Title: [160766] trunk
Revision: 160766
Author: [email protected]
Date: 2013-12-18 07:51:55 -0800 (Wed, 18 Dec 2013)

Log Message

CSS: Null-pointer dereference with negative 'orphans' value.
https://bugs.webkit.org/show_bug.cgi?id=125924

Patch by Dániel Bátyai <[email protected]> on 2013-12-18
Reviewed by Andreas Kling.

Source/WebCore:

orphans and widows should be positive integer.

spec link:
http://www.w3.org/TR/CSS2/page.html#propdef-orphans

Backported from Blink: https://codereview.chromium.org/108663009

Test: fast/css/negative-orphans-crash.html

* css/CSSParser.cpp:
(WebCore::CSSParser::parseValue):

LayoutTests:

Test with negative orphans value.

* fast/css/negative-orphans-crash-expected.txt: Added.
* fast/css/negative-orphans-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (160765 => 160766)


--- trunk/LayoutTests/ChangeLog	2013-12-18 15:05:49 UTC (rev 160765)
+++ trunk/LayoutTests/ChangeLog	2013-12-18 15:51:55 UTC (rev 160766)
@@ -1,3 +1,15 @@
+2013-12-18  Dániel Bátyai  <[email protected]>
+
+        CSS: Null-pointer dereference with negative 'orphans' value.
+        https://bugs.webkit.org/show_bug.cgi?id=125924
+
+        Reviewed by Andreas Kling.
+
+        Test with negative orphans value.
+
+        * fast/css/negative-orphans-crash-expected.txt: Added.
+        * fast/css/negative-orphans-crash.html: Added.
+
 2013-12-18  Chris Fleizach  <[email protected]>
 
         AX: HTML spec change indicates @aria-required should trump @required on any element

Added: trunk/LayoutTests/fast/css/negative-orphans-crash-expected.txt (0 => 160766)


--- trunk/LayoutTests/fast/css/negative-orphans-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/css/negative-orphans-crash-expected.txt	2013-12-18 15:51:55 UTC (rev 160766)
@@ -0,0 +1 @@
+PASS

Added: trunk/LayoutTests/fast/css/negative-orphans-crash.html (0 => 160766)


--- trunk/LayoutTests/fast/css/negative-orphans-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/css/negative-orphans-crash.html	2013-12-18 15:51:55 UTC (rev 160766)
@@ -0,0 +1,27 @@
+<html>
+<head>
+<style>
+html {
+    orphans:-988;
+    widows: 435;
+    -webkit-columns:1in auto ;
+    width: 0;
+}
+</style>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+function onLoad()
+{
+    document.body.offsetLeft;
+    document.body.innerHTML = 'PASS';
+}
+</script>
+</head>
+<body _onload_="onLoad()">
+<!-- This test is for https://bugs.webkit.org/show_bug.cgi?id=125924. Need some long text for reproducing crash.-->
+<!-- Copied the following from W3C spec.-->
+The 'orphans' property specifies the minimum number of lines in a block container that must be left at the bottom of a page. The 'widows' property specifies the minimum number of lines in a block container that must be left at the top of a page. Examples of how they are used to control page breaks are given below.
+</body>
+</html>
\ No newline at end of file
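
Review bot: The style block only exercises the negative case for orphans ("orphans:-988;") while widows is given a valid value ("widows: 435;"), so the widows half of the parser change has no regression coverage; add a rule or a second test with a negative widows value, and one with 0 so the intended handling of zero is pinned down. Separately, the body tag's handler attribute is spelled _onload_ as shown here; if that is the committed text rather than an artifact of how this page renders the attribute, onLoad() never runs and the body is never replaced with 'PASS'. The file also ends without a trailing newline.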

Modified: trunk/Source/WebCore/ChangeLog (160765 => 160766)


--- trunk/Source/WebCore/ChangeLog	2013-12-18 15:05:49 UTC (rev 160765)
+++ trunk/Source/WebCore/ChangeLog	2013-12-18 15:51:55 UTC (rev 160766)
@@ -1,3 +1,22 @@
+2013-12-18  Dániel Bátyai  <[email protected]>
+
+        CSS: Null-pointer dereference with negative 'orphans' value.
+        https://bugs.webkit.org/show_bug.cgi?id=125924
+
+        Reviewed by Andreas Kling.
+
+        orphans and widows should be positive integer.
+
+        spec link:
+        http://www.w3.org/TR/CSS2/page.html#propdef-orphans
+
+        Backported from Blink: https://codereview.chromium.org/108663009
+
+        Test: fast/css/negative-orphans-crash.html
+
+        * css/CSSParser.cpp:
+        (WebCore::CSSParser::parseValue):
+
 2013-12-18  Andreas Kling  <[email protected]>
 
         Make more computed style helpers return values by PassRef.
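
Review bot: The entry for (WebCore::CSSParser::parseValue) has no per-function comment, and the description above it mentions only orphans and widows, while the same function change also stops CSSPropertyZIndex from falling through into the orphans/widows case so that z-index stays on FInteger. A line saying that the z-index case was split out, and why, would make the ChangeLog match the code change.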

Modified: trunk/Source/WebCore/css/CSSParser.cpp (160765 => 160766)


--- trunk/Source/WebCore/css/CSSParser.cpp	2013-12-18 15:05:49 UTC (rev 160765)
+++ trunk/Source/WebCore/css/CSSParser.cpp	2013-12-18 15:51:55 UTC (rev 160766)
@@ -2217,17 +2217,18 @@
         break;
 
     case CSSPropertyZIndex:              // auto | <integer> | inherit
-        if (id == CSSValueAuto) {
+        if (id == CSSValueAuto)
             validPrimitive = true;
-            break;
-        }
-        /* nobreak */
+        else
+            validPrimitive = (!id && validUnit(value, FInteger, CSSQuirksMode));
+        break;
+
     case CSSPropertyOrphans: // <integer> | inherit | auto (We've added support for auto for backwards compatibility)
     case CSSPropertyWidows: // <integer> | inherit | auto (Ditto)
         if (id == CSSValueAuto)
             validPrimitive = true;
         else
-            validPrimitive = (!id && validUnit(value, FInteger, CSSQuirksMode));
+            validPrimitive = (!id && validUnit(value, FPositiveInteger, CSSQuirksMode));
         break;
 
     case CSSPropertyLineHeight:
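
Review bot: The trailing comments on the CSSPropertyOrphans and CSSPropertyWidows case labels still read "<integer> | inherit | auto" although the check is now validUnit(value, FPositiveInteger, CSSQuirksMode); update them so the comment matches what is accepted. It would also help to state, here or in the test, whether 0 is meant to be rejected, since the added layout test only uses -988. Giving CSSPropertyZIndex its own FInteger check and break, in place of the old /* nobreak */ fall-through, correctly keeps the tighter check from applying to z-index.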
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
