Changeset 141701 in webkit


Timestamp:
Feb 2, 2013 12:55:48 PM (11 years ago)
Author:
tasak@google.com
Message:

Making -webkit-image-set() the first value of background property causes crash.
https://bugs.webkit.org/show_bug.cgi?id=108409

Reviewed by Beth Dakin.

Source/WebCore:

CSSParser::addFillValue should use lval->isBaseValueList() instead
of lval->isValueList(). If lval is -webkit-image-set, rval is appended
to -webkit-image-set.

Test: fast/css/image-set-value-crash-in-fillImageSet.html

  • css/CSSParser.cpp:

(WebCore::CSSParser::addFillValue):
If lval is not a value list, lval is initialized by using
CSSValueList::createCommaSeparated(). So we have to check whether
lval is created by CSSValueList::createCommaSeparated() or not.

LayoutTests:

  • fast/css/image-set-value-crash-in-fillImageSet-expected.txt: Added.
  • fast/css/image-set-value-crash-in-fillImageSet.html: Added.
Location:
trunk
Files:
2 added
3 edited

  • trunk/LayoutTests/ChangeLog

    r141689 r141701  
     12013-02-02  Takashi Sakamoto  <tasak@google.com>
     2
     3        Making -webkit-image-set() the first value of background property causes crash.
     4        https://bugs.webkit.org/show_bug.cgi?id=108409
     5
     6        Reviewed by Beth Dakin.
     7
     8        * fast/css/image-set-value-crash-in-fillImageSet-expected.txt: Added.
     9        * fast/css/image-set-value-crash-in-fillImageSet.html: Added.
     10
    1112013-02-02  Andrey Lushnikov  <lushnikov@chromium.org>
    212
  • trunk/Source/WebCore/ChangeLog

    r141699 r141701  
     12013-02-02  Takashi Sakamoto  <tasak@google.com>
     2
     3        Making -webkit-image-set() the first value of background property causes crash.
     4        https://bugs.webkit.org/show_bug.cgi?id=108409
     5
     6        Reviewed by Beth Dakin.
     7
     8        CSSParser::addFillValue should use lval->isBaseValueList() instead
     9        of lval->isValueList(). If lval is -webkit-image-set, rval is appended
     10        to -webkit-image-set.
     11
     12        Test: fast/css/image-set-value-crash-in-fillImageSet.html
     13
     14        * css/CSSParser.cpp:
     15        (WebCore::CSSParser::addFillValue):
     16        If lval is not a value list, lval is initialized by using
     17        CSSValueList::createCommaSeparated(). So we have to check whether
     18        lval is created by CSSValueList::createCommaSeparated() or not.
     19
    1202013-02-02  David Kilzer  <ddkilzer@apple.com>
    221
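Review bot: The sentence "If lval is -webkit-image-set, rval is appended to -webkit-image-set" on lines 9-10 of this entry describes the old behaviour under isValueList() without saying so, and does not say that this append is what leads to the crash named in the title. Rewording it in the past tense and tying it to the old check (for example "With isValueList(), rval was appended to the -webkit-image-set value itself") would make the entry readable without opening the bug.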
  • trunk/Source/WebCore/css/CSSParser.cpp

    r141480 r141701  
    29712971{
    29722972    if (lval) {
    2973         if (lval->isValueList())
     2973        if (lval->isBaseValueList())
    29742974            static_cast<CSSValueList*>(lval.get())->append(rval);
    29752975        else {
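Review bot: The reason for preferring isBaseValueList() at line 2973 is recorded only in the ChangeLog, while the static_cast<CSSValueList*> and append(rval) on line 2974 depend on lval being a list made by CSSValueList::createCommaSeparated() and not a -webkit-image-set value. A one-line comment at the check stating that isValueList() also matches -webkit-image-set would keep a later cleanup from switching it back and reintroducing the append into the image set.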