Using dpi unit in sizes attribute raises SIGSEGV
author: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 11 Jul 2016 15:08:46 +0000 (15:08 +0000)
committer: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 11 Jul 2016 15:08:46 +0000 (15:08 +0000)
https://bugs.webkit.org/show_bug.cgi?id=159412

Patch by Fujii Hironori <Hironori.Fujii@sony.com> on 2016-07-11
Reviewed by Darin Adler.

Source/WebCore:

CSSParser::sourceSize returns an invalid CSSParser::SourceSize
whose length is a null value for a dpi unit value, because
CSSParserValue::createCSSValue returns null for a dpi value.

Tests:
    fast/dom/HTMLImageElement/sizes/image-sizes-invalids.html
    imported/w3c/web-platform-tests/html/semantics/embedded-content/the-img-element/sizes/parse-a-sizes-attribute.html

* css/CSSParser.cpp:
(WebCore::CSSParser::sourceSize): Create a CSSPrimitiveValue of
CSS_UNKNOWN if CSSParserValue::createCSSValue returns null.

LayoutTests:

* TestExpectations: Unskip fast/dom/HTMLImageElement/sizes.
* fast/dom/HTMLImageElement/sizes/image-sizes-invalids-expected.txt: Updated.
* fast/dom/HTMLImageElement/sizes/image-sizes-invalids.html: Added a dpi unit test case.
Renumbering element IDs.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@203060 268f45cc-cd09-0410-ab3c-d52691b4dbfc
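A small model of the defect and the fix described above, added here as an example and not taken from WebKit: a value factory that returns null for an unsupported unit (dpi), a caller that stores the result unchecked, and the hardened caller that substitutes a CSS_UNKNOWN-style sentinel. All type and function names are stand-ins for the WebKit ones.

```cpp
// Added example (not WebKit code): models CSSParser::sourceSize storing a null
// length when CSSParserValue::createCSSValue returns null for a dpi unit.
#include <memory>

enum class Unit { Px, Dpi, Unknown };

struct CSSValue {
    double number;
    Unit unit;
};

struct SourceSize {
    std::shared_ptr<CSSValue> length; // null in the buggy path
};

// Stand-in for CSSParserValue::createCSSValue: no CSSValue exists for a
// resolution unit in a <source-size> context, so it returns null for dpi.
std::shared_ptr<CSSValue> createCSSValue(double number, Unit unit) {
    if (unit == Unit::Dpi)
        return nullptr;
    return std::make_shared<CSSValue>(CSSValue{number, unit});
}

// Before the fix: the null value is stored without a check.
SourceSize sourceSizeBuggy(double n, Unit u) { return {createCSSValue(n, u)}; }

// After the fix: fall back to a sentinel value (unit Unknown, number 0) so
// that callers always receive a non-null length.
SourceSize sourceSizeFixed(double n, Unit u) {
    auto value = createCSSValue(n, u);
    if (!value)
        value = std::make_shared<CSSValue>(CSSValue{0, Unit::Unknown});
    return {value};
}

// Stand-in for the consumer of a SourceSize: a px length is used as-is, any
// other unit (including the Unknown sentinel) is rejected and the assumed
// default of the full viewport width is used instead. Dereferencing `length`
// is where the buggy path crashes (the SIGSEGV from the bug title).
bool effectiveSize(const SourceSize& s, double viewportWidth, double& out) {
    const CSSValue& v = *s.length; // null dereference on the buggy path
    if (v.unit == Unit::Px) {
        out = v.number;
        return true;
    }
    out = viewportWidth;
    return false;
}
```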

LayoutTests/ChangeLog
LayoutTests/TestExpectations
LayoutTests/fast/dom/HTMLImageElement/sizes/image-sizes-invalids-expected.txt
LayoutTests/fast/dom/HTMLImageElement/sizes/image-sizes-invalids.html
Source/WebCore/ChangeLog
Source/WebCore/css/CSSParser.cpp

index 083f2cf..d4470f8 100644 (file)
@@ -1,3 +1,15 @@
+2016-07-11  Fujii Hironori  <Hironori.Fujii@sony.com>
+
+        Using dpi unit in sizes attribute raises SIGSEGV
+        https://bugs.webkit.org/show_bug.cgi?id=159412
+
+        Reviewed by Darin Adler.
+
+        * TestExpectations: Unskip fast/dom/HTMLImageElement/sizes.
+        * fast/dom/HTMLImageElement/sizes/image-sizes-invalids-expected.txt: Updated.
+        * fast/dom/HTMLImageElement/sizes/image-sizes-invalids.html: Added a dpi unit test case.
+        Renumbering element IDs.
+
 2016-07-11  Eric Carlson  <eric.carlson@apple.com>
 
         Add a test for media control dropoff
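Review bot: the entry for image-sizes-invalids.html does not mention that the load handler's loop bound also changed (from `i < 7` to `i <= 9`), which is the part of the test change that actually makes the new crash9 case run; adding that to the "Added a dpi unit test case." line would make the ChangeLog match the diff.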
index 6f12b94..c5401c6 100644 (file)
@@ -708,8 +708,6 @@ fast/images/gif-loop-count.html [ ImageOnlyFailure ]
 
 webkit.org/b/146182 editing/selection/leak-document-with-selection-inside.html [ Pass Failure ]
 
-webkit.org/b/146434 fast/dom/HTMLImageElement/sizes [ Skip ]
-
 # Media Sessions is not yet enabled by default: ENABLE(MEDIA_SESSION)
 media/session [ Skip ]
 
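Review bot: removing `webkit.org/b/146434 fast/dom/HTMLImageElement/sizes [ Skip ]` re-enables every test under that directory, not only image-sizes-invalids.html; confirm the other tests there pass on all bots, otherwise replace the directory-wide Skip with per-file expectations rather than dropping it entirely.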
index 24e4018..99a6f58 100644 (file)
@@ -10,7 +10,13 @@ PASS document.getElementById(elementId).clientWidth is 800
 PASS currentSrcFileName(elementId) is "image-set-2x.png"
 PASS document.getElementById(elementId).clientWidth is 800
 PASS currentSrcFileName(elementId) is "image-set-2x.png"
+PASS document.getElementById(elementId).clientWidth is 800
+PASS currentSrcFileName(elementId) is "image-set-2x.png"
+PASS document.getElementById(elementId).clientWidth is 800
+PASS currentSrcFileName(elementId) is "image-set-2x.png"
+PASS document.getElementById(elementId).clientWidth is 800
+PASS currentSrcFileName(elementId) is "image-set-2x.png"
 PASS successfullyParsed is true
 
 TEST COMPLETE
-       
+        
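Review bot: the three added PASS pairs bring the file to nine clientWidth/currentSrcFileName pairs, which matches the new `i <= 9` loop, so the expectation is consistent; the final `-`/`+` lines differ only in trailing whitespace, which is harmless but worth dropping from the diff if the file is regenerated.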
index 9215abc..6201e7c 100644 (file)
@@ -7,7 +7,7 @@
 
     var elementId;
     addEventListener("load", function() {
-        for (var i = 1; i < 7; ++i) {
+        for (var i = 1; i <= 9; ++i) {
             elementId = "crash" + i;
             shouldBe('document.getElementById(elementId).clientWidth', '800');
             shouldBe('currentSrcFileName(elementId)', '"image-set-2x.png"');
 </script>
 <!-- crash tests -->
 <img id="crash1" sizes="1q" srcset="../../../hidpi/resources/image-set-2x.png 800w, ../resources/image-set-4x.png 16000w">
-<img id="crash1" sizes="1pxllll" srcset="../../../hidpi/resources/image-set-2x.png 800w, ../resources/image-set-4x.png 16000w">
-<img id="crash2" sizes="1dfsdf4534fddd" srcset="../../../hidpi/resources/image-set-2x.png 800w, ../resources/image-set-4x.png 16000w">
-<img id="crash3" sizes="calc()" srcset="../../../hidpi/resources/image-set-2x.png 800w, ../resources/image-set-4x.png 16000w">
-<img id="crash4" sizes="calc(3q)" srcset="../../../hidpi/resources/image-set-2x.png 800w, ../resources/image-set-4x.png 16000w">
-<img id="crash4" sizes="calcssdff()" srcset="../../../hidpi/resources/image-set-2x.png 800w, ../resources/image-set-4x.png 16000w">
-<img id="crash5" sizes="calc(2px+dfmjbsf,,,skidkk)" srcset="../../../hidpi/resources/image-set-2x.png 800w, ../resources/image-set-4x.png 16000w">
-<img id="crash6" sizes="calc(2px+dfmjbsf,,,skidkk) + 2px, 56px" srcset="../../../hidpi/resources/image-set-2x.png 800w, ../resources/image-set-4x.png 16000w">
+<img id="crash2" sizes="1pxllll" srcset="../../../hidpi/resources/image-set-2x.png 800w, ../resources/image-set-4x.png 16000w">
+<img id="crash3" sizes="1dfsdf4534fddd" srcset="../../../hidpi/resources/image-set-2x.png 800w, ../resources/image-set-4x.png 16000w">
+<img id="crash4" sizes="calc()" srcset="../../../hidpi/resources/image-set-2x.png 800w, ../resources/image-set-4x.png 16000w">
+<img id="crash5" sizes="calc(3q)" srcset="../../../hidpi/resources/image-set-2x.png 800w, ../resources/image-set-4x.png 16000w">
+<img id="crash6" sizes="calcssdff()" srcset="../../../hidpi/resources/image-set-2x.png 800w, ../resources/image-set-4x.png 16000w">
+<img id="crash7" sizes="calc(2px+dfmjbsf,,,skidkk)" srcset="../../../hidpi/resources/image-set-2x.png 800w, ../resources/image-set-4x.png 16000w">
+<img id="crash8" sizes="calc(2px+dfmjbsf,,,skidkk) + 2px, 56px" srcset="../../../hidpi/resources/image-set-2x.png 800w, ../resources/image-set-4x.png 16000w">
+<img id="crash9" sizes="1dpi" srcset="../../../hidpi/resources/image-set-2x.png 800w, ../resources/image-set-4x.png 16000w">
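Review bot: the old markup had duplicate ids (`crash1` and `crash4` each appeared twice), so `getElementById` only ever returned the first element and the `1pxllll` and `calcssdff()` cases were never exercised; the renumbering fixes that, but the hard-coded `i <= 9` will silently skip any case added later without the bound being bumped. Consider iterating over `document.querySelectorAll('img[id^="crash"]')` so every crash element is checked regardless of count.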
index 7753e08..81e95e4 100644 (file)
@@ -1,3 +1,22 @@
+2016-07-11  Fujii Hironori  <Hironori.Fujii@sony.com>
+
+        Using dpi unit in sizes attribute raises SIGSEGV
+        https://bugs.webkit.org/show_bug.cgi?id=159412
+
+        Reviewed by Darin Adler.
+
+        CSSParser::sourceSize returns a invalid CSSParser::SourceSize
+        whose length is a null value for a dpi unit value.  Because
+        CSSParserValue::createCSSValue returns null for a dpi value.
+
+        Tests:
+            fast/dom/HTMLImageElement/sizes/image-sizes-invalids.html
+            imported/w3c/web-platform-tests/html/semantics/embedded-content/the-img-element/sizes/parse-a-sizes-attribute.html
+
+        * css/CSSParser.cpp:
+        (WebCore::CSSParser::sourceSize): Create a CSSPrimitiveValue of
+        CSS_UNKNOWN if CSSParserValue::createCSSValue returns null.
+
 2016-07-11  Olivier Blin  <olivier.blin@softathome.com>
 
         Red and blue colors are swapped in video rendered through WebGL when GSTREAMER_GL is enabled
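Review bot: typo in the description, "returns a invalid CSSParser::SourceSize" should read "an invalid", and the sentence fragment starting "Because CSSParserValue::createCSSValue returns null" reads better joined to the previous sentence with a comma.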
index 64d4c3d..233e9c4 100644 (file)
@@ -1552,8 +1552,11 @@ CSSParser::SourceSize CSSParser::sourceSize(MediaQueryExpression&& expression, C
         if (args && args->size())
             value = CSSCalcValue::create(parserValue.function->name, *args, CalculationRangeNonNegative);
     }
-    if (!value)
+    if (!value) {
         value = parserValue.createCSSValue();
+        if (!value)
+            value = CSSPrimitiveValue::create(0, CSSPrimitiveValue::CSS_UNKNOWN);
+    }
     destroy(parserValue);
     // FIXME: Calling the constructor explicitly here to work around an MSVC bug.
     // For other compilers, we did not need to define the constructors and we could use aggregate initialization syntax.
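Review bot: the fallback `value = CSSPrimitiveValue::create(0, CSSPrimitiveValue::CSS_UNKNOWN);` replaces a null length with a non-null value whose number is 0, so correctness now depends on the consumer of SourceSize treating a CSS_UNKNOWN unit as an invalid entry rather than as a zero-length size; a short comment at that line stating that CSS_UNKNOWN is rejected downstream (and why it was preferred over returning an error from sourceSize) would make that contract explicit. It is also worth checking whether other callers of `parserValue.createCSSValue()` can receive the same null for resolution units and need the same guard.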