Changeset 36046 in webkit

Timestamp:

Sep 2, 2008 11:12:30 PM (16 years ago)

Author:

mrowe@apple.com

Message:

2008-09-02 Glenn Wilson <​wilsong@gmail.com>

Reviewed by Eric Seidel.

Fix ​https://bugs.webkit.org/show_bug.cgi?id=20397
Bug 20397: Invalid webkit-border-bottom-left-radius property causes crash

The function checkForOrphanedUnits() would change the length of a list whose size was
was already determined before the call to checkForOrphanedUnits was made. Later in
the caller, the old size was being used for boundary management.

This has been fixed by moving the call to checkForOrphanedUnits() earlier in the
calling function, before the size of the list is determined.

Test: fast/css/orphaned_units_crash.html

• css/CSSParser.cpp: (WebCore::CSSParser::parseValue): Moved call to checkForOrphanedUnits() earlier in the function.

2008-09-02 Glenn Wilson <​wilsong@gmail.com>

Reviewed by Eric Seidel.

Tests for ​https://bugs.webkit.org/show_bug.cgi?id=20397
Bug 20397: Invalid webkit-border-bottom-left-radius property causes crash

Added new tests to check whether an orphaned unit identifier in particular
CSS attributes will crash the browser.

• fast/css/orphaned_units_crash-expected.txt: Added.
• fast/css/orphaned_units_crash.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/css/orphaned_units_crash-expected.txt (added)
• LayoutTests/fast/css/orphaned_units_crash.html (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/css/CSSParser.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2008-09-02  Glenn Wilson  <wilsong@gmail.com>
+
+        Reviewed by Eric Seidel.
+
+        Tests for https://bugs.webkit.org/show_bug.cgi?id=20397
+        Bug 20397: Invalid webkit-border-bottom-left-radius property causes crash
+
+        Added new tests to check whether an orphaned unit identifier in particular
+        CSS attributes will crash the browser.
+
+        * fast/css/orphaned_units_crash-expected.txt: Added.
+        * fast/css/orphaned_units_crash.html: Added.
+
 2008-09-02  Dirk Schulze  <vbs85@gmx.de>
 

trunk/WebCore/ChangeLog

@@ +1 @@
+2008-09-02  Glenn Wilson  <wilsong@gmail.com>
+
+        Reviewed by Eric Seidel.
+
+        Fix https://bugs.webkit.org/show_bug.cgi?id=20397
+        Bug 20397: Invalid webkit-border-bottom-left-radius property causes crash
+
+        The function checkForOrphanedUnits() would change the length of a list whose size was
+        was already determined before the call to checkForOrphanedUnits was made.  Later in
+        the caller, the old size was being used for boundary management.
+
+        This has been fixed by moving the call to checkForOrphanedUnits() earlier in the
+        calling function, before the size of the list is determined.
+
+        Test: fast/css/orphaned_units_crash.html
+
+        * css/CSSParser.cpp:
+        (WebCore::CSSParser::parseValue):  Moved call to checkForOrphanedUnits() earlier in the function.
+
 2008-09-02  Dirk Schulze  <vbs85@gmx.de>
 

trunk/WebCore/css/CSSParser.cpp

@@ -531 +531 @@
     int id = value->id;
 
+    // In quirks mode, we will look for units that have been incorrectly separated from the number they belong to
+    // by a space.  We go ahead and associate the unit with the number even though it is invalid CSS.
+    checkForOrphanedUnits();
+    
     int num = inShorthand() ? 1 : m_valueList->size();
 
@@ -556 +560 @@
     bool valid_primitive = false;
     RefPtr<CSSValue> parsedValue;
-
-    // In quirks mode, we will look for units that have been incorrectly separated from the number they belong to
-    // by a space.  We go ahead and associate the unit with the number even though it is invalid CSS.
-    checkForOrphanedUnits();
 
     switch (static_cast<CSSPropertyID>(propId)) {