Title: [123714] trunk
- Revision: 123714
- Author: macpher...@chromium.org
- Date: 2012-07-26 01:32:35 -0700 (Thu, 26 Jul 2012)
Log Message
Fix null ptr deref in CSSParser::storeVariableDeclaration().
https://bugs.webkit.org/show_bug.cgi?id=92333
Reviewed by Andreas Kling.
Fix null pointer deref that occurs if the CSSParserValue couldn't be converted to a CSSValue.
Test fast/css/variables/variable-unparseable-value-crash.html added.
* css/CSSParser.cpp:
(WebCore::CSSParser::storeVariableDeclaration):
Diff
Added: trunk/LayoutTests/fast/css/variables/variable-unparseable-value-crash-expected.txt (0 => 123714)
--- trunk/LayoutTests/fast/css/variables/variable-unparseable-value-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/css/variables/variable-unparseable-value-crash-expected.txt 2012-07-26 08:32:35 UTC (rev 123714)
@@ -0,0 +1 @@
+This test is successful if it does not crash.
Added: trunk/LayoutTests/fast/css/variables/variable-unparseable-value-crash.html (0 => 123714)
--- trunk/LayoutTests/fast/css/variables/variable-unparseable-value-crash.html (rev 0)
+++ trunk/LayoutTests/fast/css/variables/variable-unparseable-value-crash.html 2012-07-26 08:32:35 UTC (rev 123714)
@@ -0,0 +1,11 @@
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+internals.settings.setCSSVariablesEnabled(true);
+</script>
+<style>
+div {
+ -webkit-var-b: 1pxpx;
+}
+</style>
+This test is successful if it does not crash.
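Review bot: The call to internals.settings.setCSSVariablesEnabled(true) in the script block is not guarded the way testRunner.dumpAsText() is, so outside the test harness, where internals is undefined, the script throws a ReferenceError and the variables feature is never enabled. Wrapping it in `if (window.internals)` keeps the file loadable by hand. The test also covers only a declaration whose sole value is unparseable (`-webkit-var-b: 1pxpx;`); a second rule with a valid value ahead of the unparseable one would exercise the path where the parser bails out after the string builder already holds text.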
Modified: trunk/Source/WebCore/ChangeLog (123713 => 123714)
--- trunk/Source/WebCore/ChangeLog 2012-07-26 08:11:37 UTC (rev 123713)
+++ trunk/Source/WebCore/ChangeLog 2012-07-26 08:32:35 UTC (rev 123714)
@@ -1,3 +1,17 @@
+2012-07-26 Luke Macpherson <macpher...@chromium.org>
+
+ Fix null ptr deref in CSSParser::storeVariableDeclaration().
+ https://bugs.webkit.org/show_bug.cgi?id=92333
+
+ Reviewed by Andreas Kling.
+
+ Fix null pointer deref that occurs if the CSSParserValue couldn't be converted to a CSSValue.
+
+ Test fast/css/variables/variable-unparseable-value-crash.html added.
+
+ * css/CSSParser.cpp:
+ (WebCore::CSSParser::storeVariableDeclaration):
+
2012-07-26 Shinya Kawanaka <shin...@chromium.org>
Add UserAgentShadowDOM to FormControlElement just before adding AuthorShadowDOM
Modified: trunk/Source/WebCore/css/CSSParser.cpp (123713 => 123714)
--- trunk/Source/WebCore/css/CSSParser.cpp 2012-07-26 08:11:37 UTC (rev 123713)
+++ trunk/Source/WebCore/css/CSSParser.cpp 2012-07-26 08:32:35 UTC (rev 123714)
@@ -3022,7 +3022,10 @@
for (unsigned i = 0, size = value->size(); i < size; i++) {
if (i)
builder.append(' ');
- builder.append(value->valueAt(i)->createCSSValue()->cssText());
+ RefPtr<CSSValue> cssValue = value->valueAt(i)->createCSSValue();
+ if (!cssValue)
+ return;
+ builder.append(cssValue->cssText());
}
addProperty(CSSPropertyVariable, CSSVariableValue::create(variableName, builder.toString()), important, false);
}
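Review bot: The `return` taken when cssValue is null sits inside the loop and skips the addProperty() call below it, so a single unconvertible component silently discards the entire variable declaration, including any values already appended to builder. If dropping the whole declaration is the intended handling, a short comment above `if (!cssValue)` should say so, since the ChangeLog entry only mentions avoiding the crash. The accompanying layout test checks only that nothing crashes; it would be stronger if it also checked that the variable ends up unset.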