Changeset 124723 in webkit

Timestamp:

Aug 5, 2012 6:22:40 PM (12 years ago)

Author:

macpherson@chromium.org

Message:

Fix null pointer dereference when CSSParser::sinkFloatingValueList() returns null and is passed to storeVariableDeclaration().
​https://bugs.webkit.org/show_bug.cgi?id=92461

Reviewed by Eric Seidel.

Source/WebCore:

Invalid variable lists could cause CSSGrammar.y to pass null as value to storeVariableDeclaration, so we now check for null.

Test: fast/css/variables/invalid-value-list-crash.html

• css/CSSParser.cpp:

(WebCore::CSSParser::storeVariableDeclaration):

LayoutTests:

Test case that causes CSSParser::storeVariableDeclaration to be passed a null value.

• fast/css/variables/invalid-value-list-crash-expected.txt: Added.
• fast/css/variables/invalid-value-list-crash.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/css/variables/invalid-value-list-crash-expected.txt (added)
• LayoutTests/fast/css/variables/invalid-value-list-crash.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/css/CSSParser.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-08-05  Luke Macpherson   <macpherson@chromium.org>
+
+        Fix null pointer dereference when CSSParser::sinkFloatingValueList() returns null and is passed to storeVariableDeclaration().
+        https://bugs.webkit.org/show_bug.cgi?id=92461
+
+        Reviewed by Eric Seidel.
+
+        Test case that causes CSSParser::storeVariableDeclaration to be passed a null value.
+
+        * fast/css/variables/invalid-value-list-crash-expected.txt: Added.
+        * fast/css/variables/invalid-value-list-crash.html: Added.
+
 2012-08-05  Kent Tamura  <tkent@chromium.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-08-05  Luke Macpherson   <macpherson@chromium.org>
+
+        Fix null pointer dereference when CSSParser::sinkFloatingValueList() returns null and is passed to storeVariableDeclaration().
+        https://bugs.webkit.org/show_bug.cgi?id=92461
+
+        Reviewed by Eric Seidel.
+
+        Invalid variable lists could cause CSSGrammar.y to pass null as value to storeVariableDeclaration, so we now check for null.
+
+        Test: fast/css/variables/invalid-value-list-crash.html
+
+        * css/CSSParser.cpp:
+        (WebCore::CSSParser::storeVariableDeclaration):
+
 2012-08-03  Kent Tamura  <tkent@chromium.org>
 

trunk/Source/WebCore/css/CSSParser.cpp

@@ -3026 +3026 @@
 void CSSParser::storeVariableDeclaration(const CSSParserString& name, PassOwnPtr<CSSParserValueList> value, bool important)
 {
+    // When CSSGrammar.y encounters an invalid declaration it passes null for the CSSParserValueList, just bail.
+    if (!value)
+        return;
+    
     ASSERT(name.length > 12);
     AtomicString variableName = String(name.characters + 12, name.length - 12);