Title: [283562] trunk
Revision
283562
Author
[email protected]
Date
2021-10-05 11:26:52 -0700 (Tue, 05 Oct 2021)

Log Message

Unsupported blending of mixed length types leads to nullptr deref when accessing m_value.calc in CSSPrimitiveValue::primitiveType()
https://bugs.webkit.org/show_bug.cgi?id=230929

Patch by Gabriel Nava Marino <[email protected]> on 2021-10-05
Source/WebCore:

Reviewed by Darin Adler.

Test: fast/layoutformattingcontext/fit-content-min-height-animation.html

* css/CSSPrimitiveValue.cpp:
(WebCore::CSSPrimitiveValue::init):
* platform/Length.cpp:
(WebCore::blendMixedTypes):

LayoutTests:

Reviewed by Darin Adler.

* fast/layoutformattingcontext/fit-content-min-height-animation-expected.txt: Added.
* fast/layoutformattingcontext/fit-content-min-height-animation.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (283561 => 283562)


--- trunk/LayoutTests/ChangeLog	2021-10-05 18:19:17 UTC (rev 283561)
+++ trunk/LayoutTests/ChangeLog	2021-10-05 18:26:52 UTC (rev 283562)
@@ -1,3 +1,13 @@
+2021-10-05  Gabriel Nava Marino  <[email protected]>
+
+        Unsupported blending of mixed length types leads to nullptr deref when accessing m_value.calc in CSSPrimitiveValue::primitiveType()
+        https://bugs.webkit.org/show_bug.cgi?id=230929
+
+        Reviewed by Reviewed by Darin Adler.
+
+        * fast/layoutformattingcontext/fit-content-min-height-animation-expected.txt: Added.
+        * fast/layoutformattingcontext/fit-content-min-height-animation.html: Added.
+
 2021-10-05  Nikos Mouchtaris  <[email protected]>
 
         radial-gradient does not accept calc values that combine length and percent
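Review bot: The ChangeLog entry line "+        Reviewed by Reviewed by Darin Adler." duplicates "Reviewed by"; it should read "Reviewed by Darin Adler." to match the Source/WebCore entry for the same revision.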

Added: trunk/LayoutTests/fast/layoutformattingcontext/fit-content-min-height-animation-expected.txt (0 => 283562)


--- trunk/LayoutTests/fast/layoutformattingcontext/fit-content-min-height-animation-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/layoutformattingcontext/fit-content-min-height-animation-expected.txt	2021-10-05 18:26:52 UTC (rev 283562)
@@ -0,0 +1 @@
+PASS

Added: trunk/LayoutTests/fast/layoutformattingcontext/fit-content-min-height-animation.html (0 => 283562)


--- trunk/LayoutTests/fast/layoutformattingcontext/fit-content-min-height-animation.html	                        (rev 0)
+++ trunk/LayoutTests/fast/layoutformattingcontext/fit-content-min-height-animation.html	2021-10-05 18:26:52 UTC (rev 283562)
@@ -0,0 +1,25 @@
+<style>
+  @keyframes a0 {
+    from {
+      min-height: fit-content;
+    }
+  }
+  div {
+    animation-fill-mode: forwards;
+    animation-name: a0;
+    display: table;
+    min-height: calc(1px + 1%);
+  }
+</style>
+<script>
+  _onload_ = () => {
+    document.execCommand('SelectAll');
+    document.execCommand('Copy');
+    if (window.testRunner) {
+        testRunner.dumpAsText();
+    }
+  };
+</script>
+<div>
+PASS
+</div>
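Review bot: The handler is assigned to `_onload_` rather than `onload`, so as written it creates an unrelated global and the `SelectAll`/`Copy` commands that drive the animated `min-height` code path never run; the test would then print PASS without exercising the fix. Use `onload = () => { ... }` (or `window.onload`), and consider calling `testRunner.dumpAsText()` at the top of the script rather than inside the handler so the text dump mode is set even if the commands throw.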

Modified: trunk/Source/WebCore/ChangeLog (283561 => 283562)


--- trunk/Source/WebCore/ChangeLog	2021-10-05 18:19:17 UTC (rev 283561)
+++ trunk/Source/WebCore/ChangeLog	2021-10-05 18:26:52 UTC (rev 283562)
@@ -1,3 +1,17 @@
+2021-10-05  Gabriel Nava Marino  <[email protected]>
+
+        Unsupported blending of mixed length types leads to nullptr deref when accessing m_value.calc in CSSPrimitiveValue::primitiveType()
+        https://bugs.webkit.org/show_bug.cgi?id=230929
+
+        Reviewed by Darin Adler.
+
+        Test: fast/layoutformattingcontext/fit-content-min-height-animation.html
+
+        * css/CSSPrimitiveValue.cpp:
+        (WebCore::CSSPrimitiveValue::init):
+        * platform/Length.cpp:
+        (WebCore::blendMixedTypes):
+
 2021-10-05  Nikos Mouchtaris  <[email protected]>
 
         radial-gradient does not accept calc values that combine length and percent
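Review bot: The WebCore ChangeLog entry lists the touched functions but gives no description of the change, while the bug title promises a null deref fix; a short note under `(WebCore::blendMixedTypes)` stating that blending of intrinsic/auto/relative lengths is unsupported and now returns a fixed zero length, and under `(WebCore::CSSPrimitiveValue::init)` that a null calc value is now rejected, would let readers understand the fix without opening the diff.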

Modified: trunk/Source/WebCore/css/CSSPrimitiveValue.cpp (283561 => 283562)


--- trunk/Source/WebCore/css/CSSPrimitiveValue.cpp	2021-10-05 18:19:17 UTC (rev 283561)
+++ trunk/Source/WebCore/css/CSSPrimitiveValue.cpp	2021-10-05 18:26:52 UTC (rev 283562)
@@ -431,6 +431,9 @@
 
 void CSSPrimitiveValue::init(RefPtr<CSSCalcValue>&& c)
 {
+    // FIXME (231111): This init should take Ref<CSSCalcValue> instead.
+    if (!c)
+        return;
     setPrimitiveUnitType(CSSUnitType::CSS_CALC);
     m_hasCachedCSSText = false;
     m_value.calc = c.leakRef();
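Review bot: The early `return` on a null `c` leaves the CSSPrimitiveValue in whatever state its constructor established rather than as a CSS_CALC value, so a caller that passed a null calc value now gets a silently different primitive type instead of a crash. That may be the intended stopgap, but the FIXME (231111) already names the real fix, taking `Ref<CSSCalcValue>` so null is unrepresentable; until then an `ASSERT(c)` alongside the early return would surface the callers that still hand in null in debug builds.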

Modified: trunk/Source/WebCore/platform/Length.cpp (283561 => 283562)


--- trunk/Source/WebCore/platform/Length.cpp	2021-10-05 18:19:17 UTC (rev 283561)
+++ trunk/Source/WebCore/platform/Length.cpp	2021-10-05 18:26:52 UTC (rev 283562)
@@ -302,6 +302,9 @@
     if (!from.isCalculated() && !to.isPercent() && (!context.progress || to.isZero()))
         return blend(from, Length(0, from.type()), context);
 
+    if (from.isIntrinsicOrAuto() || to.isIntrinsicOrAuto() || from.isRelative() || to.isRelative())
+        return { 0, LengthType::Fixed };
+
     auto blend = makeUnique<CalcExpressionBlendLength>(from, to, context.progress);
     return Length(CalculationValue::create(WTFMove(blend), ValueRange::All));
 }
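Review bot: The new check returns `{ 0, LengthType::Fixed }` whenever either endpoint is intrinsic/auto or relative, but nothing in the hunk explains why a fixed zero length is the right fallback; a comment saying that blending these types is unsupported and that the zero-length result deliberately avoids constructing a `CalcExpressionBlendLength` over a non-length (the cause of the null calc value in `CSSPrimitiveValue::init`) would make the intent clear. Note also that the new check sits after the `!from.isCalculated() && !to.isPercent()` shortcut above it, so that earlier path still runs first for qualifying inputs; if that ordering is intentional, say so in the comment.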
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
