Modified: trunk/LayoutTests/ChangeLog (86770 => 86771)
--- trunk/LayoutTests/ChangeLog 2011-05-18 16:02:56 UTC (rev 86770)
+++ trunk/LayoutTests/ChangeLog 2011-05-18 16:08:39 UTC (rev 86771)
@@ -1,3 +1,19 @@
+2011-05-18 Rob Buis <[email protected]>
+
+ Reviewed by Nikolas Zimmermann.
+
+ NULL deref when SVG elements have table styles
+ https://bugs.webkit.org/show_bug.cgi?id=45561
+
+ * svg/custom/display-table-caption-foreignObject-expected.txt: Added.
+ * svg/custom/display-table-caption-foreignObject.svg: Added.
+ * svg/custom/display-table-caption-inherit-foreignObject-expected.txt: Added.
+ * svg/custom/display-table-caption-inherit-foreignObject.xhtml: Added.
+ * svg/custom/display-table-caption-inherit-text-expected.txt: Added.
+ * svg/custom/display-table-caption-inherit-text.xhtml: Added.
+ * svg/custom/display-table-caption-text-expected.txt: Added.
+ * svg/custom/display-table-caption-text.svg: Added.
+
2011-05-18 Adam Roben <[email protected]>
Skip a new test that fails due to unimplemented WTR features
Added: trunk/LayoutTests/svg/custom/display-table-caption-foreignObject-expected.txt (0 => 86771)
--- trunk/LayoutTests/svg/custom/display-table-caption-foreignObject-expected.txt (rev 0)
+++ trunk/LayoutTests/svg/custom/display-table-caption-foreignObject-expected.txt 2011-05-18 16:08:39 UTC (rev 86771)
@@ -0,0 +1 @@
+This test PASSED if we don't crash when the display value is table-caption
Added: trunk/LayoutTests/svg/custom/display-table-caption-foreignObject.svg (0 => 86771)
--- trunk/LayoutTests/svg/custom/display-table-caption-foreignObject.svg (rev 0)
+++ trunk/LayoutTests/svg/custom/display-table-caption-foreignObject.svg 2011-05-18 16:08:39 UTC (rev 86771)
@@ -0,0 +1,7 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+ <script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ </script>
+ <foreignObject display="table-caption"><xhtml:div>This test PASSED if we don't crash when the display value is table-caption</xhtml:div></foreignObject>
+</svg>
Added: trunk/LayoutTests/svg/custom/display-table-caption-inherit-foreignObject-expected.txt (0 => 86771)
--- trunk/LayoutTests/svg/custom/display-table-caption-inherit-foreignObject-expected.txt (rev 0)
+++ trunk/LayoutTests/svg/custom/display-table-caption-inherit-foreignObject-expected.txt 2011-05-18 16:08:39 UTC (rev 86771)
@@ -0,0 +1,2 @@
+This test PASSED if we don't crash when the display value is table-caption by using inherit
+
Added: trunk/LayoutTests/svg/custom/display-table-caption-inherit-foreignObject.xhtml (0 => 86771)
--- trunk/LayoutTests/svg/custom/display-table-caption-inherit-foreignObject.xhtml (rev 0)
+++ trunk/LayoutTests/svg/custom/display-table-caption-inherit-foreignObject.xhtml 2011-05-18 16:08:39 UTC (rev 86771)
@@ -0,0 +1,9 @@
+<div style="display:table-caption">
+ <svg xmlns="http://www.w3.org/2000/svg" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+ <script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ </script>
+ <foreignObject display="inherit"><xhtml:div>This test PASSED if we don't crash when the display value is table-caption by using inherit</xhtml:div></foreignObject>
+ </svg>
+</div>
Added: trunk/LayoutTests/svg/custom/display-table-caption-inherit-text-expected.txt (0 => 86771)
--- trunk/LayoutTests/svg/custom/display-table-caption-inherit-text-expected.txt (rev 0)
+++ trunk/LayoutTests/svg/custom/display-table-caption-inherit-text-expected.txt 2011-05-18 16:08:39 UTC (rev 86771)
@@ -0,0 +1,2 @@
+This test PASSED if we don't crash when the display value is table-caption by using inherit
+
Added: trunk/LayoutTests/svg/custom/display-table-caption-inherit-text.xhtml (0 => 86771)
--- trunk/LayoutTests/svg/custom/display-table-caption-inherit-text.xhtml (rev 0)
+++ trunk/LayoutTests/svg/custom/display-table-caption-inherit-text.xhtml 2011-05-18 16:08:39 UTC (rev 86771)
@@ -0,0 +1,9 @@
+<div style="display:table-caption">
+ <svg xmlns="http://www.w3.org/2000/svg">
+ <script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ </script>
+ <text display="inherit">This test PASSED if we don't crash when the display value is table-caption by using inherit</text>
+ </svg>
+</div>
Added: trunk/LayoutTests/svg/custom/display-table-caption-text-expected.txt (0 => 86771)
--- trunk/LayoutTests/svg/custom/display-table-caption-text-expected.txt (rev 0)
+++ trunk/LayoutTests/svg/custom/display-table-caption-text-expected.txt 2011-05-18 16:08:39 UTC (rev 86771)
@@ -0,0 +1 @@
+This test PASSED if we don't crash when the display value is table-caption
Added: trunk/LayoutTests/svg/custom/display-table-caption-text.svg (0 => 86771)
--- trunk/LayoutTests/svg/custom/display-table-caption-text.svg (rev 0)
+++ trunk/LayoutTests/svg/custom/display-table-caption-text.svg 2011-05-18 16:08:39 UTC (rev 86771)
@@ -0,0 +1,7 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+ <script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ </script>
+ <text display="table-caption">This test PASSED if we don't crash when the display value is table-caption</text>
+</svg>
Modified: trunk/Source/WebCore/ChangeLog (86770 => 86771)
--- trunk/Source/WebCore/ChangeLog 2011-05-18 16:02:56 UTC (rev 86770)
+++ trunk/Source/WebCore/ChangeLog 2011-05-18 16:08:39 UTC (rev 86771)
@@ -1,3 +1,23 @@
+2011-05-18 Rob Buis <[email protected]>
+
+ Reviewed by Nikolas Zimmermann.
+
+ NULL deref when SVG elements have table styles
+ https://bugs.webkit.org/show_bug.cgi?id=45561
+
+ Restrict computed CSS values for SVG display property to block, inline or none.
+
+ Tests: svg/custom/display-table-caption-foreignObject.svg
+ svg/custom/display-table-caption-inherit-foreignObject.xhtml
+ svg/custom/display-table-caption-inherit-text.xhtml
+ svg/custom/display-table-caption-text.svg
+
+ * css/CSSStyleSelector.cpp:
+ (WebCore::SVGDisplayPropertyGuard::SVGDisplayPropertyGuard):
+ (WebCore::SVGDisplayPropertyGuard::~SVGDisplayPropertyGuard):
+ (WebCore::isAcceptableForSVGElement):
+ (WebCore::CSSStyleSelector::applyProperty):
+
2011-05-18 Pavel Feldman <[email protected]>
Reviewed by Yury Semikhatsky.
Modified: trunk/Source/WebCore/css/CSSStyleSelector.cpp (86770 => 86771)
--- trunk/Source/WebCore/css/CSSStyleSelector.cpp 2011-05-18 16:02:56 UTC (rev 86770)
+++ trunk/Source/WebCore/css/CSSStyleSelector.cpp 2011-05-18 16:08:39 UTC (rev 86771)
@@ -7,6 +7,7 @@
* Copyright (C) 2007, 2008 Eric Seidel <[email protected]>
* Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.torchmobile.com/)
* Copyright (c) 2011, Code Aurora Forum. All rights reserved.
+ * Copyright (C) Research In Motion Limited 2011. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Library General Public
@@ -3540,6 +3541,53 @@
return false;
}
+class SVGDisplayPropertyGuard {
+ WTF_MAKE_NONCOPYABLE(SVGDisplayPropertyGuard);
+public:
+ SVGDisplayPropertyGuard(Element*, RenderStyle*);
+ ~SVGDisplayPropertyGuard();
+private:
+#if ENABLE(SVG)
+ RenderStyle* m_style;
+ EDisplay m_originalDisplayPropertyValue;
+#endif
+};
+
+#if !ENABLE(SVG)
+inline SVGDisplayPropertyGuard::SVGDisplayPropertyGuard(Element*, RenderStyle*)
+{
+}
+
+inline SVGDisplayPropertyGuard::~SVGDisplayPropertyGuard()
+{
+}
+#else
+static inline bool isAcceptableForSVGElement(EDisplay displayPropertyValue)
+{
+ return displayPropertyValue == INLINE || displayPropertyValue == BLOCK || displayPropertyValue == NONE;
+}
+
+inline SVGDisplayPropertyGuard::SVGDisplayPropertyGuard(Element* element, RenderStyle* style)
+{
+ if (!(element && element->isSVGElement() && style->styleType() == NOPSEUDO)) {
+ m_originalDisplayPropertyValue = NONE;
+ m_style = 0;
+ return;
+ }
+ m_style = style;
+ m_originalDisplayPropertyValue = style->display();
+ ASSERT(isAcceptableForSVGElement(m_originalDisplayPropertyValue));
+}
+
+inline SVGDisplayPropertyGuard::~SVGDisplayPropertyGuard()
+{
+ if (!m_style || isAcceptableForSVGElement(m_style->display()))
+ return;
+ m_style->setDisplay(m_originalDisplayPropertyValue);
+}
+#endif
+
+
// SVG handles zooming in a different way compared to CSS. The whole document is scaled instead
// of each individual length value in the render style / tree. CSSPrimitiveValue::computeLength*()
// multiplies each resolved length with the zoom multiplier - so for SVG we need to disable that.
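Review bot: The constructor at L162 dereferences `style` for `style->styleType()` before any null check, whereas the destructor at L174 tests `m_style` for null — either `style` can never be null at the call site at L190 and the destructor's null test only covers the early-out path, or the constructor needs the check first; making the precondition explicit with `ASSERT(style);` as the first statement of the constructor (or `style && style->styleType() == NOPSEUDO` in the condition) would settle it. The class carries no comment on why it exists; I would add above `class SVGDisplayPropertyGuard` something like `// SVG renderers only handle display: inline, block and none. Any other computed value (e.g. table-caption, also reachable via 'inherit', bug 45561) is reverted to the value the style had before this property was applied.` Since the destructor restores whatever `display()` held when the guard was built rather than a fixed fallback, the final value appears to depend on which declarations were applied earlier — if that is intentional it belongs in the same comment. The `NOPSEUDO` exclusion is likewise undocumented; if pseudo-element styles on SVG elements can reach `applyProperty`, they would still receive the rejected values, so the reason for skipping them should be stated.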
@@ -3611,7 +3659,8 @@
case CSSPropertyClear:
HANDLE_INHERIT_AND_INITIAL_AND_PRIMITIVE(clear, Clear)
return;
- case CSSPropertyDisplay:
+ case CSSPropertyDisplay: {
+ SVGDisplayPropertyGuard guard(m_element, m_style.get());
HANDLE_INHERIT_AND_INITIAL_AND_PRIMITIVE(display, Display)
#if ENABLE(WCSS)
if (primitiveValue && primitiveValue->getIdent() == CSSValueWapMarquee) {
@@ -3629,6 +3678,7 @@
}
#endif
return;
+ }
case CSSPropertyEmptyCells:
HANDLE_INHERIT_AND_INITIAL_AND_PRIMITIVE(emptyCells, EmptyCells)
return;