[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

simon.fraser at apple.com simon.fraser at apple.com
Thu Apr 8 00:43:07 UTC 2010 

The following commit has been merged in the webkit-1.2 branch:
commit 79acc75f0593f1ccc618848d3fabf18745027c8a
Author: simon.fraser at apple.com <simon.fraser at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Sat Dec 19 00:22:34 2009 +0000

    2009-12-18  Simon Fraser  <simon.fraser at apple.com>
    
            Reviewed by Darin Adler.
    
            Crash when accessing webkitTransition property after setting webkitTransitionProperty with invalid value.
            https://bugs.webkit.org/show_bug.cgi?id=31559
    
            Fix an array bounds error when accessing the CSS value for a shorthand property that takes
            a comma-separated list, after the list for one of the component properties has been set to a different length.
    
            Test: fast/css/shorthand-mismatched-list-crash.html
    
            * css/CSSMutableStyleDeclaration.cpp:
            (WebCore::CSSMutableStyleDeclaration::getLayeredShorthandValue):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@52354 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index acaee32..6d444ac 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2009-12-18  Simon Fraser  <simon.fraser at apple.com>
+
+        Reviewed by Darin Adler.
+
+        Crash when accessing webkitTransition property after setting webkitTransitionProperty with invalid value.
+        https://bugs.webkit.org/show_bug.cgi?id=31559
+        
+        Test accessing shorthand property after setting an individual property to a longer or shorter list.
+
+        * fast/css/shorthand-mismatched-list-crash-expected.txt: Added.
+        * fast/css/shorthand-mismatched-list-crash.html: Added.
+
 2009-12-18  Jon Honeycutt  <jhoneycutt at apple.com>
 
         REGRESSION(r52233): MSAA: Accessibility role of lists is wrong
diff --git a/LayoutTests/fast/css/shorthand-mismatched-list-crash-expected.txt b/LayoutTests/fast/css/shorthand-mismatched-list-crash-expected.txt
new file mode 100644
index 0000000..f2a5226
--- /dev/null
+++ b/LayoutTests/fast/css/shorthand-mismatched-list-crash-expected.txt
@@ -0,0 +1,8 @@
+Test for WebKit bug 31559: Crash with mismatched lists and shorthands.
+
+PASS para.style.webkitTransition is "width 1s, left 1s, 1s"
+PASS para.style.webkitTransition is "width 1s, left 1s, top"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/css/shorthand-mismatched-list-crash.html b/LayoutTests/fast/css/shorthand-mismatched-list-crash.html
new file mode 100644
index 0000000..976b0b0
--- /dev/null
+++ b/LayoutTests/fast/css/shorthand-mismatched-list-crash.html
@@ -0,0 +1,34 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<title>Test for WebKit bug 31559: Crash with mismatched lists and shorthands.</title>
+<link rel="stylesheet" href="../js/resources/js-test-style.css">
+<script src="../js/resources/js-test-pre.js"></script>
+</head>
+<body>
+  <p id="description">Test for WebKit bug <a href="https://bugs.webkit.org/show_bug.cgi?id=31559">31559</a>: Crash with mismatched lists and shorthands.</p>
+  <div id="console"></div>
+
+  <div id="test"></div>
+
+<script>
+  var para = document.getElementById('test');
+  
+  // Test longer shorthand
+  para.style.webkitTransition = 'width 1s, left 1s, top 1s';
+  para.style.webkitTransitionProperty = 'width, left';
+
+  shouldBeEqualToString("para.style.webkitTransition", "width 1s, left 1s, 1s");
+
+  // Test shorter shorthand
+  para.style.webkitTransition = 'width 1s, left 1s';
+  para.style.webkitTransitionProperty = 'width, left, top';
+
+  // the next line will crash
+  shouldBeEqualToString("para.style.webkitTransition", "width 1s, left 1s, top");
+
+    var successfullyParsed = true;
+</script>
+<script src="../js/resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 3f27a29..a0da1df 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -39,6 +39,21 @@
 
 2009-12-18  Simon Fraser  <simon.fraser at apple.com>
 
+        Reviewed by Darin Adler.
+
+        Crash when accessing webkitTransition property after setting webkitTransitionProperty with invalid value.
+        https://bugs.webkit.org/show_bug.cgi?id=31559
+        
+        Fix an array bounds error when accessing the CSS value for a shorthand property that takes
+        a comma-separated list, after the list for one of the component properties has been set to a different length.
+
+        Test: fast/css/shorthand-mismatched-list-crash.html
+
+        * css/CSSMutableStyleDeclaration.cpp:
+        (WebCore::CSSMutableStyleDeclaration::getLayeredShorthandValue):
+
+2009-12-18  Simon Fraser  <simon.fraser at apple.com>
+
         Reviewed by Mark Rowe.
 
         Remove WebCore.ClientBasedGeolocation.exp from Sources, and remove two IDL files from Resources.
diff --git a/WebCore/css/CSSMutableStyleDeclaration.cpp b/WebCore/css/CSSMutableStyleDeclaration.cpp
index b86be05..31c7507 100644
--- a/WebCore/css/CSSMutableStyleDeclaration.cpp
+++ b/WebCore/css/CSSMutableStyleDeclaration.cpp
@@ -313,7 +313,7 @@ String CSSMutableStyleDeclaration::getLayeredShorthandValue(const int* propertie
             RefPtr<CSSValue> value;
             if (values[j]) {
                 if (values[j]->isValueList())
-                    value = static_cast<CSSValueList*>(values[j].get())->itemWithoutBoundsCheck(i);
+                    value = static_cast<CSSValueList*>(values[j].get())->item(i);
                 else {
                     value = values[j];
                     

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list