[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.22-985-g3c00f00
mitz at apple.com
mitz at apple.com
Wed Mar 17 18:36:42 UTC 2010
The following commit has been merged in the webkit-1.1 branch:
commit cff54398ae3871c6cf4d5a24cf846fb91453adbc
Author: mitz at apple.com <mitz at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Fri Mar 12 18:28:56 2010 +0000
<rdar://problem/7725534> CSSPrimitiveValue::parserValue() returns deleted memory
https://bugs.webkit.org/show_bug.cgi?id=20069
Reviewed by Darin Adler.
No test added, since with the CSS variables feature disabled, the pointer
to the freed memory is never dereferenced.
* css/CSSPrimitiveValue.cpp:
(WebCore::valueOrPropertyName): Changed to return a const AtomicString& from
a static table.
(WebCore::CSSPrimitiveValue::parserValue): Updated for the above change.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@55914 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index e82a653..818f874 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,5 +1,20 @@
2010-03-12 Dan Bernstein <mitz at apple.com>
+ Reviewed by Darin Adler.
+
+ <rdar://problem/7725534> CSSPrimitiveValue::parserValue() returns deleted memory
+ https://bugs.webkit.org/show_bug.cgi?id=20069
+
+ No test added, since with the CSS variables feature disabled, the pointer
+ to the freed memory is never dereferenced.
+
+ * css/CSSPrimitiveValue.cpp:
+ (WebCore::valueOrPropertyName): Changed to return a const AtomicString& from
+ a static table.
+ (WebCore::CSSPrimitiveValue::parserValue): Updated for the above change.
+
+2010-03-12 Dan Bernstein <mitz at apple.com>
+
Build fix.
* platform/chromium/PlatformKeyboardEventChromium.cpp:
diff --git a/WebCore/css/CSSPrimitiveValue.cpp b/WebCore/css/CSSPrimitiveValue.cpp
index 1f2c9ca..d373cc1 100644
--- a/WebCore/css/CSSPrimitiveValue.cpp
+++ b/WebCore/css/CSSPrimitiveValue.cpp
@@ -116,11 +116,30 @@ PassRefPtr<CSSPrimitiveValue> CSSPrimitiveValue::create(const String& value, Uni
return adoptRef(new CSSPrimitiveValue(value, type));
}
-static const char* valueOrPropertyName(int valueOrPropertyID)
+static const AtomicString& valueOrPropertyName(int valueOrPropertyID)
{
- if (const char* valueName = getValueName(valueOrPropertyID))
- return valueName;
- return getPropertyName(static_cast<CSSPropertyID>(valueOrPropertyID));
+ ASSERT_ARG(valueOrPropertyID, valueOrPropertyID >= 0);
+ ASSERT_ARG(valueOrPropertyID, valueOrPropertyID < numCSSValueKeywords || (valueOrPropertyID >= firstCSSProperty && valueOrPropertyID < firstCSSProperty + numCSSProperties));
+
+ if (valueOrPropertyID < 0)
+ return nullAtom;
+
+ if (valueOrPropertyID < numCSSValueKeywords) {
+ static AtomicString* cssValueKeywordStrings[numCSSValueKeywords];
+ if (!cssValueKeywordStrings[valueOrPropertyID])
+ cssValueKeywordStrings[valueOrPropertyID] = new AtomicString(getValueName(valueOrPropertyID));
+ return *cssValueKeywordStrings[valueOrPropertyID];
+ }
+
+ if (valueOrPropertyID >= firstCSSProperty && valueOrPropertyID < firstCSSProperty + numCSSProperties) {
+ static AtomicString* cssPropertyStrings[numCSSProperties];
+ int propertyIndex = valueOrPropertyID - firstCSSProperty;
+ if (!cssPropertyStrings[propertyIndex])
+ cssPropertyStrings[propertyIndex] = new AtomicString(getPropertyName(static_cast<CSSPropertyID>(valueOrPropertyID)));
+ return *cssPropertyStrings[propertyIndex];
+ }
+
+ return nullAtom;
}
// "ident" from the CSS tokenizer, minus backslash-escape sequences
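Review bot: The entries of cssValueKeywordStrings and cssPropertyStrings are allocated with new and never released, and nothing in the hunk says this is deliberate; a maintainer who later "fixes" the leak would reintroduce the dangling pointer this commit removes, because parserValue() hands out raw character pointers into these strings. Add a comment above each table, e.g. `// Allocated once and intentionally never freed: callers keep raw character pointers into these strings, so they must live for the rest of the process.` The fill is also an unsynchronized check-then-assign, which is only safe if valueOrPropertyName() is reached from a single thread; that is presumably true for CSS parsing here but is worth stating in the same comment rather than leaving implicit. The `if (valueOrPropertyID < 0) return nullAtom;` guard repeats the ASSERT_ARG above it, which matches the debug-assert/release-tolerate style of the file and need not change.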
@@ -930,7 +949,7 @@ CSSParserValue CSSPrimitiveValue::parserValue() const
break;
case CSS_IDENT: {
value.id = m_value.ident;
- String name = valueOrPropertyName(m_value.ident);
+ const AtomicString& name = valueOrPropertyName(m_value.ident);
value.string.characters = const_cast<UChar*>(name.characters());
value.string.length = name.length();
break;
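Review bot: The const_cast on `value.string.characters` now strips const from a process-lifetime, shared AtomicString rather than from a local temporary, so any consumer that writes through CSSParserValue::string would corrupt the interned keyword for every later lookup instead of only this call's doomed local String. A comment on the assignment would make the contract explicit, e.g. `// Points into a static, shared AtomicString; the characters must be treated as read-only.` parserValue() and its switch begin above the hunk, so whether the other cases share this shape cannot be seen here.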