[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.17-1283-gcf603cf
abarth at webkit.org
abarth at webkit.org
Tue Jan 5 23:42:55 UTC 2010
The following commit has been merged in the webkit-1.1 branch:
commit 8be19c5f457a3191569ff8e71b419834eca8e95e
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Sat Dec 5 17:50:53 2009 +0000
2009-12-05 Adam Langley <agl at google.com>
Reviewed by Adam Barth.
Check that a CSS format() argument is of a valid type.
https://bugs.webkit.org/show_bug.cgi?id=31815
http://code.google.com/p/chromium/issues/detail?id=28582
* fast/css/url-format-non-string-expected.txt: Added
* fast/css/url-format-non-string.html: Added.
2009-12-05 Adam Langley <agl at google.com>
Reviewed by Adam Barth.
Check that a CSS format() argument is of a valid type.
https://bugs.webkit.org/show_bug.cgi?id=31815
http://code.google.com/p/chromium/issues/detail?id=28582
Test: fast/css/url-format-non-string.html
* css/CSSParser.cpp:
(WebCore::CSSParser::parseFontFaceSrc):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@51727 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 80a53c4..cee6e54 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2009-12-05 Adam Langley <agl at google.com>
+
+ Reviewed by Adam Barth.
+
+ Check that a CSS format() argument is of a valid type.
+
+ https://bugs.webkit.org/show_bug.cgi?id=31815
+ http://code.google.com/p/chromium/issues/detail?id=28582
+
+ * fast/css/url-format-non-string-expected.txt: Added
+ * fast/css/url-format-non-string.html: Added.
+
2009-12-04 Kent Hansen <kent.hansen at nokia.com>
Reviewed by Darin Adler.
diff --git a/LayoutTests/editing/selection/doubleclick-whitespace-img-crash-expected.txt b/LayoutTests/fast/css/url-format-non-string-expected.txt
similarity index 100%
copy from LayoutTests/editing/selection/doubleclick-whitespace-img-crash-expected.txt
copy to LayoutTests/fast/css/url-format-non-string-expected.txt
diff --git a/LayoutTests/fast/css/url-format-non-string.html b/LayoutTests/fast/css/url-format-non-string.html
new file mode 100644
index 0000000..caf5dd7
--- /dev/null
+++ b/LayoutTests/fast/css/url-format-non-string.html
@@ -0,0 +1,19 @@
+<html>
+ <head>
+ <script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ </script>
+
+ <style media="all" type="text/css">
+ body {
+ src: url() format(attr(r));
+ }
+ </style>
+ </head>
+ <!-- This previously triggered the use of uninitialised memory. Thanks to
+ Robert Swiecki for the test case. -->
+ <p>PASS</p>
+ <body>
+ </body>
+</html>
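Review bot: This test can only fail by crashing, and the bug it covers, per its own comment, is a use of uninitialised memory, which does not crash reliably. A build without the fix may therefore still print PASS unless the test runs under a memory checker. I would say so in the comment, for example `<!-- Only meaningful under a memory-checking run: the original bug was a read of uninitialised memory and need not crash. -->`. The rule also covers only a function-valued argument (`attr(r)`); a second declaration with another non-string argument such as a number would pin the new unit check more tightly.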
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 4bf7f58..93631dc 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2009-12-05 Adam Langley <agl at google.com>
+
+ Reviewed by Adam Barth.
+
+ Check that a CSS format() argument is of a valid type.
+
+ https://bugs.webkit.org/show_bug.cgi?id=31815
+ http://code.google.com/p/chromium/issues/detail?id=28582
+
+ Test: fast/css/url-format-non-string.html
+
+ * css/CSSParser.cpp:
+ (WebCore::CSSParser::parseFontFaceSrc):
+
2009-12-04 Adam Langley <agl at google.com>
Reviewed by Eric Seidel.
diff --git a/WebCore/css/CSSParser.cpp b/WebCore/css/CSSParser.cpp
index 5e09f10..b4beaba 100644
--- a/WebCore/css/CSSParser.cpp
+++ b/WebCore/css/CSSParser.cpp
@@ -3337,6 +3337,12 @@ bool CSSParser::parseFontWeight(bool important)
return false;
}
+static bool isValidFormatFunction(CSSParserValue* val)
+{
+ CSSParserValueList* args = val->function->args;
+ return equalIgnoringCase(val->function->name, "format(") && (args->current()->unit == CSSPrimitiveValue::CSS_STRING || args->current()->unit == CSSPrimitiveValue::CSS_IDENT);
+}
+
bool CSSParser::parseFontFaceSrc()
{
RefPtr<CSSValueList> values(CSSValueList::createCommaSeparated());
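Review bot: `isValidFormatFunction` dereferences `val->function`, `args` and `args->current()` with no null checks, so it is only safe if the caller has already established that `val` is a function value with a non-empty argument list. Any such check in `parseFontFaceSrc` is outside the visible hunks, and nothing on the helper records the precondition. Since the helper exists to stop a malformed stylesheet from reaching `->string` on the wrong value type, I would make it self-contained with `if (!args || !args->current()) return false;` as its first statement after `args` is assigned. At minimum, add a comment such as `// Caller must have checked that val is a Function with exactly one argument.` The helper is complete in this hunk; the body of `parseFontFaceSrc` continues outside it.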
@@ -3364,7 +3370,7 @@ bool CSSParser::parseFontFaceSrc()
CSSParserValue* a = args->current();
uriValue.clear();
parsedValue = CSSFontFaceSrcValue::createLocal(a->string);
- } else if (equalIgnoringCase(val->function->name, "format(") && allowFormat && uriValue) {
+ } else if (allowFormat && uriValue && isValidFormatFunction(val)) {
expectComma = true;
allowFormat = false;
uriValue->setFormat(args->current()->string);
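Review bot: The `local(` branch on the context lines just above the changed condition still passes `a->string` to `CSSFontFaceSrcValue::createLocal` with no unit check visible here. The non-string-argument problem this commit closes for `format(` may therefore remain for `local(`. That branch's condition starts outside the hunk, so this is inferred from the visible lines only. If it is not already guarded, the same test should apply there, e.g. adding `&& (a->unit == CSSPrimitiveValue::CSS_STRING || a->unit == CSSPrimitiveValue::CSS_IDENT)` before the string is read. Moving the unit comparison into a small shared predicate would keep the two branches from drifting apart.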
--
WebKit Debian packaging