Title: [126681] trunk
Revision: 126681
Author: [email protected]
Date: 2012-08-25 02:23:44 -0700 (Sat, 25 Aug 2012)

Log Message

[Crash] Null pointer in CSSParser::parseMixFunction()
https://bugs.webkit.org/show_bug.cgi?id=94998

Reviewed by Benjamin Poulain.

Source/WebCore:

parseMixFunction() may try to access invalid memory when the arguments of the
mix() function are comma-terminated.

* css/CSSParser.cpp:
(WebCore::CSSParser::parseMixFunction):

LayoutTests:

New test cases added to check invalid comma-terminated values within mix().

* css3/filters/custom/custom-filter-property-parsing-invalid-expected.txt:
* css3/filters/script-tests/custom-filter-property-parsing-invalid.js:

Modified Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (126680 => 126681)


--- trunk/LayoutTests/ChangeLog	2012-08-25 05:33:44 UTC (rev 126680)
+++ trunk/LayoutTests/ChangeLog	2012-08-25 09:23:44 UTC (rev 126681)
@@ -1,3 +1,15 @@
+2012-08-25  Michelangelo De Simone  <[email protected]>
+
+        [Crash] Null pointer in CSSParser::parseMixFunction()
+        https://bugs.webkit.org/show_bug.cgi?id=94998
+
+        Reviewed by Benjamin Poulain.
+
+        New test cases added to check invalid comma-terminated values within mix().
+
+        * css3/filters/custom/custom-filter-property-parsing-invalid-expected.txt:
+        * css3/filters/script-tests/custom-filter-property-parsing-invalid.js:
+
 2012-08-24  Zan Dobersek  <[email protected]>
 
         Unreviewed GTK gardening.

Modified: trunk/LayoutTests/css3/filters/custom/custom-filter-property-parsing-invalid-expected.txt (126680 => 126681)


--- trunk/LayoutTests/css3/filters/custom/custom-filter-property-parsing-invalid-expected.txt	2012-08-25 05:33:44 UTC (rev 126680)
+++ trunk/LayoutTests/css3/filters/custom/custom-filter-property-parsing-invalid-expected.txt	2012-08-25 09:23:44 UTC (rev 126681)
@@ -99,6 +99,16 @@
 PASS declaration.length is 0
 PASS declaration.getPropertyValue('-webkit-filter') is null
 
+Mix function with comma terminator : custom(none mix(url(shader), multiply clear,))
+PASS cssRule.type is 1
+PASS declaration.length is 0
+PASS declaration.getPropertyValue('-webkit-filter') is null
+
+Mix function with one comma : custom(none mix(,))
+PASS cssRule.type is 1
+PASS declaration.length is 0
+PASS declaration.getPropertyValue('-webkit-filter') is null
+
 No shader : custom(none, 10 20)
 PASS cssRule.type is 1
 PASS declaration.length is 0
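Review bot: The three assertion lines in each new block (cssRule.type is 1, declaration.length is 0, getPropertyValue('-webkit-filter') is null) follow the pattern of the neighbouring invalid cases, and the two descriptions match the strings passed to testInvalidFilterRule in the script change, so the expected file is consistent with the test additions.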

Modified: trunk/LayoutTests/css3/filters/script-tests/custom-filter-property-parsing-invalid.js (126680 => 126681)


--- trunk/LayoutTests/css3/filters/script-tests/custom-filter-property-parsing-invalid.js	2012-08-25 05:33:44 UTC (rev 126680)
+++ trunk/LayoutTests/css3/filters/script-tests/custom-filter-property-parsing-invalid.js	2012-08-25 09:23:44 UTC (rev 126681)
@@ -47,6 +47,8 @@
 testInvalidFilterRule("Mix function with alpha compositing mode 'highlight', which should only apply to -webkit-background-composite", "custom(none mix(url(shader) highlight))");
 testInvalidFilterRule("Mix function with 4 args", "custom(none mix(url(shader) multiply clear normal))");
 testInvalidFilterRule("Mix function with comma separators", "custom(none mix(url(shader), multiply, clear))");
+testInvalidFilterRule("Mix function with comma terminator", "custom(none mix(url(shader), multiply clear,))");
+testInvalidFilterRule("Mix function with one comma", "custom(none mix(,))");
 
 testInvalidFilterRule("No shader", "custom(none, 10 20)");
 testInvalidFilterRule("Too many mesh sizes", "custom(none, 10 20 30)");
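Review bot: The two new cases cover a trailing comma after otherwise valid arguments and a lone comma, but neither covers mix() with no arguments at all; if `custom(none mix())` reaches the same null argument list path in parseMixFunction(), adding `testInvalidFilterRule("Mix function with no args", "custom(none mix())");` next to them would exercise the new guard with an input that contains no comma.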

Modified: trunk/Source/WebCore/ChangeLog (126680 => 126681)


--- trunk/Source/WebCore/ChangeLog	2012-08-25 05:33:44 UTC (rev 126680)
+++ trunk/Source/WebCore/ChangeLog	2012-08-25 09:23:44 UTC (rev 126681)
@@ -1,3 +1,16 @@
+2012-08-25  Michelangelo De Simone  <[email protected]>
+
+        [Crash] Null pointer in CSSParser::parseMixFunction()
+        https://bugs.webkit.org/show_bug.cgi?id=94998
+
+        Reviewed by Benjamin Poulain.
+
+        parseMixFunction() may try to access invalid memory when the arguments of the
+        mix() function are comma-terminated.
+
+        * css/CSSParser.cpp:
+        (WebCore::CSSParser::parseMixFunction):
+
 2012-08-24  Helder Correia  <[email protected]>
 
         [Texmap] Move TextureMapperGL to use GraphicsContext3D
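Review bot: The entry states that invalid memory is accessed when the mix() arguments are comma-terminated but not why that input is special; a sentence noting that the function's argument list pointer is null in that case would tell future readers what the added check in parseMixFunction() guards against.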

Modified: trunk/Source/WebCore/css/CSSParser.cpp (126680 => 126681)


--- trunk/Source/WebCore/css/CSSParser.cpp	2012-08-25 05:33:44 UTC (rev 126680)
+++ trunk/Source/WebCore/css/CSSParser.cpp	2012-08-25 09:23:44 UTC (rev 126681)
@@ -7445,6 +7445,9 @@
         return 0;
 
     CSSParserValueList* argsList = value->function->args.get();
+    if (!argsList)
+        return 0;
+
     unsigned numArgs = argsList->size();
     if (numArgs < 1 || numArgs > 3)
         return 0;
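Review bot: The null check sits in the right place, ahead of the `argsList->size()` call that dereferences the pointer, and it is needed in addition to the existing `numArgs < 1` test, which only rejects an empty list, not a missing one. A one-line comment above `if (!argsList)` saying that the argument list is null for inputs such as a comma-terminated mix() (as the ChangeLog describes) would make clear that this is a normal invalid-input path and not a state worth asserting on.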
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
