Changeset 196738 in webkit
Timestamp: Feb 17, 2016 6:13:37 PM
Author: dino@apple.com
Message:

WebKitCSSMatrix transformList with calculated relative length crashes Safari.
https://bugs.webkit.org/show_bug.cgi?id=153333
<rdar://problem/17198383>

Reviewed by Simon Fraser.

Source/WebCore:

WebKitCSSMatrix objects should fail to construct when not
using absolute lengths.

Updated existing tests:
  - transforms/cssmatrix-2d-interface.xhtml
  - transforms/cssmatrix-3d-interface.xhtml

  • css/StyleBuilderConverter.h:
    (WebCore::StyleBuilderConverter::convertTransform): Tell transformsForValue
    that we don't require absolute lengths.
  • css/TransformFunctions.cpp:
    (WebCore::convertToFloatLength): Add an optional parameter that will
    cause the conversion to fail if the primitive value has a non-absolute
    length.
    (WebCore::transformsForValue): Pass the parameter for requiring an
    absolute length on to convertToFloatLength when necessary.
  • css/TransformFunctions.h:
  • css/WebKitCSSMatrix.cpp:
    (WebCore::WebKitCSSMatrix::setMatrixValue): In this case we do
    require all transform strings to have absolute lengths, not ones
    that depend on the font size or are calculated.

LayoutTests:

Update existing tests to exercise the non-absolute lengths for translation
and perspective functions.

  • transforms/cssmatrix-2d-interface-expected.txt:
  • transforms/cssmatrix-2d-interface.xhtml:
  • transforms/cssmatrix-3d-interface-expected.txt:
  • transforms/cssmatrix-3d-interface.xhtml:
Location: trunk
Files: 10 edited

  • trunk/LayoutTests/ChangeLog

    r196734 r196738  
     12016-02-17  Dean Jackson  <dino@apple.com>
     2
     3        WebKitCSSMatrix transformList with calculated relative length crashes Safari.
     4        https://bugs.webkit.org/show_bug.cgi?id=153333
     5        <rdar://problem/17198383>
     6
     7        Reviewed by Simon Fraser.
     8
     9        Update existing tests to exercise the non-absolute lengths for translation
     10        and perspective functions.
     11
     12        * transforms/cssmatrix-2d-interface-expected.txt:
     13        * transforms/cssmatrix-2d-interface.xhtml:
     14        * transforms/cssmatrix-3d-interface-expected.txt:
     15        * transforms/cssmatrix-3d-interface.xhtml:
     16
    1172016-02-17  Keith Miller  <keith_miller@apple.com>
    218
  • trunk/LayoutTests/transforms/cssmatrix-2d-interface-expected.txt

    r134859 r196738  
    2323PASS a3[1] is ""
    2424
    25 Test bad input to string constructor
     25Test bad input to constructor
    2626PASS new WebKitCSSMatrix("banana") threw exception Error: SyntaxError: DOM Exception 12.
     27PASS new WebKitCSSMatrix("translate(1em)") threw exception Error: SyntaxError: DOM Exception 12.
     28PASS new WebKitCSSMatrix("translate(10px, 1em)") threw exception Error: SyntaxError: DOM Exception 12.
     29PASS new WebKitCSSMatrix("translate(10px, calc(10px))") threw exception Error: SyntaxError: DOM Exception 12.
     30PASS new WebKitCSSMatrix("translate(1ex)") threw exception Error: SyntaxError: DOM Exception 12.
     31PASS new WebKitCSSMatrix("translate(1%)") threw exception Error: SyntaxError: DOM Exception 12.
     32PASS new WebKitCSSMatrix("translatex(1em)") threw exception Error: SyntaxError: DOM Exception 12.
     33PASS new WebKitCSSMatrix("translatex(calc(10px))") threw exception Error: SyntaxError: DOM Exception 12.
     34PASS new WebKitCSSMatrix("translatey(1em)") threw exception Error: SyntaxError: DOM Exception 12.
     35PASS new WebKitCSSMatrix("translatey(calc(10px))") threw exception Error: SyntaxError: DOM Exception 12.
    2736
    2837Test attributes on default matrix
  • trunk/LayoutTests/transforms/cssmatrix-2d-interface.xhtml

    r155285 r196738  
    4141
    4242debug("");
    43 debug("Test bad input to string constructor");
     43debug("Test bad input to constructor");
    4444shouldThrow('new WebKitCSSMatrix("banana")');
     45shouldThrow('new WebKitCSSMatrix("translate(1em)")');
     46shouldThrow('new WebKitCSSMatrix("translate(10px, 1em)")');
     47shouldThrow('new WebKitCSSMatrix("translate(10px, calc(10px))")');
     48shouldThrow('new WebKitCSSMatrix("translate(1ex)")');
     49shouldThrow('new WebKitCSSMatrix("translate(1%)")');
     50shouldThrow('new WebKitCSSMatrix("translatex(1em)")');
     51shouldThrow('new WebKitCSSMatrix("translatex(calc(10px))")');
     52shouldThrow('new WebKitCSSMatrix("translatey(1em)")');
     53shouldThrow('new WebKitCSSMatrix("translatey(calc(10px))")');
    4554
    4655debug("");
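Review bot: every new shouldThrow case in this hunk is a negative test; a positive control right beside them, e.g. `shouldNotThrow('new WebKitCSSMatrix("translate(10px, 10pt)")')`, would make it clear the rejection is unit-specific rather than the constructor throwing for every translate() string, which is the regression these lines would otherwise fail to catch. The units covered are em, ex, % and calc(); since the rejection in convertToFloatLength is driven by isFontIndependentLength() rather than by a font-size test, adding a rem, ch or vw case would document that those units are refused as well.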
  • trunk/LayoutTests/transforms/cssmatrix-3d-interface-expected.txt

    r134859 r196738  
    2929PASS a3[1] is ""
    3030
    31 Test bad input to string constructor
     31Test bad input to constructor
    3232PASS new WebKitCSSMatrix("banana") threw exception Error: SyntaxError: DOM Exception 12.
     33PASS new WebKitCSSMatrix("translate3d(1em, 0, 0)") threw exception Error: SyntaxError: DOM Exception 12.
     34PASS new WebKitCSSMatrix("translate3d(10px, 1em, 0)") threw exception Error: SyntaxError: DOM Exception 12.
     35PASS new WebKitCSSMatrix("translate3d(10px, 10px, calc(10px))") threw exception Error: SyntaxError: DOM Exception 12.
     36PASS new WebKitCSSMatrix("translate3d(calc(10px), 10px, 10px)") threw exception Error: SyntaxError: DOM Exception 12.
     37PASS new WebKitCSSMatrix("translate3d(10px, calc(10px), 10px)") threw exception Error: SyntaxError: DOM Exception 12.
     38PASS new WebKitCSSMatrix("translate3d(1ex, 0, 0)") threw exception Error: SyntaxError: DOM Exception 12.
     39PASS new WebKitCSSMatrix("translatez(1em)") threw exception Error: SyntaxError: DOM Exception 12.
     40PASS new WebKitCSSMatrix("translatez(calc(10px))") threw exception Error: SyntaxError: DOM Exception 12.
     41PASS new WebKitCSSMatrix("translate(1%, 0, 0)") threw exception Error: SyntaxError: DOM Exception 12.
     42PASS new WebKitCSSMatrix("perspective(1em)") threw exception Error: SyntaxError: DOM Exception 12.
     43PASS new WebKitCSSMatrix("perspective(calc(10px))") threw exception Error: SyntaxError: DOM Exception 12.
     44PASS new WebKitCSSMatrix("perspective(1ex)") threw exception Error: SyntaxError: DOM Exception 12.
     45PASS new WebKitCSSMatrix("perspective(1%)") threw exception Error: SyntaxError: DOM Exception 12.
    3346
    3447Test attributes on default matrix
  • trunk/LayoutTests/transforms/cssmatrix-3d-interface.xhtml

    r155285 r196738  
    6060
    6161debug("");
    62 debug("Test bad input to string constructor");
     62debug("Test bad input to constructor");
    6363shouldThrow('new WebKitCSSMatrix("banana")');
     64shouldThrow('new WebKitCSSMatrix("translate3d(1em, 0, 0)")');
     65shouldThrow('new WebKitCSSMatrix("translate3d(10px, 1em, 0)")');
     66shouldThrow('new WebKitCSSMatrix("translate3d(10px, 10px, calc(10px))")');
     67shouldThrow('new WebKitCSSMatrix("translate3d(calc(10px), 10px, 10px)")');
     68shouldThrow('new WebKitCSSMatrix("translate3d(10px, calc(10px), 10px)")');
     69shouldThrow('new WebKitCSSMatrix("translate3d(1ex, 0, 0)")');
     70shouldThrow('new WebKitCSSMatrix("translatez(1em)")');
     71shouldThrow('new WebKitCSSMatrix("translatez(calc(10px))")');
     72shouldThrow('new WebKitCSSMatrix("translate(1%, 0, 0)")');
     73shouldThrow('new WebKitCSSMatrix("perspective(1em)")');
     74shouldThrow('new WebKitCSSMatrix("perspective(calc(10px))")');
     75shouldThrow('new WebKitCSSMatrix("perspective(1ex)")');
     76shouldThrow('new WebKitCSSMatrix("perspective(1%)")');
    6477
    6578debug("");
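Review bot: `translate(1%, 0, 0)` passes three arguments to the two-argument translate() function, so it is rejected at parse time regardless of units and never reaches the new absolute-length check; it should read `translate3d(1%, 0, 0)` to match the other cases in this hunk, and the corresponding line in cssmatrix-3d-interface-expected.txt must change with it. `perspective(1%)` is questionable for the same reason: perspective() does not take a percentage in CSS, so that case may be failing in the parser rather than in convertToFloatLength, and it would be worth confirming which path produces the SyntaxError.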
  • trunk/Source/WebCore/ChangeLog

    r196737 r196738  
     12016-02-17  Dean Jackson  <dino@apple.com>
     2
     3        WebKitCSSMatrix transformList with calculated relative length crashes Safari.
     4        https://bugs.webkit.org/show_bug.cgi?id=153333
     5        <rdar://problem/17198383>
     6
     7        Reviewed by Simon Fraser.
     8
     9        WebKitCSSMatrix objects should fail to construct when not
     10        using absolute lengths.
     11
     12        Updated existing tests:
     13        - transforms/cssmatrix-2d-interface.xhtml
     14        - transforms/cssmatrix-3d-interface.xhtml
     15
     16        * css/StyleBuilderConverter.h:
     17        (WebCore::StyleBuilderConverter::convertTransform): Tell transformsForValue
     18        that we don't require absolute lengths.
     19        * css/TransformFunctions.cpp:
     20        (WebCore::convertToFloatLength): Add an optional parameter that will
     21        cause the conversion to fail if the primitive value has a non-absolute
     22        length.
     23        (WebCore::transformsForValue): Pass the parameter for requiring an
     24        absolute length on to convertToFloatLength when necessary.
     25        * css/TransformFunctions.h:
     26        * css/WebKitCSSMatrix.cpp:
     27        (WebCore::WebKitCSSMatrix::setMatrixValue): In this case we do
     28        require all transform strings to have absolute lengths, not ones
     29        that depend on the font size or are calculated.
     30
    1312016-02-17  Commit Queue  <commit-queue@webkit.org>
    232
  • trunk/Source/WebCore/css/StyleBuilderConverter.h

    r196691 r196738  
    356356{
    357357    TransformOperations operations;
    358     transformsForValue(value, styleResolver.state().cssToLengthConversionData(), operations);
     358    transformsForValue(value, styleResolver.state().cssToLengthConversionData(), TransformConversion::Auto, operations);
    359359    return operations;
    360360}
  • trunk/Source/WebCore/css/TransformFunctions.cpp

    r187659 r196738  
    7777}
    7878
    79 Length convertToFloatLength(const CSSPrimitiveValue* primitiveValue, const CSSToLengthConversionData& conversionData)
     79Length convertToFloatLength(const CSSPrimitiveValue* primitiveValue, const CSSToLengthConversionData& conversionData, TransformConversion transformConversion)
    8080{
    81     return primitiveValue ? primitiveValue->convertToLength<FixedFloatConversion | PercentConversion | CalculatedConversion>(conversionData) : Length(Undefined);
     81    if (transformConversion == TransformConversion::RequiresAbsoluteLength && !primitiveValue->isFontIndependentLength())
     82        return Length(Undefined);
     83    return primitiveValue ? primitiveValue->convertToLength<FixedFloatConversion | PercentConversion>(conversionData) : Length(Undefined);
    8284}
    8385
    84 bool transformsForValue(CSSValue& value, const CSSToLengthConversionData& conversionData, TransformOperations& outOperations)
     86bool transformsForValue(CSSValue& value, const CSSToLengthConversionData& conversionData, TransformConversion transformConversion, TransformOperations& outOperations)
    8587{
    8688    if (!is<CSSValueList>(value)) {
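Review bot: the new RequiresAbsoluteLength test calls `primitiveValue->isFontIndependentLength()` before the `primitiveValue ? ... : Length(Undefined)` null guard on the following line runs, so with a null pointer this mode crashes where the old code returned Undefined; either hoist `if (!primitiveValue) return Length(Undefined);` above the check or drop the now-misleading ternary. Separately, CalculatedConversion has been removed from the convertToLength template for both modes, not only RequiresAbsoluteLength, so transformsForValue called with TransformConversion::Auto from style resolution also stops producing a Length for calc() values; if that is intended it belongs in the ChangeLog, which only describes the WebKitCSSMatrix case, and if not, the Auto path should keep `FixedFloatConversion | PercentConversion | CalculatedConversion`.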
     
    163165            Length ty = Length(0, Fixed);
    164166            if (transformValue.operationType() == WebKitCSSTransformValue::TranslateYTransformOperation)
    165                 ty = convertToFloatLength(&firstValue, conversionData);
    166             else {
    167                 tx = convertToFloatLength(&firstValue, conversionData);
     167                ty = convertToFloatLength(&firstValue, conversionData, transformConversion);
     168            else {
     169                tx = convertToFloatLength(&firstValue, conversionData, transformConversion);
    168170                if (transformValue.operationType() != WebKitCSSTransformValue::TranslateXTransformOperation) {
    169171                    if (transformValue.length() > 1) {
    170172                        CSSPrimitiveValue& secondValue = downcast<CSSPrimitiveValue>(*transformValue.itemWithoutBoundsCheck(1));
    171                         ty = convertToFloatLength(&secondValue, conversionData);
     173                        ty = convertToFloatLength(&secondValue, conversionData, transformConversion);
    172174                    }
    173175                }
     
    186188            Length tz = Length(0, Fixed);
    187189            if (transformValue.operationType() == WebKitCSSTransformValue::TranslateZTransformOperation)
    188                 tz = convertToFloatLength(&firstValue, conversionData);
     190                tz = convertToFloatLength(&firstValue, conversionData, transformConversion);
    189191            else if (transformValue.operationType() == WebKitCSSTransformValue::TranslateYTransformOperation)
    190                 ty = convertToFloatLength(&firstValue, conversionData);
    191             else {
    192                 tx = convertToFloatLength(&firstValue, conversionData);
     192                ty = convertToFloatLength(&firstValue, conversionData, transformConversion);
     193            else {
     194                tx = convertToFloatLength(&firstValue, conversionData, transformConversion);
    193195                if (transformValue.operationType() != WebKitCSSTransformValue::TranslateXTransformOperation) {
    194196                    if (transformValue.length() > 2) {
    195197                        CSSPrimitiveValue& thirdValue = downcast<CSSPrimitiveValue>(*transformValue.itemWithoutBoundsCheck(2));
    196                         tz = convertToFloatLength(&thirdValue, conversionData);
    197                     }
    198                     if (transformValue.length() > 1) {
    199                         CSSPrimitiveValue& secondValue = downcast<CSSPrimitiveValue>(*transformValue.itemWithoutBoundsCheck(1));
    200                         ty = convertToFloatLength(&secondValue, conversionData);
     198                        tz = convertToFloatLength(&thirdValue, conversionData, transformConversion);
     199                    }
     200                    if (transformValue.length() > 1) {
     201                        CSSPrimitiveValue& secondValue = downcast<CSSPrimitiveValue>(*transformValue.itemWithoutBoundsCheck(1));
     202                        ty = convertToFloatLength(&secondValue, conversionData, transformConversion);
    201203                    }
    202204                }
     
    301303            Length p = Length(0, Fixed);
    302304            if (firstValue.isLength())
    303                 p = convertToFloatLength(&firstValue, conversionData);
     305                p = convertToFloatLength(&firstValue, conversionData, transformConversion);
    304306            else {
    305307                // This is a quirk that should go away when 3d transforms are finalized.
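Review bot: whether `perspective(calc(10px))` is rejected here depends on `firstValue.isLength()` being true for a length-category calc() so that the value reaches convertToFloatLength, where isFontIndependentLength() fails it; if it instead took the quirk branch below, the new check would never see it. cssmatrix-3d-interface-expected.txt relies on this, so a comment on the isLength() test stating that calc() lengths take this branch would help the next reader, and a test with a unitless or negative perspective value in the matrix constructor would pin down the quirk path as well.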
  • trunk/Source/WebCore/css/TransformFunctions.h

    r187659 r196738  
    4343struct Length;
    4444
    45 bool transformsForValue(CSSValue&, const CSSToLengthConversionData&, TransformOperations&);
    46 Length convertToFloatLength(const CSSPrimitiveValue*, const CSSToLengthConversionData&);
     45enum class TransformConversion {
     46    Auto,
     47    RequiresAbsoluteLength
     48};
     49
     50bool transformsForValue(CSSValue&, const CSSToLengthConversionData&, TransformConversion transformConversion, TransformOperations&);
     51Length convertToFloatLength(const CSSPrimitiveValue*, const CSSToLengthConversionData&, TransformConversion transformConversion = TransformConversion::Auto);
    4752
    4853}
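Review bot: style nit: the other parameters of transformsForValue and convertToFloatLength in this header are unnamed, but the new one is declared as `TransformConversion transformConversion`; drop the name for consistency with the surrounding declarations. Giving convertToFloatLength a default of TransformConversion::Auto while transformsForValue has none is the right split, since every transformsForValue caller must now choose explicitly, but a one-line comment on the enum spelling out what RequiresAbsoluteLength refuses would help: the tests show percentages are rejected alongside font-relative and calc() lengths, while the ChangeLog mentions only the latter two.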
  • trunk/Source/WebCore/css/WebKitCSSMatrix.cpp

    r192900 r196738  
    6868
    6969        TransformOperations operations;
    70         if (!transformsForValue(*value, CSSToLengthConversionData(), operations)) {
     70        if (!transformsForValue(*value, CSSToLengthConversionData(), TransformConversion::RequiresAbsoluteLength, operations)) {
    7171            ec = SYNTAX_ERR;
    7272            return;
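Review bot: a short comment at this call site explaining why RequiresAbsoluteLength is mandatory would save the next reader a trip through TransformFunctions.cpp: the CSSToLengthConversionData() passed here is default-constructed, so there is nothing to resolve em, ex, % or calc() lengths against, and mapping that failure to SYNTAX_ERR is the intended contract. It is also worth checking that no other caller of transformsForValue passes an empty CSSToLengthConversionData with TransformConversion::Auto; StyleBuilderConverter, the only other caller touched here, passes Auto together with real conversion data from the style resolver.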