Fix null pointer deref in RenderFileUploadControl::computePreferredLogicalWidth().
author: macpherson@chromium.org <macpherson@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 10 Aug 2012 03:37:03 +0000 (03:37 +0000)
committer: macpherson@chromium.org <macpherson@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 10 Aug 2012 03:37:03 +0000 (03:37 +0000)
https://bugs.webkit.org/show_bug.cgi?id=93579

Reviewed by Kent Tamura.

Source/WebCore:

Checks the upload control has a non-null button renderer before dereferencing.

Test: fast/forms/file/file-crash-by-display-none-button.html

* rendering/RenderFileUploadControl.cpp:
(WebCore::RenderFileUploadControl::computePreferredLogicalWidths):

LayoutTests:

Exercise code path that causes an upload button to exist without a renderer.

* fast/forms/file/file-crash-by-display-none-button.html: Added.
* fast/forms/file/file-crash-by-display-none-button-expected.txt: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@125243 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/forms/file/file-crash-by-display-none-button-expected.txt [new file with mode: 0644]
LayoutTests/fast/forms/file/file-crash-by-display-none-button.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderFileUploadControl.cpp

index 863686b..672e35f 100644 (file)
@@ -1,3 +1,15 @@
+2012-08-09  Luke Macpherson   <macpherson@chromium.org>
+
+        Fix null pointer deref in RenderFileUploadControl::computePreferredLogicalWidth().
+        https://bugs.webkit.org/show_bug.cgi?id=93579
+
+        Reviewed by Kent Tamura.
+
+        Exercise code path that causes an upload button to exist without a renderer.
+
+        * fast/forms/file/file-crash-by-display-none-button.html: Added.
+        * fast/forms/file/file-crash-by-display-none-button-expected.txt: Added.
+
 2012-08-09  Yuta Kitamura  <yutak@chromium.org>
 
         Unreviewed. Remove duplicate test expectation entry causing a lint error.
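Review bot: the entry title names `computePreferredLogicalWidth()` but the function actually changed is `computePreferredLogicalWidths()` (plural), as the `@@` header of the RenderFileUploadControl.cpp hunk shows; use the real name so the ChangeLog can be found by searching for the function. The rest of the entry follows the usual format.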
diff --git a/LayoutTests/fast/forms/file/file-crash-by-display-none-button-expected.txt b/LayoutTests/fast/forms/file/file-crash-by-display-none-button-expected.txt
new file mode 100644 (file)
index 0000000..8a9352d
--- /dev/null
@@ -0,0 +1 @@
+This test is successful it it does not crash. 
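Review bot: typo in the expected output, `it it does not crash` should read `if it does not crash`; since this file must match the text the test page dumps byte for byte, change this line and the same sentence in file-crash-by-display-none-button.html together. The trailing space after `crash.` on this line should also be dropped unless the HTML dump really emits it.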
diff --git a/LayoutTests/fast/forms/file/file-crash-by-display-none-button.html b/LayoutTests/fast/forms/file/file-crash-by-display-none-button.html
new file mode 100644 (file)
index 0000000..a795275
--- /dev/null
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<script>
+    if (window.internals)
+        testRunner.dumpAsText();
+</script>
+<style>
+input::-webkit-file-upload-button { display: none; }
+</style>
+This test is successful it it does not crash.
+<input type="file"/>
+
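Review bot: the guard at `if (window.internals)` tests the wrong object: the body calls `testRunner.dumpAsText()`, so it should read `if (window.testRunner)`; as written the script throws a ReferenceError in any harness that exposes `internals` but not `testRunner`, and in a plain browser it silently skips the dump, which is harmless but misleading. The sentence `This test is successful it it does not crash.` carries the same `it it` typo as the -expected.txt file and must be fixed in lockstep with it. The test itself is minimal and right: `display: none` on `::-webkit-file-upload-button` leaves the inner button element without a renderer, which is exactly the state the code fix guards against.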
index bf8d7e3..0680a11 100644 (file)
@@ -1,3 +1,17 @@
+2012-08-09  Luke Macpherson   <macpherson@chromium.org>
+
+        Fix null pointer deref in RenderFileUploadControl::computePreferredLogicalWidth().
+        https://bugs.webkit.org/show_bug.cgi?id=93579
+
+        Reviewed by Kent Tamura.
+
+        Checks the upload control has a non-null button renderer before dereferencing.
+
+        Test: fast/forms/file/file-crash-by-display-none-button.html
+
+        * rendering/RenderFileUploadControl.cpp:
+        (WebCore::RenderFileUploadControl::computePreferredLogicalWidths):
+
 2012-08-09  Kentaro Hara  <haraken@chromium.org>
 
         [V8] Rename V8BindingPerContextData to V8PerContextData
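Review bot: the description `Checks the upload control has a non-null button renderer before dereferencing` says what is checked but not why the renderer can be null; one clause noting that the button element exists but gets no renderer when its `::-webkit-file-upload-button` pseudo-element is `display: none` (the case the new test covers) would stop a future reader from removing the check as redundant. The title also has the singular/plural mismatch (`computePreferredLogicalWidth` versus the listed `computePreferredLogicalWidths`).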
index 71e4ea4..bac5b59 100644 (file)
@@ -194,7 +194,8 @@ void RenderFileUploadControl::computePreferredLogicalWidths()
         const String label = theme()->fileListDefaultLabel(node()->toInputElement()->multiple());
         float defaultLabelWidth = font.width(constructTextRun(this, font, label, style, TextRun::AllowTrailingExpansion));
         if (HTMLInputElement* button = uploadButton())
-            defaultLabelWidth += button->renderer()->maxPreferredLogicalWidth() + afterButtonSpacing;
+            if (RenderObject* buttonRenderer = button->renderer())
+                defaultLabelWidth += buttonRenderer->maxPreferredLogicalWidth() + afterButtonSpacing;
         m_maxPreferredLogicalWidth = static_cast<int>(ceilf(max(minDefaultLabelWidth, defaultLabelWidth)));
     }
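Review bot: the fix is correct, but the two nested brace-less `if` statements at `if (HTMLInputElement* button = uploadButton())` / `if (RenderObject* buttonRenderer = button->renderer())` are a dangling-else trap and easy to misread on a later edit; wrap the outer body in braces. A short comment at the inner `if` saying that a null renderer is expected when the button is `display: none` would also keep the guard from being dropped later as dead code. In that case the preferred width simply omits the button's contribution, which is consistent with the button taking no layout space.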