Title: [94215] trunk
- Revision: 94215
- Author: [email protected]
- Date: 2011-08-31 12:12:36 -0700 (Wed, 31 Aug 2011)
Log Message
Crash with -webkit-radial-gradient(top) gradient
https://bugs.webkit.org/show_bug.cgi?id=66686

Source/WebCore:

Reviewed by Darin Adler.

Null-check the current value after calling parseFillPosition(),
since it may be null for gradients with degenerate arguments.

Test: fast/gradients/css3-radial-gradient-crash.html

* css/CSSParser.cpp:
(WebCore::CSSParser::parseRadialGradient):

LayoutTests:

Reviewed by Darin Adler.

Test case with degenerate arguments in a radial gradient.

* fast/gradients/css3-radial-gradient-crash-expected.txt: Added.
* fast/gradients/css3-radial-gradient-crash.html: Added.

Diff
Modified: trunk/LayoutTests/ChangeLog (94214 => 94215)
--- trunk/LayoutTests/ChangeLog 2011-08-31 19:08:24 UTC (rev 94214)
+++ trunk/LayoutTests/ChangeLog 2011-08-31 19:12:36 UTC (rev 94215)
@@ -1,3 +1,15 @@
+2011-08-31 Simon Fraser <[email protected]>
+
+ Crash with -webkit-radial-gradient(top) gradient
+ https://bugs.webkit.org/show_bug.cgi?id=66686
+
+ Reviewed by Darin Adler.
+
+ Test case with degenerate arguments in a radial gradient.
+
+ * fast/gradients/css3-radial-gradient-crash-expected.txt: Added.
+ * fast/gradients/css3-radial-gradient-crash.html: Added.
+
2011-08-31 Nate Chapin <[email protected]>
Test updates for https://bugs.webkit.org/show_bug.cgi?id=30303.
Added: trunk/LayoutTests/fast/gradients/css3-radial-gradient-crash-expected.txt (0 => 94215)
--- trunk/LayoutTests/fast/gradients/css3-radial-gradient-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/gradients/css3-radial-gradient-crash-expected.txt 2011-08-31 19:12:36 UTC (rev 94215)
@@ -0,0 +1,3 @@
+This test should not crash.
+
+
Property changes on: trunk/LayoutTests/fast/gradients/css3-radial-gradient-crash-expected.txt
___________________________________________________________________
Added: svn:mime-type
Added: svn:keywords
Added: svn:eol-style
Added: trunk/LayoutTests/fast/gradients/css3-radial-gradient-crash.html (0 => 94215)
--- trunk/LayoutTests/fast/gradients/css3-radial-gradient-crash.html (rev 0)
+++ trunk/LayoutTests/fast/gradients/css3-radial-gradient-crash.html 2011-08-31 19:12:36 UTC (rev 94215)
@@ -0,0 +1,11 @@
+<head>
+<script>
+if (window.layoutTestController)
+ window.layoutTestController.dumpAsText();
+</script>
+</head>
+<body>
+<p>This test should not crash.</p>
+<div style="height: 10px; width: 10px; background-image: -webkit-radial-gradient(top)"></div>
+</body>
+
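Review bot: The test's single case, background-image: -webkit-radial-gradient(top) on the div, exercises only one degenerate argument list, while the log message describes the fix as covering gradients with degenerate arguments in general. Consider adding a few more divs with other position-only argument lists to the same file, so that a regression on any of them is caught here. The file also starts at <head> with no doctype or <html> element, which is worth adding if quirks mode is not intended for this test.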
Property changes on: trunk/LayoutTests/fast/gradients/css3-radial-gradient-crash.html
___________________________________________________________________
Added: svn:mime-type
Added: svn:keywords
Added: svn:eol-style
Modified: trunk/Source/WebCore/ChangeLog (94214 => 94215)
--- trunk/Source/WebCore/ChangeLog 2011-08-31 19:08:24 UTC (rev 94214)
+++ trunk/Source/WebCore/ChangeLog 2011-08-31 19:12:36 UTC (rev 94215)
@@ -1,3 +1,18 @@
+2011-08-31 Simon Fraser <[email protected]>
+
+ Crash with -webkit-radial-gradient(top) gradient
+ https://bugs.webkit.org/show_bug.cgi?id=66686
+
+ Reviewed by Darin Adler.
+
+ Null-check the current value after calling parseFillPosition(),
+ since it may be null for gradients with degenerate arguments.
+
+ Test: fast/gradients/css3-radial-gradient-crash.html
+
+ * css/CSSParser.cpp:
+ (WebCore::CSSParser::parseRadialGradient):
+
2011-08-31 Nico Weber <[email protected]>
Make ScrollAnimator(Chromium)?Mac check scrollAnimatorEnabled()
Modified: trunk/Source/WebCore/css/CSSParser.cpp (94214 => 94215)
--- trunk/Source/WebCore/css/CSSParser.cpp 2011-08-31 19:08:24 UTC (rev 94214)
+++ trunk/Source/WebCore/css/CSSParser.cpp 2011-08-31 19:12:36 UTC (rev 94215)
@@ -5751,6 +5751,8 @@
// parseFillPosition advances the args next pointer.
parseFillPosition(args, centerX, centerY);
a = args->current();
+ if (!a)
+ return false;
if (centerX || centerY) {
// Comma
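Review bot: The added check, if (!a) return false; directly after a = args->current(), carries no comment saying why a can be null at this point. The comment above it only says that parseFillPosition advances the args pointer; extend it to say that the position can consume the last argument, as in -webkit-radial-gradient(top), which leaves current() null. It is also worth confirming that the other places in parseRadialGradient that re-read args->current() after advancing are guarded the same way, since only this one is visible in the hunk.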