    Null-pointer dereference in WebCore::CSSValue::isPrimitiveValue · 93a7060d
    svillar@igalia.com authored
    https://bugs.webkit.org/show_bug.cgi?id=124769
    
    Reviewed by Andreas Kling.
    
    Source/WebCore:
    
    Test: fast/gradients/crash-on-no-position-separator.html
    
    The function parseFillPosition() may not return valid values for
    centerX and centerY if the input data is malformed. We need to
    check that we get a valid pair of positions before checking that
    they're actually valid primitive values in the assertions.
    
    * css/CSSParser.cpp:
    (WebCore::CSSParser::parseRadialGradient):
    
    LayoutTests:
    
    Checks that invalid position declarations (like skipping the comma
    separator) do not make the engine crash.
    
    * fast/gradients/crash-on-no-position-separator-expected.txt: Added.
    * fast/gradients/crash-on-no-position-separator.html: Added.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@162344 268f45cc-cd09-0410-ab3c-d52691b4dbfc
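The guard the commit message describes, as an added example that is not WebKit's code: a simplified model in which parseFillPosition() leaves centerX and centerY null on malformed input and parseRadialGradient() checks for that before asserting isPrimitiveValue(). The CSSValue struct, the token vector and the percentage-only position grammar are constructed stand-ins, not WebCore's types.

```cpp
#include <cassert>
#include <memory>
#include <string>
#include <vector>

// Constructed stand-in for WebCore::CSSValue: only the predicate the
// assertions in the commit message rely on.
struct CSSValue {
    std::string text;
    bool isPrimitiveValue() const { return !text.empty() && text.back() == '%'; }
};
using CSSValuePtr = std::shared_ptr<CSSValue>;

// Constructed stand-in for parseFillPosition(): consumes "<x> <y> ," at
// tokens[i]. On malformed input (a non-percentage where a position is expected,
// or a missing comma before the colour stops) it leaves centerX/centerY null.
static void parseFillPosition(const std::vector<std::string>& tokens, size_t& i,
                              CSSValuePtr& centerX, CSSValuePtr& centerY) {
    centerX.reset(); centerY.reset();
    auto isPercent = [](const std::string& t) { return !t.empty() && t.back() == '%'; };
    if (i + 2 >= tokens.size()) return;
    if (!isPercent(tokens[i]) || !isPercent(tokens[i + 1]) || tokens[i + 2] != ",") return;
    centerX = std::make_shared<CSSValue>(CSSValue{tokens[i]});
    centerY = std::make_shared<CSSValue>(CSSValue{tokens[i + 1]});
    i += 3;
}

// Simplified model of CSSParser::parseRadialGradient() after the fix: the
// null check runs before the assertions. Before the fix the two assert()
// lines ran unconditionally and dereferenced a null pointer on input such as
// "at 50% 50% red, blue" (the comma after the position is missing).
static bool parseRadialGradient(const std::vector<std::string>& tokens) {
    size_t i = 0;
    if (i >= tokens.size() || tokens[i] != "at") return false;
    ++i;
    CSSValuePtr centerX, centerY;
    parseFillPosition(tokens, i, centerX, centerY);
    if (!centerX || !centerY)       // the guard the commit adds
        return false;
    assert(centerX->isPrimitiveValue());
    assert(centerY->isPrimitiveValue());
    return i < tokens.size();       // colour stops must follow the position
}

int main() {
    assert(parseRadialGradient({"at", "50%", "50%", ",", "red", ",", "blue"}));
    assert(!parseRadialGradient({"at", "50%", "50%", "red", ",", "blue"}));
    return 0;
}
```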