Changeset 86771 in webkit

Timestamp:

May 18, 2011 9:08:39 AM (13 years ago)

Author:

rwlbuis@webkit.org

Message:

2011-05-18 Rob Buis <​rbuis@rim.com>

Reviewed by Nikolas Zimmermann.

NULL deref when SVG elements have table styles
​https://bugs.webkit.org/show_bug.cgi?id=45561

Restrict computed CSS values for SVG display property to block, inline or none.

Tests: svg/custom/display-table-caption-foreignObject.svg

svg/custom/display-table-caption-inherit-foreignObject.xhtml
svg/custom/display-table-caption-inherit-text.xhtml
svg/custom/display-table-caption-text.svg

• css/CSSStyleSelector.cpp: (WebCore::SVGDisplayPropertyGuard::SVGDisplayPropertyGuard): (WebCore::SVGDisplayPropertyGuard::~SVGDisplayPropertyGuard): (WebCore::isAcceptableForSVGElement): (WebCore::CSSStyleSelector::applyProperty):

2011-05-18 Rob Buis <​rbuis@rim.com>

Reviewed by Nikolas Zimmermann.

NULL deref when SVG elements have table styles
​https://bugs.webkit.org/show_bug.cgi?id=45561

• svg/custom/display-table-caption-foreignObject-expected.txt: Added.
• svg/custom/display-table-caption-foreignObject.svg: Added.
• svg/custom/display-table-caption-inherit-foreignObject-expected.txt: Added.
• svg/custom/display-table-caption-inherit-foreignObject.xhtml: Added.
• svg/custom/display-table-caption-inherit-text-expected.txt: Added.
• svg/custom/display-table-caption-inherit-text.xhtml: Added.
• svg/custom/display-table-caption-text-expected.txt: Added.
• svg/custom/display-table-caption-text.svg: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/svg/custom/display-table-caption-foreignObject-expected.txt (added)
• LayoutTests/svg/custom/display-table-caption-foreignObject.svg (added)
• LayoutTests/svg/custom/display-table-caption-inherit-foreignObject-expected.txt (added)
• LayoutTests/svg/custom/display-table-caption-inherit-foreignObject.xhtml (added)
• LayoutTests/svg/custom/display-table-caption-inherit-text-expected.txt (added)
• LayoutTests/svg/custom/display-table-caption-inherit-text.xhtml (added)
• LayoutTests/svg/custom/display-table-caption-text-expected.txt (added)
• LayoutTests/svg/custom/display-table-caption-text.svg (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/css/CSSStyleSelector.cpp (modified) (4 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-05-18  Rob Buis  <rbuis@rim.com>
+
+        Reviewed by Nikolas Zimmermann.
+
+        NULL deref when SVG elements have table styles 
+        https://bugs.webkit.org/show_bug.cgi?id=45561
+
+        * svg/custom/display-table-caption-foreignObject-expected.txt: Added.
+        * svg/custom/display-table-caption-foreignObject.svg: Added.
+        * svg/custom/display-table-caption-inherit-foreignObject-expected.txt: Added.
+        * svg/custom/display-table-caption-inherit-foreignObject.xhtml: Added.
+        * svg/custom/display-table-caption-inherit-text-expected.txt: Added.
+        * svg/custom/display-table-caption-inherit-text.xhtml: Added.
+        * svg/custom/display-table-caption-text-expected.txt: Added.
+        * svg/custom/display-table-caption-text.svg: Added.
+
 2011-05-18  Adam Roben  <aroben@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-05-18  Rob Buis  <rbuis@rim.com>
+
+        Reviewed by Nikolas Zimmermann.
+
+        NULL deref when SVG elements have table styles 
+        https://bugs.webkit.org/show_bug.cgi?id=45561
+
+        Restrict computed CSS values for SVG display property to block, inline or none.
+
+        Tests: svg/custom/display-table-caption-foreignObject.svg
+               svg/custom/display-table-caption-inherit-foreignObject.xhtml
+               svg/custom/display-table-caption-inherit-text.xhtml
+               svg/custom/display-table-caption-text.svg
+
+        * css/CSSStyleSelector.cpp:
+        (WebCore::SVGDisplayPropertyGuard::SVGDisplayPropertyGuard):
+        (WebCore::SVGDisplayPropertyGuard::~SVGDisplayPropertyGuard):
+        (WebCore::isAcceptableForSVGElement):
+        (WebCore::CSSStyleSelector::applyProperty):
+
 2011-05-18  Pavel Feldman  <pfeldman@google.com>
 

trunk/Source/WebCore/css/CSSStyleSelector.cpp

@@ -8 +8 @@
  * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.torchmobile.com/)
  * Copyright (c) 2011, Code Aurora Forum. All rights reserved.
+ * Copyright (C) Research In Motion Limited 2011. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
@@ -3541 +3542 @@
 }
 
+class SVGDisplayPropertyGuard {
+    WTF_MAKE_NONCOPYABLE(SVGDisplayPropertyGuard);
+public:
+    SVGDisplayPropertyGuard(Element*, RenderStyle*);
+    ~SVGDisplayPropertyGuard();
+private:
+#if ENABLE(SVG)
+    RenderStyle* m_style;
+    EDisplay m_originalDisplayPropertyValue;
+#endif
+};
+
+#if !ENABLE(SVG)
+inline SVGDisplayPropertyGuard::SVGDisplayPropertyGuard(Element*, RenderStyle*)
+{
+}
+
+inline SVGDisplayPropertyGuard::~SVGDisplayPropertyGuard()
+{
+}
+#else
+static inline bool isAcceptableForSVGElement(EDisplay displayPropertyValue)
+{
+    return displayPropertyValue == INLINE || displayPropertyValue == BLOCK || displayPropertyValue == NONE;
+}
+
+inline SVGDisplayPropertyGuard::SVGDisplayPropertyGuard(Element* element, RenderStyle* style)
+{
+    if (!(element && element->isSVGElement() && style->styleType() == NOPSEUDO)) {
+        m_originalDisplayPropertyValue = NONE;
+        m_style = 0;
+        return;
+    }
+    m_style = style;
+    m_originalDisplayPropertyValue = style->display();
+    ASSERT(isAcceptableForSVGElement(m_originalDisplayPropertyValue));
+}
+
+inline SVGDisplayPropertyGuard::~SVGDisplayPropertyGuard()
+{
+    if (!m_style || isAcceptableForSVGElement(m_style->display()))
+        return;
+    m_style->setDisplay(m_originalDisplayPropertyValue);
+}
+#endif
+
+
 // SVG handles zooming in a different way compared to CSS. The whole document is scaled instead
 // of each individual length value in the render style / tree. CSSPrimitiveValue::computeLength*()
@@ -3612 +3660 @@
         HANDLE_INHERIT_AND_INITIAL_AND_PRIMITIVE(clear, Clear)
         return;
-    case CSSPropertyDisplay:
+    case CSSPropertyDisplay: {
+        SVGDisplayPropertyGuard guard(m_element, m_style.get());
         HANDLE_INHERIT_AND_INITIAL_AND_PRIMITIVE(display, Display)
 #if ENABLE(WCSS)
@@ -3630 +3679 @@
 #endif
         return;
+    }
     case CSSPropertyEmptyCells:
         HANDLE_INHERIT_AND_INITIAL_AND_PRIMITIVE(emptyCells, EmptyCells)