Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 4297065d4e78029ce0a054923693c2fced491cd5
      
https://github.com/WebKit/WebKit/commit/4297065d4e78029ce0a054923693c2fced491cd5
  Author: Kiet Ho <[email protected]>
  Date:   2024-07-29 (Mon, 29 Jul 2024)

  Changed paths:
    A LayoutTests/fast/canvas/canvas-filter-font-relative-unit-expected.txt
    A LayoutTests/fast/canvas/canvas-filter-font-relative-unit.html
    M Source/WebCore/css/parser/CSSPropertyParserWorkerSafe.cpp

  Log Message:
  -----------
  Crash in RenderStyle::fontCascade
rdar://132430589
https://bugs.webkit.org/show_bug.cgi?id=277029

Reviewed by Said Abou-Hallawa.

278000@main introduced support for CanvasRenderingContext2D.filter. The filter string
is parsed by CSSPropertyParserWorkerSafe::parseFilterString, which calls
Style::createFilterOperations to build a filter object from the filter
string. Style::createFilterOperations takes a CSSToLengthConversionData to help
convert CSS lengths in the filter string. If the length is a relative length,
e.g. "drop-shadow(10em)", CSSToLengthConversionData consults the element style to
figure out the length of an em. However, we didn't pass the current element style
to CSSToLengthConversionData, hence the style pointer it holds is null, and
trying to resolve a relative length crashes with a null pointer dereference.

Test: LayoutTests/fast/canvas/canvas-filter-font-relative-unit.html

* LayoutTests/fast/canvas/canvas-filter-font-relative-unit-expected.txt: Added.
* LayoutTests/fast/canvas/canvas-filter-font-relative-unit.html: Added.
* Source/WebCore/css/parser/CSSPropertyParserWorkerSafe.cpp:
(WebCore::CSSPropertyParserWorkerSafe::parseFilterString): Pass the current element style
to CSSToLengthConversionData.

Canonical link: https://commits.webkit.org/281546@main
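
A simplified model of the failure class described in the log message, added here as an illustration and not taken from WebKit: a length-conversion context that holds a nullable style pointer, a caller that omits the style, and a caller that passes it. All names (`Style`, `ConversionData`, `resolveLengthPx`, `parseWithoutStyle`, `parseWithStyle`) and the sample tokens are hypothetical, and the null check inside the resolver is an extra defensive measure that the commit message does not describe.

```cpp
#include <cstdlib>
#include <string>

// Hypothetical stand-ins for the element style and the conversion context.
struct Style { double fontSizePx; };

struct ConversionData {
    const Style* style; // null when the caller supplies no element style
};

// Resolves a constructed "<number><unit>" token such as "10em" or "4px".
// Returns false when the token cannot be resolved. Relative units need the
// style, so a missing style is reported instead of being dereferenced.
bool resolveLengthPx(const std::string& token, const ConversionData& data, double& outPx)
{
    char* end = nullptr;
    double value = std::strtod(token.c_str(), &end);
    if (end == token.c_str())
        return false; // no numeric part
    std::string unit(end);
    if (unit == "px") {
        outPx = value; // absolute length: style is never consulted
        return true;
    }
    if (unit == "em") {
        if (!data.style)
            return false; // the state that led to the null dereference
        outPx = value * data.style->fontSizePx;
        return true;
    }
    return false; // unit outside this model
}

// Modelled caller before the fix: builds the context without a style.
bool parseWithoutStyle(const std::string& token, double& outPx)
{
    return resolveLengthPx(token, ConversionData { nullptr }, outPx);
}

// Modelled caller after the fix: passes the current element style through.
bool parseWithStyle(const std::string& token, const Style& style, double& outPx)
{
    return resolveLengthPx(token, ConversionData { &style }, outPx);
}
```

Absolute lengths succeed on both paths, which is why this kind of bug only surfaces once an input uses a font-relative unit.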
