Title: [124723] trunk
Revision
124723
Author
[email protected]
Date
2012-08-05 18:22:40 -0700 (Sun, 05 Aug 2012)

Log Message

Fix null pointer dereference when CSSParser::sinkFloatingValueList() returns null and is passed to storeVariableDeclaration().
https://bugs.webkit.org/show_bug.cgi?id=92461

Reviewed by Eric Seidel.

Source/WebCore:

Invalid variable lists could cause CSSGrammar.y to pass null as value to storeVariableDeclaration, so we now check for null.

Test: fast/css/variables/invalid-value-list-crash.html

* css/CSSParser.cpp:
(WebCore::CSSParser::storeVariableDeclaration):

LayoutTests:

Test case that causes CSSParser::storeVariableDeclaration to be passed a null value.

* fast/css/variables/invalid-value-list-crash-expected.txt: Added.
* fast/css/variables/invalid-value-list-crash.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/css/CSSParser.cpp

Added Paths

trunk/LayoutTests/fast/css/variables/invalid-value-list-crash-expected.txt
trunk/LayoutTests/fast/css/variables/invalid-value-list-crash.html
Diff

Modified: trunk/LayoutTests/ChangeLog (124722 => 124723)


--- trunk/LayoutTests/ChangeLog	2012-08-06 01:19:58 UTC (rev 124722)
+++ trunk/LayoutTests/ChangeLog	2012-08-06 01:22:40 UTC (rev 124723)
@@ -1,3 +1,15 @@
+2012-08-05  Luke Macpherson   <[email protected]>
+
+        Fix null pointer dereference when CSSParser::sinkFloatingValueList() returns null and is passed to storeVariableDeclaration().
+        https://bugs.webkit.org/show_bug.cgi?id=92461
+
+        Reviewed by Eric Seidel.
+
+        Test case that causes CSSParser::storeVariableDeclaration to be passed a null value.
+
+        * fast/css/variables/invalid-value-list-crash-expected.txt: Added.
+        * fast/css/variables/invalid-value-list-crash.html: Added.
+
 2012-08-05  Kent Tamura  <[email protected]>
 
         [Chromium] Updte text expectation.

Added: trunk/LayoutTests/fast/css/variables/invalid-value-list-crash-expected.txt (0 => 124723)


--- trunk/LayoutTests/fast/css/variables/invalid-value-list-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/css/variables/invalid-value-list-crash-expected.txt	2012-08-06 01:22:40 UTC (rev 124723)
@@ -0,0 +1 @@
+This test is successful if it does not crash.

Added: trunk/LayoutTests/fast/css/variables/invalid-value-list-crash.html (0 => 124723)


--- trunk/LayoutTests/fast/css/variables/invalid-value-list-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/css/variables/invalid-value-list-crash.html	2012-08-06 01:22:40 UTC (rev 124723)
@@ -0,0 +1,11 @@
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+internals.settings.setCSSVariablesEnabled(true);
+</script>
+<style>
+div {
+-webkit-var-a: -webkit-var(b) &#0;
+}
+</style>
+This test is successful if it does not crash.
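Review bot: the `internals.settings.setCSSVariablesEnabled(true)` call is unguarded while the `testRunner` call above it is wrapped in `if (window.testRunner)`; `internals` only exists under the test harness, so loading this page in a plain browser throws a ReferenceError and variables stay disabled, meaning the crash path is not exercised outside DRT. Suggest `if (window.internals) internals.settings.setCSSVariablesEnabled(true);` so the test degrades the same way as its `testRunner` guard. It would also help to add a one-line comment above the `-webkit-var-a: -webkit-var(b) &#0;` declaration stating that the NUL character is what makes the value list invalid and triggers the null value passed to `storeVariableDeclaration`.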

Modified: trunk/Source/WebCore/ChangeLog (124722 => 124723)


--- trunk/Source/WebCore/ChangeLog	2012-08-06 01:19:58 UTC (rev 124722)
+++ trunk/Source/WebCore/ChangeLog	2012-08-06 01:22:40 UTC (rev 124723)
@@ -1,3 +1,17 @@
+2012-08-05  Luke Macpherson   <[email protected]>
+
+        Fix null pointer dereference when CSSParser::sinkFloatingValueList() returns null and is passed to storeVariableDeclaration().
+        https://bugs.webkit.org/show_bug.cgi?id=92461
+
+        Reviewed by Eric Seidel.
+
+        Invalid variable lists could cause CSSGrammar.y to pass null as value to storeVariableDeclaration, so we now check for null.
+
+        Test: fast/css/variables/invalid-value-list-crash.html
+
+        * css/CSSParser.cpp:
+        (WebCore::CSSParser::storeVariableDeclaration):
+
 2012-08-03  Kent Tamura  <[email protected]>
 
         [Chromium-win] Use the default locale only if the browser locale matches to it

Modified: trunk/Source/WebCore/css/CSSParser.cpp (124722 => 124723)


--- trunk/Source/WebCore/css/CSSParser.cpp	2012-08-06 01:19:58 UTC (rev 124722)
+++ trunk/Source/WebCore/css/CSSParser.cpp	2012-08-06 01:22:40 UTC (rev 124723)
@@ -3025,6 +3025,10 @@
 
 void CSSParser::storeVariableDeclaration(const CSSParserString& name, PassOwnPtr<CSSParserValueList> value, bool important)
 {
+    // When CSSGrammar.y encounters an invalid declaration it passes null for the CSSParserValueList, just bail.
+    if (!value)
+        return;
+    
     ASSERT(name.length > 12);
     AtomicString variableName = String(name.characters + 12, name.length - 12);
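Review bot: the early return is the right minimal fix, since an invalid declaration should be dropped rather than stored, and checking in the callee is more robust than patching every call site in CSSGrammar.y; the `ASSERT(name.length > 12)` that follows is now only reached with a non-null `value`, which is the intended order. Two style points: the blank line after `return;` carries trailing whitespace, which the style checker will flag, and the comment would read better as two sentences, e.g. `// CSSGrammar.y passes a null CSSParserValueList for an invalid declaration. Ignore it.`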
 
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
