bugs.webkit.org/show_bug.cgi?id=212036
+
+        Reviewed by Geoffrey Garen.
+
+        Calculated value for a primitive value type can be NULL for a CSS property. Added a null check before dereferencing it.
+
+        Test: editing/execCommand/null_calc_primitive_value_for_css_property.html
+
+        * css/CSSPrimitiveValue.cpp:
+        (WebCore::CSSPrimitiveValue::formatNumberForCustomCSSText const):
+
 2020-05-18  Simon Fraser  <simon.fra...@apple.com>
 
         Implement conversion between P3 and sRGB color
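Review bot: the ChangeLog entry states that the calculated value "can be NULL" and that a null check was added, but not how a `CSSPrimitiveValue` with unit type `CSS_CALC` ends up with a null `m_value.calc` in the first place; recording the construction path that produces it (the `min()` expression in the regression test is the only hint) would let a future reader tell whether this check is the fix or a guard for an invariant that is violated elsewhere.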

Modified: trunk/Source/WebCore/css/CSSPrimitiveValue.cpp (261829 => 261830)


--- trunk/Source/WebCore/css/CSSPrimitiveValue.cpp	2020-05-18 20:49:23 UTC (rev 261829)
+++ trunk/Source/WebCore/css/CSSPrimitiveValue.cpp	2020-05-18 20:49:30 UTC (rev 261830)
@@ -1090,6 +1090,8 @@
     case CSSUnitType::CSS_PAIR:
         return pairValue()->cssText();
     case CSSUnitType::CSS_CALC:
+        if (!m_value.calc)
+            break;
         return m_value.calc->cssText();
     case CSSUnitType::CSS_SHAPE:
         return m_value.shape->cssText();
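Review bot: the new `if (!m_value.calc) break;` leaves the `switch` without a value, and the hunk does not show what follows the `switch` in `formatNumberForCustomCSSText`; confirm that the post-switch path returns a sensible serialization (an empty `String` or similar) rather than hitting an `ASSERT_NOT_REACHED()` that would simply move the crash in debug builds. The neighbouring cases `pairValue()->cssText()` and `m_value.shape->cssText()` dereference their pointers unchecked on the assumption that the unit type guarantees a non-null payload; since that assumption evidently fails for `CSS_CALC`, a short comment explaining why `calc` may be null here, and a check of the other `m_value.calc` dereferences in this file for the same condition, would make the guard easier to trust.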
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes