Title: [217227] trunk
- Revision: 217227
- Author: an...@apple.com
- Date: 2017-05-22 11:16:18 -0700 (Mon, 22 May 2017)
Log Message
Crash in WebCore::StyleRuleKeyframes::findKeyframeIndex
https://bugs.webkit.org/show_bug.cgi?id=170756
<rdar://problem/31573157>
Reviewed by Andreas Kling.
Source/WebCore:
Using a malformed key with CSSKeyframesRule.findRule crashes because
CSSParser::parseKeyframeKeyList returns null which is then dereferenced.
* css/CSSKeyframesRule.cpp:
(WebCore::StyleRuleKeyframes::findKeyframeIndex): Null test.
LayoutTests:
Expand the tests to cover the malformed key case.
* animations/keyframes-rule.html:
* animations/unprefixed-keyframes-rule.html:
Modified Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (217226 => 217227)
--- trunk/LayoutTests/ChangeLog 2017-05-22 18:11:51 UTC (rev 217226)
+++ trunk/LayoutTests/ChangeLog 2017-05-22 18:16:18 UTC (rev 217227)
@@ -1,3 +1,16 @@
+2017-05-22 Antti Koivisto <an...@apple.com>
+
+ Crash in WebCore::StyleRuleKeyframes::findKeyframeIndex
+ https://bugs.webkit.org/show_bug.cgi?id=170756
+ <rdar://problem/31573157>
+
+ Reviewed by Andreas Kling.
+
+ Expand the tests to cover the malformed key case.
+
+ * animations/keyframes-rule.html:
+ * animations/unprefixed-keyframes-rule.html:
+
2017-05-22 youenn fablet <you...@apple.com>
Resync web-platform-tests up to 8df7c9c215678328212f232ce0b5270c505a8563
Modified: trunk/LayoutTests/animations/keyframes-rule-expected.txt (217226 => 217227)
--- trunk/LayoutTests/animations/keyframes-rule-expected.txt 2017-05-22 18:11:51 UTC (rev 217226)
+++ trunk/LayoutTests/animations/keyframes-rule-expected.txt 2017-05-22 18:16:18 UTC (rev 217227)
@@ -57,6 +57,9 @@
Try to find a rule that doesn't exist
PASS Non-existent rule was not found
+Try to find a rule using a malformed key
+PASS rule is null
+
Delete a rule
PASS rules2.length is 2
PASS rules2.item(0).type is window.CSSRule.KEYFRAME_RULE
Modified: trunk/LayoutTests/animations/keyframes-rule.html (217226 => 217227)
--- trunk/LayoutTests/animations/keyframes-rule.html 2017-05-22 18:11:51 UTC (rev 217226)
+++ trunk/LayoutTests/animations/keyframes-rule.html 2017-05-22 18:16:18 UTC (rev 217227)
@@ -161,6 +161,13 @@
testPassed("Non-existent rule was not found");
debug("");
+debug("Try to find a rule using a malformed key");
+
+rule = keyframes2.findRule("1");
+
+shouldBe("rule", "null");
+
+debug("");
debug("Delete a rule");
keyframes2.deleteRule("50%");
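Review bot: the new malformed-key case exercises only `"1"` through `findRule`; since the fix lives in the shared lookup (`StyleRuleKeyframes::findKeyframeIndex`), it would be worth asserting in the same block that the other entry points taking a key, such as `keyframes2.deleteRule("1")` just below, also return cleanly on a malformed key, and adding one or two further malformed inputs (an empty string, a non-numeric token) so the null-return path of `parseKeyframeKeyList` is covered for more than one shape of bad input.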
Modified: trunk/LayoutTests/animations/unprefixed-keyframes-rule-expected.txt (217226 => 217227)
--- trunk/LayoutTests/animations/unprefixed-keyframes-rule-expected.txt 2017-05-22 18:11:51 UTC (rev 217226)
+++ trunk/LayoutTests/animations/unprefixed-keyframes-rule-expected.txt 2017-05-22 18:16:18 UTC (rev 217227)
@@ -57,6 +57,9 @@
Try to find a rule that doesn't exist
PASS Non-existent rule was not found
+Try to find a rule using a malformed key
+PASS rule is null
+
Delete a rule
PASS rules2.length is 2
PASS rules2.item(0).type is window.CSSRule.KEYFRAME_RULE
Modified: trunk/LayoutTests/animations/unprefixed-keyframes-rule.html (217226 => 217227)
--- trunk/LayoutTests/animations/unprefixed-keyframes-rule.html 2017-05-22 18:11:51 UTC (rev 217226)
+++ trunk/LayoutTests/animations/unprefixed-keyframes-rule.html 2017-05-22 18:16:18 UTC (rev 217227)
@@ -161,6 +161,13 @@
testPassed("Non-existent rule was not found");
debug("");
+debug("Try to find a rule using a malformed key");
+
+rule = keyframes2.findRule("1");
+
+shouldBe("rule", "null");
+
+debug("");
debug("Delete a rule");
keyframes2.deleteRule("50%");
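Review bot: this block is a verbatim copy of the addition to `keyframes-rule.html`; any extra malformed-key cases (a `deleteRule` call with the bad key, an empty string) added to the prefixed test should be mirrored here so the prefixed and unprefixed suites keep covering the same `findKeyframeIndex` path.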
Modified: trunk/Source/WebCore/ChangeLog (217226 => 217227)
--- trunk/Source/WebCore/ChangeLog 2017-05-22 18:11:51 UTC (rev 217226)
+++ trunk/Source/WebCore/ChangeLog 2017-05-22 18:16:18 UTC (rev 217227)
@@ -1,3 +1,17 @@
+2017-05-22 Antti Koivisto <an...@apple.com>
+
+ Crash in WebCore::StyleRuleKeyframes::findKeyframeIndex
+ https://bugs.webkit.org/show_bug.cgi?id=170756
+ <rdar://problem/31573157>
+
+ Reviewed by Andreas Kling.
+
+ Using a malformed key with CSSKeyframesRule.findRule crashes because
+ CSSParser::parseKeyframeKeyList returns null which is then dereferenced.
+
+ * css/CSSKeyframesRule.cpp:
+ (WebCore::StyleRuleKeyframes::findKeyframeIndex): Null test.
+
2017-05-22 Wenson Hsieh <wenson_hs...@apple.com>
Remove unused documentIsHandlingNonDefaultDrag plumbing for WebKit2
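Review bot: the per-function line `(WebCore::StyleRuleKeyframes::findKeyframeIndex): Null test.` is too terse to be useful on its own; stating the observable contract, that a key `CSSParser::parseKeyframeKeyList` cannot parse now yields `notFound` (and so a null result from `CSSKeyframesRule.findRule`) rather than a dereference of a null pointer, would let a reader of the log understand the fix without opening the diff.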
Modified: trunk/Source/WebCore/css/CSSKeyframesRule.cpp (217226 => 217227)
--- trunk/Source/WebCore/css/CSSKeyframesRule.cpp 2017-05-22 18:11:51 UTC (rev 217226)
+++ trunk/Source/WebCore/css/CSSKeyframesRule.cpp 2017-05-22 18:16:18 UTC (rev 217227)
@@ -105,6 +105,9 @@
auto keys = CSSParser::parseKeyframeKeyList(key);
+ if (!keys)
+ return notFound;
+
for (size_t i = m_keyframes.size(); i--; ) {
if (m_keyframes[i]->keys() == *keys)
return i;
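Review bot: the `if (!keys) return notFound;` guard is the right minimal fix for the `*keys` dereference in the loop, but the hunk only shows this one caller of `CSSParser::parseKeyframeKeyList`; please confirm the other call sites of that function handle a null return the same way, and add a short comment at the guard noting that a null list means the key failed to parse, so the next reader does not mistake it for an "empty key list" case. Returning an empty list from the parser on a malformed key, rather than null, would remove this class of bug at every caller at once and may be worth a follow-up.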
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes