Changeset 126681 in webkit

Timestamp:

Aug 25, 2012, 2:23:44 AM (13 years ago)

Author:

Michelangelo De Simone

Message:

[Crash] Null pointer in CSSParser::parseMixFunction()
​https://bugs.webkit.org/show_bug.cgi?id=94998

Reviewed by Benjamin Poulain.

Source/WebCore:

parseMixFunction() may try to access invalid memory when the arguments of the
mix() function are comma-terminated.

• css/CSSParser.cpp:

(WebCore::CSSParser::parseMixFunction):

LayoutTests:

New test cases added to check invalid comma-terminated values within mix().

• css3/filters/custom/custom-filter-property-parsing-invalid-expected.txt:
• css3/filters/script-tests/custom-filter-property-parsing-invalid.js:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/css3/filters/custom/custom-filter-property-parsing-invalid-expected.txt (modified) (1 diff)
• LayoutTests/css3/filters/script-tests/custom-filter-property-parsing-invalid.js (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/css/CSSParser.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-08-25  Michelangelo De Simone  <michelangelo@webkit.org>
+
+        [Crash] Null pointer in CSSParser::parseMixFunction()
+        https://bugs.webkit.org/show_bug.cgi?id=94998
+
+        Reviewed by Benjamin Poulain.
+
+        New test cases added to check invalid comma-terminated values within mix().
+
+        * css3/filters/custom/custom-filter-property-parsing-invalid-expected.txt:
+        * css3/filters/script-tests/custom-filter-property-parsing-invalid.js:
+
 2012-08-24  Zan Dobersek  <zandobersek@gmail.com>
 

trunk/LayoutTests/css3/filters/custom/custom-filter-property-parsing-invalid-expected.txt

@@ -100 +100 @@
 PASS declaration.getPropertyValue('-webkit-filter') is null
 
+Mix function with comma terminator : custom(none mix(url(shader), multiply clear,))
+PASS cssRule.type is 1
+PASS declaration.length is 0
+PASS declaration.getPropertyValue('-webkit-filter') is null
+
+Mix function with one comma : custom(none mix(,))
+PASS cssRule.type is 1
+PASS declaration.length is 0
+PASS declaration.getPropertyValue('-webkit-filter') is null
+
 No shader : custom(none, 10 20)
 PASS cssRule.type is 1

trunk/LayoutTests/css3/filters/script-tests/custom-filter-property-parsing-invalid.js

@@ -48 +48 @@
 testInvalidFilterRule("Mix function with 4 args", "custom(none mix(url(shader) multiply clear normal))");
 testInvalidFilterRule("Mix function with comma separators", "custom(none mix(url(shader), multiply, clear))");
+testInvalidFilterRule("Mix function with comma terminator", "custom(none mix(url(shader), multiply clear,))");
+testInvalidFilterRule("Mix function with one comma", "custom(none mix(,))");
 
 testInvalidFilterRule("No shader", "custom(none, 10 20)");

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-08-25  Michelangelo De Simone  <michelangelo@webkit.org>
+
+        [Crash] Null pointer in CSSParser::parseMixFunction()
+        https://bugs.webkit.org/show_bug.cgi?id=94998
+
+        Reviewed by Benjamin Poulain.
+
+        parseMixFunction() may try to access invalid memory when the arguments of the
+        mix() function are comma-terminated.
+
+        * css/CSSParser.cpp:
+        (WebCore::CSSParser::parseMixFunction):
+
 2012-08-24  Helder Correia  <helder.correia@nokia.com>
 

trunk/Source/WebCore/css/CSSParser.cpp

@@ -7446 +7446 @@
 
     CSSParserValueList* argsList = value->function->args.get();
+    if (!argsList)
+        return 0;
+
     unsigned numArgs = argsList->size();
     if (numArgs < 1 || numArgs > 3)