Context Navigation

← Previous Changeset
Next Changeset →

Changeset 258625 in webkit

Timestamp:

Mar 17, 2020 10:47:14 PM (4 years ago)

Author:

commit-queue@webkit.org

Message:

Crash in CSSPrimitiveValue::cleanup
https://bugs.webkit.org/show_bug.cgi?id=208316

Patch by Pinki Gyanchandani <pgyanchandani@apple.com> on 2020-03-17
Reviewed by Ryosuke Niwa.

Source/WebCore:

Added a NULL check before calling deref() for CSSUnitType :: CSS_CALC.

During initialization of CSSCalcValue, createCSS returns nullptr when processing min() operator
and there is a category mismatch between length and percent for min() operator
as seen in this newly added test case.

Test: editing/execCommand/primitive-value-cleanup-minimal.html

css/CSSPrimitiveValue.cpp:

(WebCore::CSSPrimitiveValue::cleanup):

LayoutTests:

Added modified version of testcase attached in 208316. Minimized version provided by Ryosuke Niwa.

editing/execCommand/primitive-value-cleanup-minimal-expected.txt: Added.
editing/execCommand/primitive-value-cleanup-minimal.html: Added.

Location:

trunk

Files:

: 2 added
: 3 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/editing/execCommand/primitive-value-cleanup-minimal-expected.txt (added)
LayoutTests/editing/execCommand/primitive-value-cleanup-minimal.html (added)
Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/css/CSSPrimitiveValue.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r258619
+                      r258625
+-03-17  Pinki Gyanchandani  <pgyanchandani@apple.com>
+        Crash in CSSPrimitiveValue::cleanup
+        https://bugs.webkit.org/show_bug.cgi?id=208316
+        Reviewed by Ryosuke Niwa.
+        Added modified version of testcase attached in 208316. Minimized version provided by Ryosuke Niwa.
+        * editing/execCommand/primitive-value-cleanup-minimal-expected.txt: Added.
+        * editing/execCommand/primitive-value-cleanup-minimal.html: Added.
 -03-17  Lauro Moura  <lmoura@igalia.com>

trunk/Source/WebCore/ChangeLog

-                      r258614
+                      r258625
+-03-17  Pinki Gyanchandani  <pgyanchandani@apple.com>
+        Crash in CSSPrimitiveValue::cleanup
+        https://bugs.webkit.org/show_bug.cgi?id=208316
+        Reviewed by Ryosuke Niwa.
+        Added a NULL check before calling deref() for CSSUnitType :: CSS_CALC.
+        During initialization of CSSCalcValue, createCSS returns nullptr when processing min() operator
+        and there is a category mismatch between length and percent for min() operator
+        as seen in this newly added test case.
+        Test: editing/execCommand/primitive-value-cleanup-minimal.html
+        * css/CSSPrimitiveValue.cpp:
+        (WebCore::CSSPrimitiveValue::cleanup):
 -03-17  Fujii Hironori  <Hironori.Fujii@sony.com>

trunk/Source/WebCore/css/CSSPrimitiveValue.cpp

-                      r256494
+                      r258625
         break;
     case CSSUnitType::CSS_CALC:
+        m_value.calc->deref();
+        if (m_value.calc)
+            m_value.calc->deref();
         break;
     case CSSUnitType::CSS_CALC_PERCENTAGE_WITH_NUMBER:

Note: See TracChangeset for help on using the changeset viewer.