Title: [125243] trunk
Revision
125243
Author
macpher...@chromium.org
Date
2012-08-09 20:37:03 -0700 (Thu, 09 Aug 2012)

Log Message

Fix null pointer deref in RenderFileUploadControl::computePreferredLogicalWidth().
https://bugs.webkit.org/show_bug.cgi?id=93579

Reviewed by Kent Tamura.

Source/WebCore:

Checks the upload control has a non-null button renderer before dereferencing.

Test: fast/forms/file/file-crash-by-display-none-button.html

* rendering/RenderFileUploadControl.cpp:
(WebCore::RenderFileUploadControl::computePreferredLogicalWidths):

LayoutTests:

Exercise code path that causes an upload button to exist without a renderer.

* fast/forms/file/file-crash-by-display-none-button.html: Added.
* fast/forms/file/file-crash-by-display-none-button-expected.txt: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (125242 => 125243)


--- trunk/LayoutTests/ChangeLog	2012-08-10 03:05:10 UTC (rev 125242)
+++ trunk/LayoutTests/ChangeLog	2012-08-10 03:37:03 UTC (rev 125243)
@@ -1,3 +1,15 @@
+2012-08-09  Luke Macpherson   <macpher...@chromium.org>
+
+        Fix null pointer deref in RenderFileUploadControl::computePreferredLogicalWidth().
+        https://bugs.webkit.org/show_bug.cgi?id=93579
+
+        Reviewed by Kent Tamura.
+
+        Exercise code path that causes an upload button to exist without a renderer.
+
+        * fast/forms/file/file-crash-by-display-none-button.html: Added.
+        * fast/forms/file/file-crash-by-display-none-button-expected.txt: Added.
+
 2012-08-09  Yuta Kitamura  <yu...@chromium.org>
 
         Unreviewed. Remove duplicate test expectation entry causing a lint error.
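Review bot: the title line of the new entry names the function as computePreferredLogicalWidth(), while the modified function in RenderFileUploadControl.cpp is computePreferredLogicalWidths (plural, as the Source/WebCore entry's bullet lists it); fix the title to the real name so the entry is greppable, for example "Fix null pointer deref in RenderFileUploadControl::computePreferredLogicalWidths()."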

Added: trunk/LayoutTests/fast/forms/file/file-crash-by-display-none-button-expected.txt (0 => 125243)


--- trunk/LayoutTests/fast/forms/file/file-crash-by-display-none-button-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/file/file-crash-by-display-none-button-expected.txt	2012-08-10 03:37:03 UTC (rev 125243)
@@ -0,0 +1 @@
+This test is successful it it does not crash. 
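Review bot: the expectation line has a typo ("it it" for "if it") and a trailing space; since the expected file must match the test's dumped text byte for byte, fix the sentence in both this file and the test page together, as "This test is successful if it does not crash." with no trailing whitespace.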

Added: trunk/LayoutTests/fast/forms/file/file-crash-by-display-none-button.html (0 => 125243)


--- trunk/LayoutTests/fast/forms/file/file-crash-by-display-none-button.html	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/file/file-crash-by-display-none-button.html	2012-08-10 03:37:03 UTC (rev 125243)
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<script>
+    if (window.internals)
+        testRunner.dumpAsText();
+</script>
+<style>
+input::-webkit-file-upload-button { display: none; }
+</style>
+This test is successful it it does not crash.
+<input type="file"/>
+
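Review bot: the guard on the script checks window.internals but the call is to testRunner.dumpAsText(), so in a browser that exposes internals without a testRunner (or vice versa) the condition and the call disagree; the usual form is "if (window.testRunner) testRunner.dumpAsText();". The visible sentence also repeats the "it it" typo from the expected file, and the file ends with an extra blank line that is not needed for the test to reproduce the display:none button path.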

Modified: trunk/Source/WebCore/ChangeLog (125242 => 125243)


--- trunk/Source/WebCore/ChangeLog	2012-08-10 03:05:10 UTC (rev 125242)
+++ trunk/Source/WebCore/ChangeLog	2012-08-10 03:37:03 UTC (rev 125243)
@@ -1,3 +1,17 @@
+2012-08-09  Luke Macpherson   <macpher...@chromium.org>
+
+        Fix null pointer deref in RenderFileUploadControl::computePreferredLogicalWidth().
+        https://bugs.webkit.org/show_bug.cgi?id=93579
+
+        Reviewed by Kent Tamura.
+
+        Checks the upload control has a non-null button renderer before dereferencing.
+
+        Test: fast/forms/file/file-crash-by-display-none-button.html
+
+        * rendering/RenderFileUploadControl.cpp:
+        (WebCore::RenderFileUploadControl::computePreferredLogicalWidths):
+
 2012-08-09  Kentaro Hara  <hara...@chromium.org>
 
         [V8] Rename V8BindingPerContextData to V8PerContextData
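Review bot: the entry is internally inconsistent about the function name, computePreferredLogicalWidth() in the title versus computePreferredLogicalWidths in the bullet; the bullet is the correct one, so correct the title. It would also help a reader to state the trigger the test relies on, a ::-webkit-file-upload-button rule with display: none, so that the "non-null button renderer" check is tied to the concrete condition that produces a button element without a renderer.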

Modified: trunk/Source/WebCore/rendering/RenderFileUploadControl.cpp (125242 => 125243)


--- trunk/Source/WebCore/rendering/RenderFileUploadControl.cpp	2012-08-10 03:05:10 UTC (rev 125242)
+++ trunk/Source/WebCore/rendering/RenderFileUploadControl.cpp	2012-08-10 03:37:03 UTC (rev 125243)
@@ -194,7 +194,8 @@
         const String label = theme()->fileListDefaultLabel(node()->toInputElement()->multiple());
         float defaultLabelWidth = font.width(constructTextRun(this, font, label, style, TextRun::AllowTrailingExpansion));
         if (HTMLInputElement* button = uploadButton())
-            defaultLabelWidth += button->renderer()->maxPreferredLogicalWidth() + afterButtonSpacing;
+            if (RenderObject* buttonRenderer = button->renderer())
+                defaultLabelWidth += buttonRenderer->maxPreferredLogicalWidth() + afterButtonSpacing;
         m_maxPreferredLogicalWidth = static_cast<int>(ceilf(max(minDefaultLabelWidth, defaultLabelWidth)));
     }
 
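Review bot: the null check itself is right, since a display:none upload button is an HTMLInputElement with no RenderObject, but the two nested brace-less ifs are fragile; a later edit that adds an else to either line binds to the wrong if. Either wrap the outer body in braces or fold the two conditions into one guard, for example "if (HTMLInputElement* button = uploadButton()) {" followed by the inner check and the addition, then "}". Since the same uploadButton()->renderer() pattern is what crashed here, it is worth checking the remaining uses of uploadButton() in this file for the same assumption before landing.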
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes
