Title: [87223] branches/safari-534-branch
- Revision: 87223
- Author: [email protected]
- Date: 2011-05-24 15:58:41 -0700 (Tue, 24 May 2011)
Log Message
Merge r87083.
Diff
Modified: branches/safari-534-branch/LayoutTests/ChangeLog (87222 => 87223)
--- branches/safari-534-branch/LayoutTests/ChangeLog 2011-05-24 22:53:42 UTC (rev 87222)
+++ branches/safari-534-branch/LayoutTests/ChangeLog 2011-05-24 22:58:41 UTC (rev 87223)
@@ -1,5 +1,20 @@
2011-05-24 Lucas Forschler <[email protected]>
+ Merged r87083.
+
+ 2011-05-23 Abhishek Arya <[email protected]>
+
+ Reviewed by Simon Fraser.
+
+ Tests that we do not crash when parsing css color for integer or
+ percentage values.
+ https://bugs.webkit.org/show_bug.cgi?id=61293
+
+ * fast/css/parse-color-int-or-percent-crash-expected.txt: Added.
+ * fast/css/parse-color-int-or-percent-crash.html: Added.
+
+2011-05-24 Lucas Forschler <[email protected]>
+
Merged r87026.
2011-05-21 Dan Bernstein <[email protected]>
Copied: branches/safari-534-branch/LayoutTests/fast/css/parse-color-int-or-percent-crash-expected.txt (from rev 87083, trunk/LayoutTests/fast/css/parse-color-int-or-percent-crash-expected.txt) (0 => 87223)
--- branches/safari-534-branch/LayoutTests/fast/css/parse-color-int-or-percent-crash-expected.txt (rev 0)
+++ branches/safari-534-branch/LayoutTests/fast/css/parse-color-int-or-percent-crash-expected.txt 2011-05-24 22:58:41 UTC (rev 87223)
@@ -0,0 +1 @@
+PASS
Copied: branches/safari-534-branch/LayoutTests/fast/css/parse-color-int-or-percent-crash.html (from rev 87083, trunk/LayoutTests/fast/css/parse-color-int-or-percent-crash.html) (0 => 87223)
--- branches/safari-534-branch/LayoutTests/fast/css/parse-color-int-or-percent-crash.html (rev 0)
+++ branches/safari-534-branch/LayoutTests/fast/css/parse-color-int-or-percent-crash.html 2011-05-24 22:58:41 UTC (rev 87223)
@@ -0,0 +1,21 @@
+<html>
+ <body>
+ <script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+ var stopElement = document.createElementNS("http://www.w3.org/2000/svg", "stop");
+ stopElement.style.stopColor = "blue";
+
+ var colorString = "rgb(00000000000000000000";
+ var e;
+ try {
+ stopElement.style.getPropertyCSSValue("stop-color").setRGBColor(colorString);
+ } catch (err) {
+ e = err;
+ }
+
+ document.body.innerHTML = (e && e.SVG_INVALID_VALUE_ERR == 1) ? "PASS" : "FAIL";
+ </script>
+ </body>
+</html>
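Review bot: The pass condition on the `document.body.innerHTML` line compares the constant `e.SVG_INVALID_VALUE_ERR` to 1 instead of checking the code carried by the caught exception, so it is satisfied by any thrown object that exposes that constant, whatever error it reports. Comparing `e.code == e.SVG_INVALID_VALUE_ERR` would pin the test to the intended failure. The file name and the ChangeLog entry mention integer or percentage values, but the only input is `"rgb(00000000000000000000"`; a second, percentage-valued unterminated input would cover the other case.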
Modified: branches/safari-534-branch/Source/WebCore/ChangeLog (87222 => 87223)
--- branches/safari-534-branch/Source/WebCore/ChangeLog 2011-05-24 22:53:42 UTC (rev 87222)
+++ branches/safari-534-branch/Source/WebCore/ChangeLog 2011-05-24 22:58:41 UTC (rev 87223)
@@ -1,5 +1,22 @@
2011-05-24 Lucas Forschler <[email protected]>
+ Merged r87083.
+
+ 2011-05-23 Abhishek Arya <[email protected]>
+
+ Reviewed by Simon Fraser.
+
+ Terminate css color parsing on integers which are not followed
+ by a terminator.
+ https://bugs.webkit.org/show_bug.cgi?id=61293
+
+ Test: fast/css/parse-color-int-or-percent-crash.html
+
+ * css/CSSParser.cpp:
+ (WebCore::parseColorIntOrPercentage):
+
+2011-05-24 Lucas Forschler <[email protected]>
+
Merged r87026.
2011-05-21 Dan Bernstein <[email protected]>
Modified: branches/safari-534-branch/Source/WebCore/css/CSSParser.cpp (87222 => 87223)
--- branches/safari-534-branch/Source/WebCore/css/CSSParser.cpp 2011-05-24 22:53:42 UTC (rev 87222)
+++ branches/safari-534-branch/Source/WebCore/css/CSSParser.cpp 2011-05-24 22:58:41 UTC (rev 87223)
@@ -4159,6 +4159,9 @@
localValue = newValue;
}
+ if (current == end)
+ return false;
+
if (expect == CSSPrimitiveValue::CSS_NUMBER && (*current == '.' || *current == '%'))
return false;
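Review bot: The new `if (current == end)` return carries no comment, and its purpose is only clear from the `*current == '.'` test that follows it: without the check, that dereference reads at `end` when the input stops right after the number. A one-line comment saying so would keep the guard from being dropped as redundant later. It is also worth confirming that any dereference of `current` further down the function, after it is advanced again, is bounded the same way; that is not visible in this hunk.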