Fix null pointer dereference when CSSParser::sinkFloatingValueList() returns null and is passed to storeVariableDeclaration().
https://bugs.webkit.org/show_bug.cgi?id=92461

Reviewed by Eric Seidel.

Source/WebCore:

Invalid variable lists could cause CSSGrammar.y to pass null as value to storeVariableDeclaration, so we now check for null.

Test: fast/css/variables/invalid-value-list-crash.html

* css/CSSParser.cpp:
(WebCore::CSSParser::storeVariableDeclaration):

LayoutTests:

Test case that causes CSSParser::storeVariableDeclaration to be passed a null value.

* fast/css/variables/invalid-value-list-crash-expected.txt: Added.
* fast/css/variables/invalid-value-list-crash.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@124723 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent d8a7ab68
2012-08-05 Luke Macpherson <macpherson@chromium.org>
Fix null pointer dereference when CSSParser::sinkFloatingValueList() returns null and is passed to storeVariableDeclaration().
https://bugs.webkit.org/show_bug.cgi?id=92461
Reviewed by Eric Seidel.
Test case that causes CSSParser::storeVariableDeclaration to be passed a null value.
* fast/css/variables/invalid-value-list-crash-expected.txt: Added.
* fast/css/variables/invalid-value-list-crash.html: Added.
2012-08-05 Kent Tamura <tkent@chromium.org>
[Chromium] Updte text expectation.
<script>
if (window.testRunner)
testRunner.dumpAsText();
internals.settings.setCSSVariablesEnabled(true);
</script>
<style>
div {
-webkit-var-a: -webkit-var(b) &#0;
}
</style>
This test is successful if it does not crash.
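Review bot: `internals.settings.setCSSVariablesEnabled(true);` is called unconditionally while the neighbouring `testRunner.dumpAsText();` is guarded by `if (window.testRunner)`; for consistency, and so the file still loads to its "successful if it does not crash" line when no `internals` object is present, consider guarding it the same way, e.g. `if (window.internals) internals.settings.setCSSVariablesEnabled(true);`. A one-line comment above the `<style>` block saying that the `&#0;` after `-webkit-var(b)` is what makes the value list invalid would also help the next reader see why this input reaches the null path.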
2012-08-05 Luke Macpherson <macpherson@chromium.org>
Fix null pointer dereference when CSSParser::sinkFloatingValueList() returns null and is passed to storeVariableDeclaration().
https://bugs.webkit.org/show_bug.cgi?id=92461
Reviewed by Eric Seidel.
Invalid variable lists could cause CSSGrammar.y to pass null as value to storeVariableDeclaration, so we now check for null.
Test: fast/css/variables/invalid-value-list-crash.html
* css/CSSParser.cpp:
(WebCore::CSSParser::storeVariableDeclaration):
2012-08-03 Kent Tamura <tkent@chromium.org>
[Chromium-win] Use the default locale only if the browser locale matches to it
......@@ -3025,6 +3025,10 @@ bool CSSParser::cssVariablesEnabled() const
void CSSParser::storeVariableDeclaration(const CSSParserString& name, PassOwnPtr<CSSParserValueList> value, bool important)
{
// When CSSGrammar.y encounters an invalid declaration it passes null for the CSSParserValueList, just bail.
if (!value)
return;
ASSERT(name.length > 12);
AtomicString variableName = String(name.characters + 12, name.length - 12);
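Review bot: the literal `12` in the unchanged `ASSERT(name.length > 12);` and `String(name.characters + 12, name.length - 12)` lines is the length of the `-webkit-var-` prefix exercised by the test, and naming it (for example `static const unsigned variablePrefixLength = 12;`) would make the assertion self-explanatory now that the function has an early-exit path before it. The null check itself is the right minimal fix given the new comment that CSSGrammar.y passes null for an invalid declaration; it may be worth extending that comment to say the declaration is silently dropped rather than reported, so the bare `return;` is not mistaken for a missing error path.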