Changeset 55914 in webkit


Timestamp:
Mar 12, 2010 10:28:56 AM (14 years ago)
Author:
mitz@apple.com
Message:

<rdar://problem/7725534> CSSPrimitiveValue::parserValue() returns deleted memory
https://bugs.webkit.org/show_bug.cgi?id=20069

Reviewed by Darin Adler.

No test added, since with the CSS variables feature disabled, the pointer
to the freed memory is never dereferenced.

  • css/CSSPrimitiveValue.cpp:

(WebCore::valueOrPropertyName): Changed to return a const AtomicString& from
a static table.
(WebCore::CSSPrimitiveValue::parserValue): Updated for the above change.

Location:
trunk/WebCore
Files:
2 edited

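--- a/trunk/WebCore/ChangeLog
+++ b/trunk/WebCore/ChangeLog
@@ -1,2 +1,17 @@
+2010-03-12  Dan Bernstein  <mitz@apple.com>
+
+        Reviewed by Darin Adler.
+
+        <rdar://problem/7725534> CSSPrimitiveValue::parserValue() returns deleted memory
+        https://bugs.webkit.org/show_bug.cgi?id=20069
+
+        No test added, since with the CSS variables feature disabled, the pointer
+        to the freed memory is never dereferenced.
+
+        * css/CSSPrimitiveValue.cpp:
+        (WebCore::valueOrPropertyName): Changed to return a const AtomicString& from
+        a static table.
+        (WebCore::CSSPrimitiveValue::parserValue): Updated for the above change.
+
 2010-03-12  Dan Bernstein  <mitz@apple.com>
 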
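--- a/trunk/WebCore/css/CSSPrimitiveValue.cpp
+++ b/trunk/WebCore/css/CSSPrimitiveValue.cpp
@@ -117,9 +117,28 @@
 }
 
-static const char* valueOrPropertyName(int valueOrPropertyID)
-{
-    if (const char* valueName = getValueName(valueOrPropertyID))
-        return valueName;
-    return getPropertyName(static_cast<CSSPropertyID>(valueOrPropertyID));
+static const AtomicString& valueOrPropertyName(int valueOrPropertyID)
+{
+    ASSERT_ARG(valueOrPropertyID, valueOrPropertyID >= 0);
+    ASSERT_ARG(valueOrPropertyID, valueOrPropertyID < numCSSValueKeywords || (valueOrPropertyID >= firstCSSProperty && valueOrPropertyID < firstCSSProperty + numCSSProperties));
+
+    if (valueOrPropertyID < 0)
+        return nullAtom;
+
+    if (valueOrPropertyID < numCSSValueKeywords) {
+        static AtomicString* cssValueKeywordStrings[numCSSValueKeywords];
+        if (!cssValueKeywordStrings[valueOrPropertyID])
+            cssValueKeywordStrings[valueOrPropertyID] = new AtomicString(getValueName(valueOrPropertyID));
+        return *cssValueKeywordStrings[valueOrPropertyID];
+    }
+
+    if (valueOrPropertyID >= firstCSSProperty && valueOrPropertyID < firstCSSProperty + numCSSProperties) {
+        static AtomicString* cssPropertyStrings[numCSSProperties];
+        int propertyIndex = valueOrPropertyID - firstCSSProperty;
+        if (!cssPropertyStrings[propertyIndex])
+            cssPropertyStrings[propertyIndex] = new AtomicString(getPropertyName(static_cast<CSSPropertyID>(valueOrPropertyID)));
+        return *cssPropertyStrings[propertyIndex];
+    }
+
+    return nullAtom;
 }
 
@@ -931,5 +950,5 @@
         case CSS_IDENT: {
             value.id = m_value.ident;
-            String name = valueOrPropertyName(m_value.ident);
+            const AtomicString& name = valueOrPropertyName(m_value.ident);
             value.string.characters = const_cast<UChar*>(name.characters());
             value.string.length = name.length();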
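Review bot: The lazily filled `cssValueKeywordStrings` and `cssPropertyStrings` tables in the new valueOrPropertyName use an unsynchronized check-then-`new`, so two concurrent first calls for the same id would allocate twice (leaking one entry) or read a slot while it is being assigned; if this function is meant to run only on the main thread, as CSS parsing presumably does, make that explicit with `ASSERT(isMainThread());` at the top of the function (WTF's isMainThread(), assuming it is reachable from this file). The table entries are deliberately never deleted — that is what lets the returned `const AtomicString&` outlive the call and fixes the dangling pointer in the second hunk — but nothing in the code says so; a comment above the first table, `// Entries are allocated once and intentionally never freed: callers such as parserValue() keep raw character pointers into them.`, would stop a later cleanup from "fixing" the leak and reintroducing the use-after-free. In the second hunk, `const_cast<UChar*>(name.characters())` now hands out a writable pointer into a process-lifetime AtomicString buffer shared by every other user of that atom; if CSSParserString's `characters` is only ever read, a one-line comment there saying the buffer must not be written through would document the assumption that keeps the atom table intact. The enclosing parserValue() function starts and ends outside the hunk.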