Title: [258625] trunk
Revision: 258625
Author: [email protected]
Date: 2020-03-17 22:47:14 -0700 (Tue, 17 Mar 2020)

Log Message

Crash in CSSPrimitiveValue::cleanup
https://bugs.webkit.org/show_bug.cgi?id=208316

Patch by Pinki Gyanchandani <[email protected]> on 2020-03-17
Reviewed by Ryosuke Niwa.

Source/WebCore:

Added a NULL check before calling deref() for CSSUnitType::CSS_CALC.

During initialization of CSSCalcValue, createCSS returns nullptr when processing min() operator
and there is a category mismatch between length and percent for min() operator
as seen in this newly added test case.

Test: editing/execCommand/primitive-value-cleanup-minimal.html

* css/CSSPrimitiveValue.cpp:
(WebCore::CSSPrimitiveValue::cleanup):

LayoutTests:

Added modified version of testcase attached in 208316. Minimized version provided by Ryosuke Niwa.

* editing/execCommand/primitive-value-cleanup-minimal-expected.txt: Added.
* editing/execCommand/primitive-value-cleanup-minimal.html: Added.
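A cut-down model of the failure path the log message describes, added here as an example and not WebKit code: a min() factory that returns nullptr on a length/percent category mismatch, a value type that stores that pointer in a union, and the cleanup guard this revision adds. CalcValue, createMin and PrimitiveValue are hypothetical stand-ins for CSSCalcValue, createCSS and CSSPrimitiveValue.

```cpp
#include <vector>

enum class Category { Length, Percent };

// Model of CSSCalcValue: a refcounted payload (simplified, hypothetical).
struct CalcValue {
    int refCount = 1;
    void deref() { if (--refCount == 0) delete this; }
};

// Model of createCSS() for min(): on a length/percent mismatch it returns nullptr.
CalcValue* createMin(const std::vector<Category>& args)
{
    if (args.empty())
        return nullptr;
    for (Category c : args)
        if (c != args.front())
            return nullptr;
    return new CalcValue;
}

// Model of CSSPrimitiveValue: the calc pointer lives in a union and is
// stored straight from the factory, so it may be null.
struct PrimitiveValue {
    enum class UnitType { Number, Calc } unit;
    union { double number; CalcValue* calc; } value;
    explicit PrimitiveValue(const std::vector<Category>& minArgs)
        : unit(UnitType::Calc) { value.calc = createMin(minArgs); }
    PrimitiveValue(const PrimitiveValue&) = delete;
    ~PrimitiveValue() { cleanup(); }
    void cleanup()
    {
        if (unit == UnitType::Calc && value.calc) // guard added in r258625
            value.calc->deref();
        unit = UnitType::Number; // never deref twice
    }
};

// True when a mismatched min() leaves a null calc that cleanup() survives.
bool mismatchedMinIsNullAndSafe()
{
    PrimitiveValue v({ Category::Length, Category::Percent });
    bool wasNull = !v.value.calc;
    v.cleanup();
    return wasNull;
}
bool matchedMinIsValid()
{
    PrimitiveValue v({ Category::Percent, Category::Percent });
    return v.value.calc != nullptr;
}
```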

Diff

Modified: trunk/LayoutTests/ChangeLog (258624 => 258625)


--- trunk/LayoutTests/ChangeLog	2020-03-18 04:45:56 UTC (rev 258624)
+++ trunk/LayoutTests/ChangeLog	2020-03-18 05:47:14 UTC (rev 258625)
@@ -1,3 +1,15 @@
+2020-03-17  Pinki Gyanchandani  <[email protected]>
+
+        Crash in CSSPrimitiveValue::cleanup
+        https://bugs.webkit.org/show_bug.cgi?id=208316
+
+        Reviewed by Ryosuke Niwa.
+
+        Added modified version of testcase attached in 208316. Minimized version provided by Ryosuke Niwa.
+
+        * editing/execCommand/primitive-value-cleanup-minimal-expected.txt: Added.
+        * editing/execCommand/primitive-value-cleanup-minimal.html: Added.
+
 2020-03-17  Lauro Moura  <[email protected]>
 
         [WPE] Gardening

Added: trunk/LayoutTests/editing/execCommand/primitive-value-cleanup-minimal-expected.txt (0 => 258625)


--- trunk/LayoutTests/editing/execCommand/primitive-value-cleanup-minimal-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/editing/execCommand/primitive-value-cleanup-minimal-expected.txt	2020-03-18 05:47:14 UTC (rev 258625)
@@ -0,0 +1,2 @@
+This test checks passes if there if no crash observed.
+
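Review bot: the expected text "This test checks passes if there if no crash observed." is ungrammatical; since dumpAsText output must match this file byte for byte, change it together with the identical string in primitive-value-cleanup-minimal.html, for example to "This test passes if no crash is observed."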

Added: trunk/LayoutTests/editing/execCommand/primitive-value-cleanup-minimal.html (0 => 258625)


--- trunk/LayoutTests/editing/execCommand/primitive-value-cleanup-minimal.html	                        (rev 0)
+++ trunk/LayoutTests/editing/execCommand/primitive-value-cleanup-minimal.html	2020-03-18 05:47:14 UTC (rev 258625)
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<script type="text/_javascript_">
+
+function primitiveValCleanUp() {
+    if (window.testRunner)
+        testRunner.dumpAsText();
+ 
+    document.execCommand("SelectAll");
+    document.documentElement.contentEditable = true;
+    document.execCommand('InsertOrderedList');
+    document.execCommand("InsertHTML",false,"This test checks passes if there if no crash observed.");
+};
+</script>
+
+<body _onload_=primitiveValCleanUp()>
+<style type="text/css">
+*{padding-top:min(0863.7rem,42.2%,7652926cm,774%);}
+</style>
+<missing-glyph>
+</body>
+</script>
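Review bot: the final `</script>` at the end of the file closes nothing, because the script element was already closed before `<body>`; it should be `</html>` to match the opening `<html>`. The string passed to InsertHTML is also garbled ("checks passes if there if no crash") and is duplicated in the -expected.txt file, so fix both together. As shown here the attributes read `type="text/_javascript_"` and `_onload_`, which is not valid HTML; assuming that is the list archive's mangling, the committed file should read `text/javascript` and `onload`.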

Modified: trunk/Source/WebCore/ChangeLog (258624 => 258625)


--- trunk/Source/WebCore/ChangeLog	2020-03-18 04:45:56 UTC (rev 258624)
+++ trunk/Source/WebCore/ChangeLog	2020-03-18 05:47:14 UTC (rev 258625)
@@ -1,3 +1,21 @@
+2020-03-17  Pinki Gyanchandani  <[email protected]>
+
+        Crash in CSSPrimitiveValue::cleanup
+        https://bugs.webkit.org/show_bug.cgi?id=208316
+
+        Reviewed by Ryosuke Niwa.
+
+        Added a NULL check before calling deref() for CSSUnitType :: CSS_CALC.
+
+        During initialization of CSSCalcValue, createCSS returns nullptr when processing min() operator
+        and there is a category mismatch between length and percent for min() operator
+        as seen in this newly added test case.
+
+        Test: editing/execCommand/primitive-value-cleanup-minimal.html
+
+        * css/CSSPrimitiveValue.cpp:
+        (WebCore::CSSPrimitiveValue::cleanup):
+
 2020-03-17  Fujii Hironori  <[email protected]>
 
         SerializedScriptValue::decode should check bufferIsLargeEnoughToContain before allocating a buffer
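Review bot: `CSSUnitType :: CSS_CALC` in the ChangeLog entry should read `CSSUnitType::CSS_CALC`, with no spaces around the scope operator, matching the identifier as it appears in the code change.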

Modified: trunk/Source/WebCore/css/CSSPrimitiveValue.cpp (258624 => 258625)


--- trunk/Source/WebCore/css/CSSPrimitiveValue.cpp	2020-03-18 04:45:56 UTC (rev 258624)
+++ trunk/Source/WebCore/css/CSSPrimitiveValue.cpp	2020-03-18 05:47:14 UTC (rev 258625)
@@ -452,7 +452,8 @@
         m_value.pair->deref();
         break;
     case CSSUnitType::CSS_CALC:
-        m_value.calc->deref();
+        if (m_value.calc)
+            m_value.calc->deref();
         break;
     case CSSUnitType::CSS_CALC_PERCENTAGE_WITH_NUMBER:
     case CSSUnitType::CSS_CALC_PERCENTAGE_WITH_LENGTH:
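Review bot: the guard makes cleanup() tolerate a null m_value.calc, but per the ChangeLog the null originates when createCSS returns nullptr during construction, so a CSSPrimitiveValue with CSSUnitType::CSS_CALC and no calc value now exists until it is destroyed, and any other member that reads m_value.calc for the CSS_CALC case remains unguarded. Consider also rejecting the value where createCSS returns nullptr so that a primitive value is never built around a null pointer, or state in the ChangeLog why cleanup() is the only reachable path.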
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes