Title: [272227] trunk
Revision: 272227
Author: [email protected]
Date: 2021-02-02 12:18:01 -0800 (Tue, 02 Feb 2021)

Log Message

Assertion failure when calling matchMedia('a'.repeat(2 ** 30)) in JS
https://bugs.webkit.org/show_bug.cgi?id=221272
<rdar://66323284>

Reviewed by Simon Fraser.

Source/WebCore:

Update code to properly deal with parsing failing due to the query string being too
large.

Test: fast/css/window-watch-media-large-query.html

* css/MediaList.cpp:
(WebCore::MediaQuerySet::create):
* css/parser/MediaQueryParser.cpp:
(WebCore::MediaQueryParser::parseMediaQuerySet):

LayoutTests:

Add layout test coverage.

* fast/css/window-watch-media-large-query-expected.txt: Added.
* fast/css/window-watch-media-large-query.html: Added.
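The pattern the change adopts, shown as an added illustration that is not WebKit code: a tokenizer whose constructor could not fail on oversized input is replaced by a `tryCreate()` factory that returns nothing, the parser propagates that as a null result instead of asserting, and the caller (the counterpart of `MediaQuerySet::create`) chooses the fallback. The names, the whitespace tokenizer and the `kMaxTokenizableLength` limit are assumptions; the page does not state the real engine's limit.

```cpp
// Added example, not WebKit's code. Demonstrates turning an asserting
// constructor into a fallible factory and handling the failure at the caller.
#include <cstddef>
#include <memory>
#include <optional>
#include <string>
#include <string_view>
#include <utility>
#include <vector>

// Assumed ceiling on the text a tokenizer will accept (the real limit is
// not on the page). Anything longer is refused rather than asserted on.
constexpr size_t kMaxTokenizableLength = 1u << 20;

struct Token { std::string text; };

class Tokenizer {
public:
    // Fallible factory: returns nullopt instead of building an object that
    // would trip an assertion further down.
    static std::optional<Tokenizer> tryCreate(std::string_view input) {
        if (input.size() > kMaxTokenizableLength)
            return std::nullopt;
        return Tokenizer(input);
    }
    const std::vector<Token>& tokens() const { return m_tokens; }

private:
    explicit Tokenizer(std::string_view input) {
        // Whitespace-separated words stand in for CSS tokens (assumption).
        size_t start = 0;
        while (start < input.size()) {
            size_t end = input.find(' ', start);
            if (end == std::string_view::npos)
                end = input.size();
            if (end > start)
                m_tokens.push_back({std::string(input.substr(start, end - start))});
            start = end + 1;
        }
    }
    std::vector<Token> m_tokens;
};

struct MediaQuerySet {
    std::vector<std::string> queries;
    bool isEmpty() const { return queries.empty(); }
};

// Counterpart of parseMediaQuerySet(const String&): a null result now means
// "could not tokenize", and is part of the function's contract.
std::unique_ptr<MediaQuerySet> parseMediaQuerySet(std::string_view queryString) {
    auto tokenizer = Tokenizer::tryCreate(queryString);
    if (!tokenizer)
        return nullptr;
    auto set = std::make_unique<MediaQuerySet>();
    for (const auto& token : tokenizer->tokens())
        set->queries.push_back(token.text);
    return set;
}

// Counterpart of MediaQuerySet::create: the caller checks for null before
// unwrapping, so an oversized query degrades to an empty set instead of
// dereferencing a null pointer.
MediaQuerySet createMediaQuerySet(std::string_view mediaString) {
    if (mediaString.empty())
        return MediaQuerySet{};
    auto parsed = parseMediaQuerySet(mediaString);
    if (!parsed)
        return MediaQuerySet{};
    return std::move(*parsed);
}
```

The important property is that the failure is decided once, at the lowest layer that knows the limit, and every layer above it handles the null rather than calling the equivalent of `releaseNonNull()` unconditionally.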

Diff

Modified: trunk/LayoutTests/ChangeLog (272226 => 272227)


--- trunk/LayoutTests/ChangeLog	2021-02-02 20:13:54 UTC (rev 272226)
+++ trunk/LayoutTests/ChangeLog	2021-02-02 20:18:01 UTC (rev 272227)
@@ -1,3 +1,16 @@
+2021-02-02  Chris Dumez  <[email protected]>
+
+        Assertion failure when calling matchMedia('a'.repeat(2 ** 30)) in JS
+        https://bugs.webkit.org/show_bug.cgi?id=221272
+        <rdar://66323284>
+
+        Reviewed by Simon Fraser.
+
+        Add layout test coverage.
+
+        * fast/css/window-watch-media-large-query-expected.txt: Added.
+        * fast/css/window-watch-media-large-query.html: Added.
+
 2021-02-02  Amir Mark Jr  <[email protected]>
 
         [BigSur wk1] imported/w3c/web-platform-tests/media-source/mediasource-addsourcebuffer.html is consistently failing

Added: trunk/LayoutTests/fast/css/window-watch-media-large-query-expected.txt (0 => 272227)


--- trunk/LayoutTests/fast/css/window-watch-media-large-query-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/css/window-watch-media-large-query-expected.txt	2021-02-02 20:18:01 UTC (rev 272227)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: matchMedia returned: [object MediaQueryList]
+This test passes if it does not crash
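Review bot: the expected output pins the non-throwing branch (`matchMedia returned: [object MediaQueryList]`) although the test's stated pass condition in the `<p>` is only "does not crash"; if returning a MediaQueryList for an over-long query is the intended behaviour, saying so in the test text would make a future change that makes matchMedia throw easier to evaluate when this expectation breaks.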

Added: trunk/LayoutTests/fast/css/window-watch-media-large-query.html (0 => 272227)


--- trunk/LayoutTests/fast/css/window-watch-media-large-query.html	                        (rev 0)
+++ trunk/LayoutTests/fast/css/window-watch-media-large-query.html	2021-02-02 20:18:01 UTC (rev 272227)
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This test passes if it does not crash</p>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+let query = null;
+try {
+  query = 'a'.repeat(2 ** 30);
+} catch (e) {
+  query = 'a';
+  for (let i = 0; i < 2 ** 30; i++)
+    query += 'a';
+}
+try {
+    let result = window.matchMedia(query);
+    console.log("matchMedia returned: " + result);
+} catch (e) {
+    console.log("matchMedia threw: " + e);
+}
+</script>
+</body>
+</html>
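Review bot: the fallback in the `catch` block (building the string with `query += 'a'` in a 2 ** 30 iteration loop) is unlikely to help: if `'a'.repeat(2 ** 30)` threw because the result is too long, concatenating to the same length presumably fails as well, and that exception is outside any `try`, so it would abort the test instead of reaching `matchMedia`. Either drop the loop or guard it the same way. Also, the first `try`/`catch` uses 2-space indentation while the rest of the script uses 4 spaces.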

Modified: trunk/Source/WebCore/ChangeLog (272226 => 272227)


--- trunk/Source/WebCore/ChangeLog	2021-02-02 20:13:54 UTC (rev 272226)
+++ trunk/Source/WebCore/ChangeLog	2021-02-02 20:18:01 UTC (rev 272227)
@@ -1,3 +1,21 @@
+2021-02-02  Chris Dumez  <[email protected]>
+
+        Assertion failure when calling matchMedia('a'.repeat(2 ** 30)) in JS
+        https://bugs.webkit.org/show_bug.cgi?id=221272
+        <rdar://66323284>
+
+        Reviewed by Simon Fraser.
+
+        Update code to properly deal with parsing failing due to the query string being too
+        large.
+
+        Test: fast/css/window-watch-media-large-query.html
+
+        * css/MediaList.cpp:
+        (WebCore::MediaQuerySet::create):
+        * css/parser/MediaQueryParser.cpp:
+        (WebCore::MediaQueryParser::parseMediaQuerySet):
+
 2021-02-02  Sam Weinig  <[email protected]>
 
         Fix long standing FIXME in parseNumericColor about not doubly clamping color components

Modified: trunk/Source/WebCore/css/MediaList.cpp (272226 => 272227)


--- trunk/Source/WebCore/css/MediaList.cpp	2021-02-02 20:13:54 UTC (rev 272226)
+++ trunk/Source/WebCore/css/MediaList.cpp	2021-02-02 20:18:01 UTC (rev 272227)
@@ -65,8 +65,12 @@
 {
     if (mediaString.isEmpty())
         return MediaQuerySet::create();
+
+    auto parsedMediaQuerySet = MediaQueryParser::parseMediaQuerySet(mediaString, context);
+    if (UNLIKELY(!parsedMediaQuerySet))
+        return MediaQuerySet::create();
     
-    return MediaQueryParser::parseMediaQuerySet(mediaString, context).releaseNonNull();
+    return parsedMediaQuerySet.releaseNonNull();
 }
 
 MediaQuerySet::MediaQuerySet() = default;
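Review bot: a parse failure now produces the same result as an empty `mediaString` (an empty MediaQuerySet), and nothing at this call site says why that is acceptable; a one-line comment on the `UNLIKELY(!parsedMediaQuerySet)` branch noting that `parseMediaQuerySet` returns null when the tokenizer cannot be created for an over-long string would keep the next reader from treating the silent fallback as a bug.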

Modified: trunk/Source/WebCore/css/parser/MediaQueryParser.cpp (272226 => 272227)


--- trunk/Source/WebCore/css/parser/MediaQueryParser.cpp	2021-02-02 20:13:54 UTC (rev 272226)
+++ trunk/Source/WebCore/css/parser/MediaQueryParser.cpp	2021-02-02 20:18:01 UTC (rev 272227)
@@ -39,7 +39,10 @@
 
 RefPtr<MediaQuerySet> MediaQueryParser::parseMediaQuerySet(const String& queryString, MediaQueryParserContext context)
 {
-    return parseMediaQuerySet(CSSTokenizer(queryString).tokenRange(), context);
+    auto tokenizer = CSSTokenizer::tryCreate(queryString);
+    if (UNLIKELY(!tokenizer))
+        return nullptr;
+    return parseMediaQuerySet(tokenizer->tokenRange(), context);
 }
 
 RefPtr<MediaQuerySet> MediaQueryParser::parseMediaQuerySet(CSSParserTokenRange range, MediaQueryParserContext context)
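Review bot: this overload can now return `nullptr` where it previously always yielded a non-null `RefPtr` (the old caller did `.releaseNonNull()` on it unconditionally), which is a contract change for every caller, not just `MediaQuerySet::create`; the declaration in the header should document that null means the query string could not be tokenized, and any other caller that unwraps the result with `releaseNonNull()` needs the same null check added in MediaList.cpp.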
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes