Reviewed by Mitz.
authorrwlbuis <rwlbuis@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 11 Oct 2006 18:19:34 +0000 (18:19 +0000)
committerrwlbuis <rwlbuis@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 11 Oct 2006 18:19:34 +0000 (18:19 +0000)
        http://bugs.webkit.org/show_bug.cgi?id=11221
        REGRESSION: iExploder crash due to style="cursor: url()"

        Take better care of empty cursor lists.

        Test: fast/css/invalid-cursor-property-crash.html

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@16991 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/css/invalid-cursor-property-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/css/invalid-cursor-property-crash.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/css/cssparser.cpp

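--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2006-10-11  Rob Buis  <buis@kde.org>
+
+        Reviewed by Mitz.
+
+        Testcase for:
+        http://bugs.webkit.org/show_bug.cgi?id=11221
+        REGRESSION: iExploder crash due to style="cursor: url()"
+
+        * fast/css/invalid-cursor-property-crash-expected.txt: Added.
+        * fast/css/invalid-cursor-property-crash.html: Added.
+
 2006-10-11  Antti Koivisto  <koivisto@iki.fi>
 
         Reviewed by Hyatt.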
diff --git a/LayoutTests/fast/css/invalid-cursor-property-crash-expected.txt b/LayoutTests/fast/css/invalid-cursor-property-crash-expected.txt
new file mode 100644 (file)
index 0000000..01d994f
--- /dev/null
@@ -0,0 +1,3 @@
+This tests that the invalid cursor property value does not get applied. See Bug 11221.
+SUCCESS
+
diff --git a/LayoutTests/fast/css/invalid-cursor-property-crash.html b/LayoutTests/fast/css/invalid-cursor-property-crash.html
new file mode 100644 (file)
index 0000000..2a66f5b
--- /dev/null
@@ -0,0 +1,21 @@
+<html>
+<head>
+    <script>
+    function runTest() {
+        if (window.layoutTestController)
+            layoutTestController.dumpAsText();
+            
+        var d = document.getElementById('theDiv');
+        var style = document.defaultView.getComputedStyle(d, '');
+        
+        if (style && style.cursor == 'auto')
+            document.getElementById('result').innerHTML = 'SUCCESS';            
+    }
+    </script>
+</head>
+<body onload="runTest()">
+<div id="theDiv" style="cursor: url()">
+<div>This tests that the invalid cursor property value does not get applied. See Bug 11221.</div>
+<div id="result">FAILURE</div>
+</body>
+</html>
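Review bot: The test covers only the single declaration `cursor: url()` on `theDiv`, and the document has no doctype, so the parser's `strict` branches are presumably never exercised by it. The parser change also touches the comma-separated list handling and the `list->length() != 1` check, so I would add sibling elements such as `style="cursor: url(), url()"` and `style="cursor: url(), auto"`, plus a copy of the page with a standards-mode doctype, each asserting that the page loads and reports a sane computed `cursor`. The `<div id="theDiv" ...>` opened on the new line 17 is never closed; adding `</div>` before the result div keeps the DOM shape independent of error recovery.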
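--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2006-10-11  Rob Buis  <buis@kde.org>
+
+        Reviewed by Mitz.
+
+        http://bugs.webkit.org/show_bug.cgi?id=11221
+        REGRESSION: iExploder crash due to style="cursor: url()"
+
+        Take better care of empty cursor lists.
+
+        Test: fast/css/invalid-cursor-property-crash.html
+
+        * css/cssparser.cpp:
+        (WebCore::CSSParser::parseValue):
+
 2006-10-11  Adam Roben  <aroben@apple.com>
 
         Fixing Windows for real this time.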
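--- a/WebCore/css/cssparser.cpp
+++ b/WebCore/css/cssparser.cpp
@@ -702,6 +702,8 @@ bool CSSParser::parseValue(int propId, bool important)
         // ns-resize | nesw-resize | nwse-resize | col-resize | row-resize | text | wait | help ] ] | inherit
         CSSValueList* list = 0;
         while (value && value->unit == CSSPrimitiveValue::CSS_URI) {
+            if (!list)
+                list = new CSSValueList; 
             String uri = parseURL(domString(value->string));
             Vector<int> coords;
             value = valueList->next();
@@ -720,28 +722,28 @@ bool CSSParser::parseValue(int propId, bool important)
                 hotspot = IntPoint(coords[0], coords[1]);
             if (strict || coords.size() == 0) {
 #ifdef SVG_SUPPORT
-            if (uri.startsWith("#")) {
-                if (!list)
-                    list = new CSSValueList; 
-                list->append(new CSSPrimitiveValue(uri, CSSPrimitiveValue::CSS_URI));
-            } else
+                if (uri.startsWith("#"))
+                    list->append(new CSSPrimitiveValue(uri, CSSPrimitiveValue::CSS_URI));
+                else
 #endif
-            if (!uri.isEmpty()) {
-                if (!list)
-                    list = new CSSValueList; 
-                list->append(new CSSCursorImageValue(
-                             String(KURL(styleElement->baseURL().deprecatedString(), uri.deprecatedString()).url()),
-                             hotspot, styleElement));
-            }
+                if (!uri.isEmpty()) {
+                    list->append(new CSSCursorImageValue(
+                                 String(KURL(styleElement->baseURL().deprecatedString(), uri.deprecatedString()).url()),
+                                 hotspot, styleElement));
+                }
             }
-            if ((strict && !value) || (value && !(value->unit == Value::Operator && value->iValue == ',')))
+            if ((strict && !value) || (value && !(value->unit == Value::Operator && value->iValue == ','))) {
+                delete list;
                 return false;
+            }
             value = valueList->next(); // comma
         }
         if (list) {
             if (!value) { // no value after url list (MSIE 5 compatibility)
-                if (list->length() > 1)
+                if (list->length() != 1) {
+                    delete list;
                     return false;
+                }
             } else if (!strict && value->id == CSS_VAL_HAND) // MSIE 5 compatibility :/
                 list->append(new CSSPrimitiveValue(CSS_VAL_POINTER));
             else if (value && value->id >= CSS_VAL_AUTO && value->id <= CSS_VAL_HELP)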
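Review bot: Allocating the `CSSValueList` at the top of the loop (first hunk) means `list` is now live across every exit from this branch of `parseValue`, but only the two `return false` paths visible in the second hunk release it. Any early return in the unshown new lines 710–721 between the hunks (the hotspot coordinate handling) would now leak the list, and so would the fall-through after the last `else if` when the trailing value is not a valid cursor keyword. Both lie outside the hunk and should be checked for a matching `delete list;`. Since this code parses untrusted style text and the original bug was found by a fuzzer, holding the list in a scoped owner that frees it on every return would be more robust than per-branch deletes. I would also document the allocation with `// Allocate up front: a url() that contributes no entry must still reach the length check below.`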