Bad cast from CSSInitialValue to CSSValueList
author rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 21 Sep 2013 04:13:52 +0000 (04:13 +0000)
committer rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 21 Sep 2013 04:13:52 +0000 (04:13 +0000)
https://bugs.webkit.org/show_bug.cgi?id=121729

Source/WebCore:

Reviewed by Beth Dakin.

Merge https://chromium.googlesource.com/chromium/blink/+/fcfaa51f9207b32cffe751c1a1380a921e464cbb

The issue was that we would cast to CSSValueList without checking
the type of the CSSValue. After this change, we use the ASSERT'ing
cast and explicitly check the type of the CSSValue before the cast.

Test: fast/css/crash-inherit-value-font-family.html

* css/CSSParser.cpp:
(WebCore::CSSParser::parseFontFaceValue):

LayoutTests:

Reviewed by Beth Dakin.

Add a regression test. This is not a merge since the test in the Blink change involves
superfluous execCommand calls.

* fast/css/crash-inherit-value-font-family-expected.txt: Added.
* fast/css/crash-inherit-value-font-family.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@156222 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/css/crash-inherit-value-font-family-expected.txt [new file with mode: 0644]
LayoutTests/fast/css/crash-inherit-value-font-family.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/css/CSSParser.cpp

index 2168529ca1f21c5a3f6466224c29b1b780d4d984..fede2bb198798e6d860cb5e45989c0aea2392976 100644 (file)
@@ -1,3 +1,16 @@
+2013-09-20  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Bad cast from CSSInitialValue to CSSValueList
+        https://bugs.webkit.org/show_bug.cgi?id=121729
+
+        Reviewed by Beth Dakin.
+        
+        Add a regression test. This is not a merge since the test in the Blink change involves
+        superfluous execCommand calls.
+
+        * fast/css/crash-inherit-value-font-family-expected.txt: Added.
+        * fast/css/crash-inherit-value-font-family.html: Added.
+
 2013-09-20  Alexandru Chiculita  <achicu@adobe.com>
 
         Web Inspector: [CSS Regions] Display CSS Regions chain when highlighting a CSS Region node
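Review bot: the blank line after "Reviewed by Beth Dakin." in this ChangeLog entry carries trailing whitespace (the line reads `+        ` instead of `+`); the matching entry in Source/WebCore/ChangeLog is clean, so strip it here for consistency with the rest of the file.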
diff --git a/LayoutTests/fast/css/crash-inherit-value-font-family-expected.txt b/LayoutTests/fast/css/crash-inherit-value-font-family-expected.txt
new file mode 100644 (file)
index 0000000..581c297
--- /dev/null
@@ -0,0 +1,3 @@
+WebKit shouldn't crash on font face values "initial" and "inherit". You should see PASS below.
+
+PASS
diff --git a/LayoutTests/fast/css/crash-inherit-value-font-family.html b/LayoutTests/fast/css/crash-inherit-value-font-family.html
new file mode 100644 (file)
index 0000000..b6c2a8e
--- /dev/null
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>WebKit shouldn't crash on font face values "initial" and "inherit". You should see PASS below.</p>
+<font face="inherit"></font>
+<font face="initial"></font>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+document.write('PASS');
+</script>
+</body>
+</html>
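Review bot: this test only proves the parser no longer crashes; `document.write('PASS')` runs whatever `face="inherit"` and `face="initial"` were parsed into, so it will not catch the behaviour the FIXME in CSSParser.cpp defers (treating "initial" and "inherit" as font names in the face attribute). That is fine for a crash regression test, but it is worth stating in the `<p>` text or a comment that no value check is intended, so a later reader does not mistake PASS for a correctness result.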
index eb3ac22715bc36ca59a4926f6a5f6b5266665d00..cac04115c5df7144649fcdd4a65873e264767627 100644 (file)
@@ -1,3 +1,21 @@
+2013-09-20  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Bad cast from CSSInitialValue to CSSValueList
+        https://bugs.webkit.org/show_bug.cgi?id=121729
+
+        Reviewed by Beth Dakin.
+
+        Merge https://chromium.googlesource.com/chromium/blink/+/fcfaa51f9207b32cffe751c1a1380a921e464cbb
+
+        The issue was that we would cast to CSSValueList without checking
+        the type of the CSSValue. After this change, we use the ASSERT'ing
+        cast and explicitly check the type of the CSSValue before the cast.
+
+        Test: fast/css/crash-inherit-value-font-family.html
+
+        * css/CSSParser.cpp:
+        (WebCore::CSSParser::parseFontFaceValue):
+
 2013-09-20  Zoltan Horvath  <zoltan@webkit.org>
 
         Remove includes from LineWidth.h
index 7e0e2940fb1abd01dba53fa65f3c072699bd0f67..d17931e8d08055ec8cfebd2e5ccf7a4c68ad0cc9 100644 (file)
@@ -1297,7 +1297,11 @@ PassRefPtr<CSSValueList> CSSParser::parseFontFaceValue(const AtomicString& strin
     RefPtr<MutableStylePropertySet> dummyStyle = MutableStylePropertySet::create();
     if (!parseValue(dummyStyle.get(), CSSPropertyFontFamily, string, false, CSSQuirksMode, 0))
         return 0;
-    return static_pointer_cast<CSSValueList>(dummyStyle->getPropertyCSSValue(CSSPropertyFontFamily));
+
+    RefPtr<CSSValue> fontFamily = dummyStyle->getPropertyCSSValue(CSSPropertyFontFamily);
+    if (!fontFamily->isValueList())
+        return 0; // FIXME: "initial" and "inherit" should be parsed as font names in the face attribute.
+    return static_pointer_cast<CSSValueList>(fontFamily.release());
 }
 
 #if ENABLE(CSS_VARIABLES)
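Review bot: `fontFamily->isValueList()` dereferences the result of `getPropertyCSSValue(CSSPropertyFontFamily)` without a null check; a successful `parseValue` should guarantee the property was stored, but since the whole point of this change is to stop trusting the value's shape, either document that invariant with `ASSERT(fontFamily)` or widen the test to `if (!fontFamily || !fontFamily->isValueList())`. Also, the ChangeLog says the fix switches to the ASSERT'ing cast, yet the hunk still returns `static_pointer_cast<CSSValueList>(fontFamily.release())`; either use the asserting cast helper the ChangeLog describes or reword the ChangeLog to say the type is now checked explicitly before a plain cast.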