Changeset 266989 in webkit


Timestamp:
Sep 12, 2020 11:39:34 PM (4 years ago)
Author:
commit-queue@webkit.org
Message:

Safely handle overly-long CSS variable values
https://bugs.webkit.org/show_bug.cgi?id=216407

Patch by Tyler Wilcock <Tyler Wilcock> on 2020-09-12
Reviewed by Darin Adler.

Source/WebCore:

Per spec, treat overly long CSS variable values as invalid.

https://drafts.csswg.org/css-variables/#long-variables

Test: fast/css/variables/invalidate-overly-long-variable-values.html

  • css/CSSVariableReferenceValue.cpp:

(WebCore::resolveVariableReference):
Return false for any variable values greater than maxSubstitutionTokens long.

  • css/CSSVariableReferenceValue.h:

Add maxSubstitutionTokens.

LayoutTests:

  • fast/css/variables/invalidate-overly-long-variable-values.html: Added.
  • fast/css/variables/invalidate-overly-long-variable-values-expected.html: Added.
Location:
trunk
Files:
2 added
4 edited

  • trunk/LayoutTests/ChangeLog

    r266988 r266989  
     12020-09-12  Tyler Wilcock <twilco.o@protonmail.com>
     2
     3        Safely handle overly-long CSS variable values
     4        https://bugs.webkit.org/show_bug.cgi?id=216407
     5
     6        Reviewed by Darin Adler.
     7
     8        * fast/css/variables/invalidate-overly-long-variable-values.html: Added.
     9        * fast/css/variables/invalidate-overly-long-variable-values-expected.html: Added.
     10
    1112020-09-12  Darin Adler  <darin@apple.com>
    212
  • trunk/Source/WebCore/ChangeLog

    r266987 r266989  
     12020-09-12  Tyler Wilcock  <twilco.o@protonmail.com>
     2
     3        Safely handle overly-long CSS variable values
     4        https://bugs.webkit.org/show_bug.cgi?id=216407
     5
     6        Reviewed by Darin Adler.
     7
     8        Per spec, treat overly long CSS variable values as invalid.
     9
     10        https://drafts.csswg.org/css-variables/#long-variables
     11
     12        Test: fast/css/variables/invalidate-overly-long-variable-values.html
     13
     14        * css/CSSVariableReferenceValue.cpp:
     15        (WebCore::resolveVariableReference):
     16        Return false for any variable values greater than `maxSubstitutionTokens` long.
     17        * css/CSSVariableReferenceValue.h:
     18        Add `maxSubstitutionTokens`.
     19
    1202020-09-12  Darin Adler  <darin@apple.com>
    221
  • trunk/Source/WebCore/css/CSSVariableReferenceValue.cpp

    r260340 r266989  
    103103
    104104    if (!property || property->isInvalid()) {
     105        if (fallbackResult.size() > CSSVariableReferenceValue::maxSubstitutionTokens)
     106            return false;
     107
    105108        if (fallbackReturn)
    106109            result.appendVector(fallbackResult);
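Review bot: the new check at line 105 only looks at `fallbackResult.size()` after the fallback has already been resolved into that vector, so it caps what gets appended to `result` but not the work or memory spent building an oversized fallback. It also runs before `fallbackReturn` is consulted, so the size of a fallback that would never be appended can still decide the return value. Consider moving the comparison under `if (fallbackReturn)` and adding a short comment that the limit is enforced at substitution time, after the fallback has been resolved.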
     
    109112
    110113    ASSERT(property->isResolved());
     114    if (property->tokens().size() > CSSVariableReferenceValue::maxSubstitutionTokens)
     115        return false;
     116
    111117    result.appendVector(property->tokens());
    112 
    113118    return true;
    114119}
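Review bot: the check at line 114 compares `property->tokens().size()` against the limit on its own, so each substitution is bounded but the size of `result` after `result.appendVector(property->tokens())` is not. A value with several references, each just under `maxSubstitutionTokens`, passes every check while `result` grows to a multiple of the limit. If the per-reference bound is the intended reading of the spec, a comment saying so here would help; otherwise compare `result.size() + property->tokens().size()` against the limit before appending.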
  • trunk/Source/WebCore/css/CSSVariableReferenceValue.h

    r259988 r266989  
    5050    RefPtr<CSSVariableData> resolveVariableReferences(Style::BuilderState&) const;
    5151
     52    // The maximum number of tokens that may be produced by a var()
     53    // reference or var() fallback value.
     54    // https://drafts.csswg.org/css-variables/#long-variables
     55    static constexpr size_t maxSubstitutionTokens = 65536;
     56
    5257private:
    5358    explicit CSSVariableReferenceValue(Ref<CSSVariableData>&&);
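Review bot: the comment on `maxSubstitutionTokens` links the spec section but does not say why 65536 was chosen or that the bound is inclusive (both call sites reject with `>`, so exactly 65536 tokens is still accepted). Please note the rationale for the value and the inclusive boundary in the comment, and make sure the layout test covers 65536 and 65537 tokens for both the reference path and the fallback path.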