Michael Goddard <michael.goddard@trolltech.com>
authorhausmann@webkit.org <hausmann@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 24 Jan 2008 14:18:34 +0000 (14:18 +0000)
committerhausmann@webkit.org <hausmann@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 24 Jan 2008 14:18:34 +0000 (14:18 +0000)
http://bugs.webkit.org/show_bug.cgi?id=16888

Fix for CSS crash in -webkit-border-image.
Reviewed by Darin.

While parsing -webkit-border-image, store
the border widths as naked pointers rather
than as OwnPtrs, since they point to the
middle of an array.

Test: fast/css/border-image-crash.html

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@29764 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/css/border-image-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/css/border-image-crash.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/css/CSSParser.cpp

index 28083fa..974cbaa 100644 (file)
@@ -1,3 +1,12 @@
+2008-01-15  Michael Goddard  <michael.goddard@trolltech.com>
+
+        Reviewed by Darin.
+
+        Add a test for a crash encountered with -webkit-border-image.
+
+        * fast/css/border-image-crash-expected.txt: Added.
+        * fast/css/border-image-crash.html: Added.
+
 2008-01-23  Alexey Proskuryakov  <ap@webkit.org>
 
         Reviewed by Darin.
diff --git a/LayoutTests/fast/css/border-image-crash-expected.txt b/LayoutTests/fast/css/border-image-crash-expected.txt
new file mode 100644 (file)
index 0000000..8249586
--- /dev/null
@@ -0,0 +1,3 @@
+Test for crash discovered with -webkit-border-image. If this text appears, the test passed.
+
+
diff --git a/LayoutTests/fast/css/border-image-crash.html b/LayoutTests/fast/css/border-image-crash.html
new file mode 100644 (file)
index 0000000..0bbe36e
--- /dev/null
@@ -0,0 +1,16 @@
+<html>
+<head>
+    <title></title>
+    <script>
+        if (window.layoutTestController)
+            layoutTestController.dumpAsText();
+    </script>
+</head>
+<body>
+    <p>
+        Test for crash discovered with -webkit-border-image.  If this text appears, the test passed.
+    </p>
+    <p>
+        <div style="-webkit-border-image: url(resources/greenbox.png) 0 7 0 13 / 0 7 0 13 stretch stretch; width:100; height:100;"></div></p>
+</body>
+</html>
index aef2d1a..1d3fe62 100644 (file)
@@ -1,3 +1,16 @@
+2008-01-15  Michael Goddard  <michael.goddard@trolltech.com>
+
+        Reviewed by Darin.
+
+        While parsing -webkit-border-image, store
+        the border widths as naked pointers rather
+        than as OwnPtrs, since they point to the
+        middle of an array.
+
+        Test: fast/css/border-image-crash.html
+
+        * css/CSSParser.cpp:
+
 2008-01-24  Holger Hans Peter Freyther  <holger.freyther@trolltech.com>
 
         Reviewed by Simon.
index 15501db..9335063 100644 (file)
@@ -3211,14 +3211,14 @@ struct BorderImageParseContext
     void commitSlash() { m_allowBreak = m_allowSlash = m_allowNumber = false; m_allowWidth = true; }
     void commitWidth(Value* val) {
         if (!m_borderTop)
-            m_borderTop.set(val);
+            m_borderTop = val;
         else if (!m_borderRight)
-            m_borderRight.set(val);
+            m_borderRight = val;
         else if (!m_borderBottom)
-            m_borderBottom.set(val);
+            m_borderBottom = val;
         else {
             ASSERT(!m_borderLeft);
-            m_borderLeft.set(val);
+            m_borderLeft = val;
         }
 
         m_allowBreak = m_allowRule = true;
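Review bot: The assignments in commitWidth now store `val` as a borrowed pointer, but nothing at these sites says so, which makes it easy for a later change to wrap it in an owning type again. I would add a comment above the first branch, for example `// val points into the parser's value array: not owned, never deleted here`. The commit message gives the reason (the pointers refer to the middle of an array), but how long that array outlives this context is not visible in the hunk and is worth stating in the same comment. commitWidth's body continues past the end of the hunk.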
@@ -3291,10 +3291,10 @@ struct BorderImageParseContext
     RefPtr<CSSPrimitiveValue> m_bottom;
     RefPtr<CSSPrimitiveValue> m_left;
     
-    OwnPtr<Value> m_borderTop;
-    OwnPtr<Value> m_borderRight;
-    OwnPtr<Value> m_borderBottom;
-    OwnPtr<Value> m_borderLeft;
+    Value* m_borderTop;
+    Value* m_borderRight;
+    Value* m_borderBottom;
+    Value* m_borderLeft;
     
     int m_horizontalRule;
     int m_verticalRule;
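Review bot: As `OwnPtr<Value>` the four `m_border*` members were null by construction; as plain `Value*` they are indeterminate unless the constructor sets them. The `if (!m_borderTop)` chain in commitWidth reads them before anything is assigned. The constructor is outside the shown hunks, so please confirm its initialiser list contains `m_borderTop(0), m_borderRight(0), m_borderBottom(0), m_borderLeft(0)`. If it does not, the first width either takes the wrong branch or trips the ASSERT on garbage. A line above the declarations such as `// Non-owning: point into the value list being parsed.` would also record why these are raw pointers. The struct begins and ends outside this hunk.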