Changeset 217227 in webkit

Timestamp:

May 22, 2017 11:16:18 AM (7 years ago)

Author:

Antti Koivisto

Message:

Crash in WebCore::StyleRuleKeyframes::findKeyframeIndex
​https://bugs.webkit.org/show_bug.cgi?id=170756
<rdar://problem/31573157>

Reviewed by Andreas Kling.

Source/WebCore:

Using a malformed key with CSSKeyframesRule.findRule crashes because
CSSParser::parseKeyframeKeyList returns null which is then dereferenced.

• css/CSSKeyframesRule.cpp:

(WebCore::StyleRuleKeyframes::findKeyframeIndex): Null test.

LayoutTests:

Expand the tests to cover the malformed key case.

• animations/keyframes-rule.html:
• animations/unprefixed-keyframes-rule.html:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/animations/keyframes-rule-expected.txt (modified) (1 diff)
• LayoutTests/animations/keyframes-rule.html (modified) (1 diff)
• LayoutTests/animations/unprefixed-keyframes-rule-expected.txt (modified) (1 diff)
• LayoutTests/animations/unprefixed-keyframes-rule.html (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/css/CSSKeyframesRule.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2017-05-22  Antti Koivisto  <antti@apple.com>
+
+        Crash in WebCore::StyleRuleKeyframes::findKeyframeIndex
+        https://bugs.webkit.org/show_bug.cgi?id=170756
+        <rdar://problem/31573157>
+
+        Reviewed by Andreas Kling.
+
+        Expand the tests to cover the malformed key case.
+
+        * animations/keyframes-rule.html:
+        * animations/unprefixed-keyframes-rule.html:
+
 2017-05-22  youenn fablet  <youenn@apple.com>
 

trunk/LayoutTests/animations/keyframes-rule-expected.txt

@@ -58 +58 @@
 PASS Non-existent rule was not found
 
+Try to find a rule using a malformed key
+PASS rule is null
+
 Delete a rule
 PASS rules2.length is 2

trunk/LayoutTests/animations/keyframes-rule.html

@@ -162 +162 @@
 
 debug("");
+debug("Try to find a rule using a malformed key");
+
+rule = keyframes2.findRule("1");
+
+shouldBe("rule", "null");
+
+debug("");
 debug("Delete a rule");
 

trunk/LayoutTests/animations/unprefixed-keyframes-rule-expected.txt

@@ -58 +58 @@
 PASS Non-existent rule was not found
 
+Try to find a rule using a malformed key
+PASS rule is null
+
 Delete a rule
 PASS rules2.length is 2

trunk/LayoutTests/animations/unprefixed-keyframes-rule.html

@@ -162 +162 @@
 
 debug("");
+debug("Try to find a rule using a malformed key");
+
+rule = keyframes2.findRule("1");
+
+shouldBe("rule", "null");
+
+debug("");
 debug("Delete a rule");
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-05-22  Antti Koivisto  <antti@apple.com>
+
+        Crash in WebCore::StyleRuleKeyframes::findKeyframeIndex
+        https://bugs.webkit.org/show_bug.cgi?id=170756
+        <rdar://problem/31573157>
+
+        Reviewed by Andreas Kling.
+
+        Using a malformed key with CSSKeyframesRule.findRule crashes because
+        CSSParser::parseKeyframeKeyList returns null which is then dereferenced.
+
+        * css/CSSKeyframesRule.cpp:
+        (WebCore::StyleRuleKeyframes::findKeyframeIndex): Null test.
+
 2017-05-22  Wenson Hsieh  <wenson_hsieh@apple.com>
 

trunk/Source/WebCore/css/CSSKeyframesRule.cpp

@@ -106 +106 @@
     auto keys = CSSParser::parseKeyframeKeyList(key);
 
+    if (!keys)
+        return notFound;
+
     for (size_t i = m_keyframes.size(); i--; ) {
         if (m_keyframes[i]->keys() == *keys)