Title: [166726] trunk
- Revision: 166726
- Author: bjone...@adobe.com
- Date: 2014-04-03 09:48:23 -0700 (Thu, 03 Apr 2014)
Log Message
[CSS Shapes] CRASH with calc() value args in inset round
https://bugs.webkit.org/show_bug.cgi?id=129816
Reviewed by Andreas Kling.
Source/WebCore:
The code to parse the inset rounded corners was adding the parser
value arguments to a temporary CSSParserValueList. Unfortunately,
CSSParserValueList expects to own the values it contains, and it frees
the values it contains when the list is destroyed. This was a problem
because the values are owned by the CSSParserValueList passed in to
parseInsetRoundedCorners, and thus the calc's argument list would get
double freed, resulting in a crash. This patch fixes this by using a
Vector to hold the pointers instead.
Test: fast/shapes/shape-outside-floats/shape-outside-inset-round-calc-crash.html
* css/CSSParser.cpp:
(WebCore::CSSParser::parseInsetRoundedCorners):
LayoutTests:
Simple test to make sure that using calc in the round argument of an
inset doesn't cause a crash.
* fast/shapes/shape-outside-floats/shape-outside-inset-round-calc-crash-expected.txt: Added.
* fast/shapes/shape-outside-floats/shape-outside-inset-round-calc-crash.html: Added.
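The ownership problem the log message describes, reduced to a self-contained model. This is an added example, not WebKit code: `ArgList`, `Value`, `OwningList` and the release counter are hypothetical stand-ins for the parser types.

```cpp
#include <cstdio>
#include <map>
#include <vector>

// Simplified model, not WebKit's classes: a parser value that may point at a
// heap-style argument list, as a calc() function value does.
struct ArgList { int id; };
struct Value { ArgList* function; };

// Counts releases instead of freeing, so the bug is observable without UB.
static std::map<int, int> g_releases;
static void release(ArgList* a) { if (a) ++g_releases[a->id]; }

// Owning list: keeps shallow copies and releases their pointees on destruction.
struct OwningList {
    std::vector<Value> values;
    void addValue(const Value& v) { values.push_back(v); }
    ~OwningList() { for (auto& v : values) release(v.function); }
};

// Before the fix: borrowed values are copied into a temporary owning list.
int releasesWithTemporaryOwningList() {
    g_releases.clear();
    ArgList calcArgs{1};
    {
        OwningList args;                // the caller's list, the real owner
        args.addValue(Value{&calcArgs});
        {
            OwningList radiusArguments; // temporary that also "owns"
            for (auto& v : args.values) radiusArguments.addValue(v);
        }                               // first release of calcArgs
    }                                   // second release: the double free
    return g_releases[1];
}

// After the fix: the temporary holds non-owning pointers only.
int releasesWithPointerVector() {
    g_releases.clear();
    ArgList calcArgs{1};
    {
        OwningList args;
        args.addValue(Value{&calcArgs});
        std::vector<Value*> radiusArguments;
        for (auto& v : args.values) radiusArguments.push_back(&v);
    }                                   // only args releases calcArgs
    return g_releases[1];
}

int main() { std::printf("%d %d\n", releasesWithTemporaryOwningList(), releasesWithPointerVector()); }
```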
Diff
Modified: trunk/LayoutTests/ChangeLog (166725 => 166726)
--- trunk/LayoutTests/ChangeLog 2014-04-03 16:47:48 UTC (rev 166725)
+++ trunk/LayoutTests/ChangeLog 2014-04-03 16:48:23 UTC (rev 166726)
@@ -1,3 +1,16 @@
+2014-04-03 Bem Jones-Bey <bjone...@adobe.com>
+
+ [CSS Shapes] CRASH with calc() value args in inset round
+ https://bugs.webkit.org/show_bug.cgi?id=129816
+
+ Reviewed by Andreas Kling.
+
+ Simple test to make sure that using calc in the round argument of an
+ inset doesn't cause a crash.
+
+ * fast/shapes/shape-outside-floats/shape-outside-inset-round-calc-crash-expected.txt: Added.
+ * fast/shapes/shape-outside-floats/shape-outside-inset-round-calc-crash.html: Added.
+
2014-04-03 Javier Fernandez <jfernan...@igalia.com>
[CSS Grid Layout] Make sure grid element's shrink-to-fit behavior is correct
Added: trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-inset-round-calc-crash-expected.txt (0 => 166726)
--- trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-inset-round-calc-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-inset-round-calc-crash-expected.txt 2014-04-03 16:48:23 UTC (rev 166726)
@@ -0,0 +1,2 @@
+This test passes if it doesn't crash.
+
Added: trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-inset-round-calc-crash.html (0 => 166726)
--- trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-inset-round-calc-crash.html (rev 0)
+++ trunk/LayoutTests/fast/shapes/shape-outside-floats/shape-outside-inset-round-calc-crash.html 2014-04-03 16:48:23 UTC (rev 166726)
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+ <style>
+ div {
+ -webkit-shape-outside: inset(10px round calc(10in));
+ }
+ </style>
+ <body>
+ This test passes if it doesn't crash.
+ <div></div>
+ </body>
+ <script>
+ if (window.testRunner)
+ testRunner.dumpAsText()
+ </script>
+</html>
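Review bot: The test covers only a single calc() radius (`inset(10px round calc(10in))`), while the loop in parseInsetRoundedCorners collects up to nine arguments and treats `/` specially. Consider adding a second rule with several calc() radii on both sides of a `/`, so every position that held a borrowed value is exercised. Minor: the `<style>` and `<script>` elements sit outside `<head>` and `<body>`; placing them conventionally keeps the test from depending on parser error recovery.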
Modified: trunk/Source/WebCore/ChangeLog (166725 => 166726)
--- trunk/Source/WebCore/ChangeLog 2014-04-03 16:47:48 UTC (rev 166725)
+++ trunk/Source/WebCore/ChangeLog 2014-04-03 16:48:23 UTC (rev 166726)
@@ -1,3 +1,24 @@
+2014-04-03 Bem Jones-Bey <bjone...@adobe.com>
+
+ [CSS Shapes] CRASH with calc() value args in inset round
+ https://bugs.webkit.org/show_bug.cgi?id=129816
+
+ Reviewed by Andreas Kling.
+
+ The code to parse the inset rounded corners was adding the parser
+ value arguments to a temporary CSSParserValueList. Unfortunately,
+ CSSParserValueList expects to own the values it contains, and it frees
+ the values it contains when the list is destroyed. This was a problem
+ because the values are owned by the CSSParserValueList passed in to
+ parseInsetRoundedCorners, and thus the calc's argument list would get
+ double freed, resulting in a crash. This patch fixes this by using a
+ Vector to hold the pointers instead.
+
+ Test: fast/shapes/shape-outside-floats/shape-outside-inset-round-calc-crash.html
+
+ * css/CSSParser.cpp:
+ (WebCore::CSSParser::parseInsetRoundedCorners):
+
2014-04-03 Jer Noble <jer.no...@apple.com>
Leaving a streaming movie by going "Back" keeps playing the audio
Modified: trunk/Source/WebCore/css/CSSParser.cpp (166725 => 166726)
--- trunk/Source/WebCore/css/CSSParser.cpp 2014-04-03 16:47:48 UTC (rev 166725)
+++ trunk/Source/WebCore/css/CSSParser.cpp 2014-04-03 16:48:23 UTC (rev 166726)
@@ -5347,13 +5347,13 @@
if (!argument)
return nullptr;
- std::unique_ptr<CSSParserValueList> radiusArguments(new CSSParserValueList);
+ Vector<CSSParserValue*> radiusArguments;
while (argument) {
- radiusArguments->addValue(*argument);
+ radiusArguments.append(argument);
argument = args->next();
}
- unsigned num = radiusArguments->size();
+ unsigned num = radiusArguments.size();
if (!num || num > 9)
return nullptr;
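Review bot: `Vector<CSSParserValue*> radiusArguments` now holds borrowed pointers into `args`, and nothing at the declaration says so. A one-line comment stating that the values stay owned by `args` and must not be freed here would keep a later edit from reintroducing an owning container. Also, the loop appends every remaining argument before the `num > 9` check rejects the list; stopping once more than nine have been collected would bound the vector's growth on oversized input.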
@@ -5361,7 +5361,7 @@
unsigned indexAfterSlash = 0;
for (unsigned i = 0; i < num; ++i) {
- CSSParserValue* value = radiusArguments->valueAt(i);
+ CSSParserValue* value = radiusArguments.at(i);
if (value->unit == CSSParserValue::Operator) {
if (value->iValue != '/')
return nullptr;