Changeset 166726 in webkit

Timestamp:

Apr 3, 2014 9:48:23 AM (10 years ago)

Author:

Bem Jones-Bey

Message:

[CSS Shapes] CRASH with calc() value args in inset round
​https://bugs.webkit.org/show_bug.cgi?id=129816

Reviewed by Andreas Kling.

Source/WebCore:

The code to parse the inset rounded corners was adding the parser
value arguments to a temporary CSSParserValueList. Unfortunately,
CSSParserValueList expects to own the values it contains, and it frees
the values it contains when the list is destroyed. This was a problem
because the values are owned by the CSSParserValueList passed in to
parseInsetRoundedCorners, and thus the calc's argument list would get
double freed, resulting in a crash. This patch fixes this by using a
Vector to hold the pointers instead.

Test: fast/shapes/shape-outside-floats/shape-outside-inset-round-calc-crash.html

• css/CSSParser.cpp:

(WebCore::CSSParser::parseInsetRoundedCorners):

LayoutTests:

Simple test to make sure that using calc in the round argument of an
inset doesn't cause a crash.

• fast/shapes/shape-outside-floats/shape-outside-inset-round-calc-crash-expected.txt: Added.
• fast/shapes/shape-outside-floats/shape-outside-inset-round-calc-crash.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/shapes/shape-outside-floats/shape-outside-inset-round-calc-crash-expected.txt (added)
• LayoutTests/fast/shapes/shape-outside-floats/shape-outside-inset-round-calc-crash.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/css/CSSParser.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2014-04-03  Bem Jones-Bey  <bjonesbe@adobe.com>
+
+        [CSS Shapes] CRASH with calc() value args in inset round
+        https://bugs.webkit.org/show_bug.cgi?id=129816
+
+        Reviewed by Andreas Kling.
+
+        Simple test to make sure that using calc in the round argument of an
+        inset doesn't cause a crash.
+
+        * fast/shapes/shape-outside-floats/shape-outside-inset-round-calc-crash-expected.txt: Added.
+        * fast/shapes/shape-outside-floats/shape-outside-inset-round-calc-crash.html: Added.
+
 2014-04-03  Javier Fernandez  <jfernandez@igalia.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2014-04-03  Bem Jones-Bey  <bjonesbe@adobe.com>
+
+        [CSS Shapes] CRASH with calc() value args in inset round
+        https://bugs.webkit.org/show_bug.cgi?id=129816
+
+        Reviewed by Andreas Kling.
+
+        The code to parse the inset rounded corners was adding the parser
+        value arguments to a temporary CSSParserValueList. Unfortunately,
+        CSSParserValueList expects to own the values it contains, and it frees
+        the values it contains when the list is destroyed. This was a problem
+        because the values are owned by the CSSParserValueList passed in to
+        parseInsetRoundedCorners, and thus the calc's argument list would get
+        double freed, resulting in a crash. This patch fixes this by using a
+        Vector to hold the pointers instead.
+
+        Test: fast/shapes/shape-outside-floats/shape-outside-inset-round-calc-crash.html
+
+        * css/CSSParser.cpp:
+        (WebCore::CSSParser::parseInsetRoundedCorners):
+
 2014-04-03  Jer Noble  <jer.noble@apple.com>
 

trunk/Source/WebCore/css/CSSParser.cpp

@@ -5348 +5348 @@
         return nullptr;
 
-    std::unique_ptr<CSSParserValueList> radiusArguments(new CSSParserValueList);
+    Vector<CSSParserValue*> radiusArguments;
     while (argument) {
-        radiusArguments->addValue(*argument);
+        radiusArguments.append(argument);
         argument = args->next();
     }
 
-    unsigned num = radiusArguments->size();
+    unsigned num = radiusArguments.size();
     if (!num || num > 9)
         return nullptr;
@@ -5362 +5362 @@
     unsigned indexAfterSlash = 0;
     for (unsigned i = 0; i < num; ++i) {
-        CSSParserValue* value = radiusArguments->valueAt(i);
+        CSSParserValue* value = radiusArguments.at(i);
         if (value->unit == CSSParserValue::Operator) {
             if (value->iValue != '/')