Title: [172036] trunk
- Revision: 172036
- Author: [email protected]
- Date: 2014-08-05 11:14:31 -0700 (Tue, 05 Aug 2014)
Log Message
ASSERTION FAILED: name[0] == '@' && length >= 2 in WebCore::CSSParser::detectAtToken
https://bugs.webkit.org/show_bug.cgi?id=134632
Source/WebCore:
At-rules must consist of at least two characters: the '@' symbol followed by
an identifier name. The failure of this condition makes the assertion fail.
The length of an at-rule is currently calculated by pointer arithmetic on
the 'result' pointer, which is expected to be set to the end of the at-rule
identifier by the WebCore::*CSSTokenizer::parseIdentifier method.
If the at-rule token is a sequence of 8-bit-only characters then
'result' will point correctly at the end of the identifier. However, if
the at-rule contains a 16-bit Unicode escape then 'result' will not be
updated correctly anymore, hence it cannot be used for length calculation.
The patch makes parseIdentifier bump the result pointer even in the 16-bit slow case.
Patch by Renata Hodovan, backported from Chromium: https://codereview.chromium.org/241053002
Patch by Martin Hodovan <[email protected]> on 2014-08-05
Reviewed by Darin Adler.
Test: fast/css/atrule-with-escape-character-crash.html
* css/CSSParser.cpp:
(WebCore::CSSParser::realLex):
LayoutTests:
The added test demonstrates that at-rules containing 16-bit Unicode characters
can be handled properly.
Patch by Martin Hodovan <[email protected]> on 2014-08-05
Reviewed by Darin Adler.
* fast/css/atrule-with-escape-character-crash-expected.txt: Added.
* fast/css/atrule-with-escape-character-crash.html: Added.
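As an added illustration (not WebKit's code), a compact C++ model of the two identifier paths the message describes, showing the at-rule length that reaches the `length >= 2` assertion with and without the patch's one added line; the names `Lexer`, `hexDigit`, `atRuleLength` and `applyFix` are mine, and the model assumes, as in the page's test, that the escape is the first character of the identifier.

```cpp
#include <cctype>
#include <cstdint>
#include <cstring>

// Added model (not WebKit's code): 8-bit output is written in place over the source,
// or into a separate 16-bit buffer once an escape above 0xFF is met.
struct Lexer { char src[32]; char* cur; uint16_t buf16[32]; uint16_t* cur16; };
static uint32_t hexDigit(char c) { return isdigit((unsigned char)c) ? c - '0' : tolower((unsigned char)c) - 'a' + 10; }
// Decodes identifier chars and "\h..h" escapes from lx.cur into 'out'. For an 8-bit
// destination it returns false, leaving lx.cur at the backslash, if a value exceeds 0xFF.
template <typename Dest> static bool parseIdentifierInternal(Lexer& lx, Dest*& out)
{
    for (char* p = lx.cur; *p; lx.cur = p) {
        uint32_t v = 0;
        if (*p == '\\') {
            int n = 0;
            for (++p; n < 6 && isxdigit((unsigned char)*p); ++p, ++n) v = v * 16 + hexDigit(*p);
            if (!n) return true;                               // lone backslash
        } else if (isalnum((unsigned char)*p) || *p == '-' || *p == '_') {
            v = (unsigned char)*p++;
        } else return true;                                    // identifier ended
        if (sizeof(Dest) == 1 && v > 0xFF) return false;       // cannot be written as 8-bit
        *out++ = (Dest)v;
    }
    return true;
}
// Mirrors CSSParser::parseIdentifier; applyFix toggles the patch's added line.
// Assumes, as in the page's test, that the escape opens the identifier.
static void parseIdentifier(Lexer& lx, char*& result, bool applyFix)
{
    char* start = lx.cur;
    if (parseIdentifierInternal<char>(lx, result)) return;    // 8-bit fast path
    uint16_t* start16 = lx.cur16;
    for (int i = 0; i < result - start; ++i) lx.cur16[i] = (uint16_t)start[i];
    lx.cur16 += result - start;                                // carry the 8-bit prefix
    parseIdentifierInternal<uint16_t>(lx, lx.cur16);
    if (applyFix) result += lx.cur16 - start16;                // the patch's one line
}
// Lexes one at-rule token and returns the length detectAtToken asserts on (>= 2).
static int atRuleLength(const char* text, bool applyFix)
{
    Lexer lx = {}; strncpy(lx.src, text, sizeof lx.src - 1);
    lx.cur = lx.src; lx.cur16 = lx.buf16;
    char* tokenStart = lx.cur, *result = lx.cur;
    if (*lx.cur != '@') return 0;
    ++lx.cur; ++result;                                        // '@' stays in place
    parseIdentifier(lx, result, applyFix);
    return (int)(result - tokenStart);
}
```

For the page's `@\aaa` case the unpatched model hands detectAtToken a length of 1 (only the '@'), the patched one a length of 2; an escape that fits in 8 bits, such as `@\41-x`, stays on the fast path and is unaffected either way.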
Diff
Modified: trunk/LayoutTests/ChangeLog (172035 => 172036)
--- trunk/LayoutTests/ChangeLog 2014-08-05 17:49:44 UTC (rev 172035)
+++ trunk/LayoutTests/ChangeLog 2014-08-05 18:14:31 UTC (rev 172036)
@@ -1,3 +1,16 @@
+2014-08-05 Martin Hodovan <[email protected]>
+
+ ASSERTION FAILED: name[0] == '@' && length >= 2 in WebCore::CSSParser::detectAtToken
+ https://bugs.webkit.org/show_bug.cgi?id=134632
+
+ Added test demonstrates that at-rules containing 16-bit Unicode characters
+ can be handled properly.
+
+ Reviewed by Darin Adler.
+
+ * fast/css/atrule-with-escape-character-crash-expected.txt: Added.
+ * fast/css/atrule-with-escape-character-crash.html: Added.
+
2014-08-05 Renata Hodovan <[email protected]>
Fixing calc() parameter parsing in cubic-bezier functions
Added: trunk/LayoutTests/fast/css/atrule-with-escape-character-crash-expected.txt (0 => 172036)
--- trunk/LayoutTests/fast/css/atrule-with-escape-character-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/css/atrule-with-escape-character-crash-expected.txt 2014-08-05 18:14:31 UTC (rev 172036)
@@ -0,0 +1 @@
+Test for crash when the identifier of an at-rule contains unicode escapes. The test passes if it does not cause an assertion failure. [https://bugs.webkit.org/show_bug.cgi?id=134632]
Added: trunk/LayoutTests/fast/css/atrule-with-escape-character-crash.html (0 => 172036)
--- trunk/LayoutTests/fast/css/atrule-with-escape-character-crash.html (rev 0)
+++ trunk/LayoutTests/fast/css/atrule-with-escape-character-crash.html 2014-08-05 18:14:31 UTC (rev 172036)
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ </script>
+
+ <style>
+ * {
+ @\aaa
+ }
+ </style>
+</head>
+<body>
+ <p>
+ Test for crash when the identifier of an at-rule contains unicode escapes.
+ The test passes if it does not cause an assertion failure.
+ [https://bugs.webkit.org/show_bug.cgi?id=134632]
+ </p>
+</body>
+</html>
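Review bot: the only 16-bit escape this test exercises is `@\aaa` nested inside a `* { }` block, so the at-rule with an escape never appears at the stylesheet's top level, where at-rules normally occur; adding a second, top-level rule with the same escape would cover both contexts the tokenizer sees, at no cost to the dumpAsText expectation.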
Modified: trunk/Source/WebCore/ChangeLog (172035 => 172036)
--- trunk/Source/WebCore/ChangeLog 2014-08-05 17:49:44 UTC (rev 172035)
+++ trunk/Source/WebCore/ChangeLog 2014-08-05 18:14:31 UTC (rev 172036)
@@ -1,3 +1,29 @@
+2014-08-05 Martin Hodovan <[email protected]>
+
+ ASSERTION FAILED: name[0] == '@' && length >= 2 in WebCore::CSSParser::detectAtToken
+ https://bugs.webkit.org/show_bug.cgi?id=134632
+
+ At-rules must consist of at least two characters: the '@' symbol followed by
+ an identifier name. The failure of this condition makes the assertion fail.
+
+ The length of an at-rule is currently calculated by pointer arithmetic on
+ the 'result' pointer, which is expected to be set to the end of the at-rule
+ identifier by the WebCore::*CSSTokenizer::parseIdentifier method.
+ If the at-rule token is a sequence of 8-bit-only characters then
+ 'result' will point correctly at the end of the identifier. However, if
+ the at-rule contains a 16-bit Unicode escape then 'result' will not be
+ updated correctly anymore, hence it cannot be used for length calculation.
+ The patch makes the parseIdentifier bump the result pointer even in the 16-bit slow case.
+
+ Patch by Renata Hodovan, backported from Chromium: https://codereview.chromium.org/241053002
+
+ Reviewed by Darin Adler.
+
+ Test: fast/css/atrule-with-escape-character-crash.html
+
+ * css/CSSParser.cpp:
+ (WebCore::CSSParser::realLex):
+
2014-08-04 Andy Estes <[email protected]>
[iOS] The raw bytes of an iWork document's PDF preview are displayed rather than the PDF itself
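Review bot: the function list names `(WebCore::CSSParser::realLex)`, but the description above says the change makes `parseIdentifier` bump the result pointer, and the CSSParser.cpp hunk sits beside a `parseIdentifierInternal` call and a `resultString.init(start16, ...)` line rather than in the lexer's main switch; the ChangeLog entry should name the function the hunk actually modifies.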
Modified: trunk/Source/WebCore/css/CSSParser.cpp (172035 => 172036)
--- trunk/Source/WebCore/css/CSSParser.cpp 2014-08-05 17:49:44 UTC (rev 172035)
+++ trunk/Source/WebCore/css/CSSParser.cpp 2014-08-05 18:14:31 UTC (rev 172036)
@@ -10298,6 +10298,7 @@
parseIdentifierInternal(currentCharacter<CharacterType>(), result16, hasEscape);
+ result += result16 - start16;
resultString.init(start16, result16 - start16);
return;
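Review bot: the added `result += result16 - start16;` advances the 8-bit write pointer by the full number of UChars now in the 16-bit buffer, so it is only correct if `result` still points at the start of this identifier when the slow path is entered; if the 8-bit attempt had already advanced `result` past a prefix that was then copied into `result16`, that prefix would be counted twice in the length handed to detectAtToken. Nothing in the hunk documents the relationship between `result` and `result16`; an ASSERT on that invariant, or a one-line comment explaining why the double count cannot happen or is harmless, would make the fix self-explanatory.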
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes