48389 2010-10-26 17:09:09 -0700 REGRESSION(r67170): crash in removeImplicitlyStyledElement 2010-10-27 17:31:02 -0700 1 1 1 Unclassified WebKit HTML Editing 528+ (Nightly build) All All RESOLVED FIXED HasReduction P1 Normal --- 1 rniwa rniwa enrica eric ojan tony oldest_to_newest 299901 0 rniwa 2010-10-26 17:09:09 -0700 The crash occurs in the following lines of removeImplicitlyStyledElement when mapValue is null and extractedStyle is not null: if (extractedStyle) extractedStyle->setProperty(equivalent.propertyID, mapValue->cssText()); 299902 1 71967 rniwa 2010-10-26 17:09:33 -0700 Created attachment 71967 demo 299906 2 rniwa 2010-10-26 17:19:07 -0700 http://crbug.com/59992 299908 3 71969 rniwa 2010-10-26 17:20:46 -0700 Created attachment 71969 fixes the crash 299909 4 71969 tkent 2010-10-26 17:21:42 -0700 Comment on attachment 71969 fixes the crash ok 299910 5 rniwa 2010-10-26 17:23:26 -0700 (In reply to comment #4) > (From update of attachment 71969 [details]) > ok wow, that was really quick! I'll appreciate if you can take a look at https://bugs.webkit.org/show_bug.cgi?id=48349 since it's a security bug. I just cc-ed you on the bug. 299915 6 rniwa 2010-10-26 17:44:07 -0700 Thanks for the review, Kent. Landed as http://trac.webkit.org/changeset/70593. 71967 2010-10-26 17:09:33 -0700 2010-10-26 17:09:33 -0700 demo invalid-font-size.html text/html 269 rniwa PCFET0NUWVBFIGh0bWw+CjxodG1sPgo8Ym9keT4KPGRpdiBpZD0idGVzdCIgY29udGVudGVkaXRh YmxlPjxmb250IHNpemU9IngiPmhlbGxvPC9mb250PjwvZGl2Pgo8c2NyaXB0PgoKdmFyIHRlc3Qg PSBkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgndGVzdCcpOwp3aW5kb3cuZ2V0U2VsZWN0aW9uKCku c2VsZWN0QWxsQ2hpbGRyZW4odGVzdCk7CmRvY3VtZW50LmV4ZWNDb21tYW5kKCdmb250U2l6ZScs IGZhbHNlLCAnNCcpOwoKPC9zY3JpcHQ+CjwvYm9keT4KPC9odG1sPgo= 71969 2010-10-26 17:20:46 -0700 2010-10-26 17:21:42 -0700 fixes the crash bug-48389-20101026172045.patch text/plain 3503 rniwa SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA3MDU5MSkKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTcgQEAKKzIwMTAtMTAtMjYgIFJ5b3N1a2UgTml3YSAgPHJuaXdhQHdlYmtpdC5v cmc+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgUkVH UkVTU0lPTihyNjcxNzApOiBjcmFzaCBpbiByZW1vdmVJbXBsaWNpdGx5U3R5bGVkRWxlbWVudAor ICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9NDgzODkKKwor ICAgICAgICBGaXhlZCB0aGUgY3Jhc2ggYnkgYWRkaW5nIGEgbnVsbCBwb2ludGVyIGNoZWNrLgor CisgICAgICAgIFRlc3Q6IGVkaXRpbmcvc3R5bGUvaW52YWxpZC1mb250LXNpemUuaHRtbAorCisg ICAgICAgICogZWRpdGluZy9BcHBseVN0eWxlQ29tbWFuZC5jcHA6CisgICAgICAgIChXZWJDb3Jl OjpBcHBseVN0eWxlQ29tbWFuZDo6cmVtb3ZlSW1wbGljaXRseVN0eWxlZEVsZW1lbnQpOgorCiAy MDEwLTEwLTI2ICBEaW1pdHJpIEdsYXprb3YgIDxkZ2xhemtvdkBjaHJvbWl1bS5vcmc+CiAKICAg ICAgICAgVW5yZXZpZXdlZCwgcm9sbGluZyBvdXQgcjcwNTczLgpJbmRleDogV2ViQ29yZS9lZGl0 aW5nL0FwcGx5U3R5bGVDb21tYW5kLmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBXZWJDb3JlL2VkaXRpbmcv QXBwbHlTdHlsZUNvbW1hbmQuY3BwCShyZXZpc2lvbiA3MDUwNikKKysrIFdlYkNvcmUvZWRpdGlu Zy9BcHBseVN0eWxlQ29tbWFuZC5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTEzNjAsNyArMTM2MCw3 IEBAIGJvb2wgQXBwbHlTdHlsZUNvbW1hbmQ6OnJlbW92ZUltcGxpY2l0bHkKICAgICAgICAgICAg ICAgICBjb250aW51ZTsgLy8gSWYgQ1NTIHZhbHVlIGlzIHByaW1pdGl2ZSwgdGhlbiBza2lwIGlm IHRoZXkgYXJlIGVxdWFsLgogICAgICAgICB9CiAKLSAgICAgICAgaWYgKGV4dHJhY3RlZFN0eWxl KQorICAgICAgICBpZiAoZXh0cmFjdGVkU3R5bGUgJiYgbWFwVmFsdWUpCiAgICAgICAgICAgICBl eHRyYWN0ZWRTdHlsZS0+c2V0UHJvcGVydHkoZXF1aXZhbGVudC5wcm9wZXJ0eUlELCBtYXBWYWx1 ZS0+Y3NzVGV4dCgpKTsKIAogICAgICAgICBpZiAobW9kZSA9PSBSZW1vdmVOb25lKQpJbmRleDog TGF5b3V0VGVzdHMvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExheW91dFRlc3RzL0NoYW5nZUxv ZwkocmV2aXNpb24gNzA1OTEpCisrKyBMYXlvdXRUZXN0cy9DaGFuZ2VMb2cJKHdvcmtpbmcgY29w eSkKQEAgLTEsMyArMSwxNiBAQAorMjAxMC0xMC0yNiAgUnlvc3VrZSBOaXdhICA8cm5pd2FAd2Vi a2l0Lm9yZz4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAg ICBSRUdSRVNTSU9OKHI2NzE3MCk6IGNyYXNoIGluIHJlbW92ZUltcGxpY2l0bHlTdHlsZWRFbGVt ZW50CisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD00ODM4 OQorCisgICAgICAgIEFkZGVkIGEgdGVzdCB0byBlbnN1cmUgV2ViS2l0IGRvZXMgbm90IGNyYXNo IHdoZW4gY2hhbmdpbmcgdGhlIGZvbnQgc2l6ZQorICAgICAgICBvZiB0ZXh0IGluc2lkZSBhIGZv bnQgZWxlbWVudCB3aXRoIGFuIGludmFsaWQgc2l6ZSBhdHRyaWJ1dGUuCisKKyAgICAgICAgKiBl ZGl0aW5nL3N0eWxlL2ludmFsaWQtZm9udC1zaXplLWV4cGVjdGVkLnR4dDogQWRkZWQuCisgICAg ICAgICogZWRpdGluZy9zdHlsZS9pbnZhbGlkLWZvbnQtc2l6ZS5odG1sOiBBZGRlZC4KKwogMjAx MC0xMC0yNiAgU3RlcGhlbiBXaGl0ZSAgPHNlbm9yYmxhbmNvQGNocm9taXVtLm9yZz4KIAogICAg ICAgICBSZXZpZXdlZCBieSBLZW5uZXRoIFJ1c3NlbGwuCkluZGV4OiBMYXlvdXRUZXN0cy9lZGl0 aW5nL3N0eWxlL2ludmFsaWQtZm9udC1zaXplLWV4cGVjdGVkLnR4dAo9PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBM YXlvdXRUZXN0cy9lZGl0aW5nL3N0eWxlL2ludmFsaWQtZm9udC1zaXplLWV4cGVjdGVkLnR4dAko cmV2aXNpb24gMCkKKysrIExheW91dFRlc3RzL2VkaXRpbmcvc3R5bGUvaW52YWxpZC1mb250LXNp emUtZXhwZWN0ZWQudHh0CShyZXZpc2lvbiAwKQpAQCAtMCwwICsxLDYgQEAKK1RoaXMgdGVzdHMg YXBwbHlpbmcgZm9udCBzaXplIHRvIHRleHQgaW5zaWRlIGEgZm9udCBlbGVtZW50IHdpdGggYW4g aW52YWxpZCBzaXplIGF0dHJpYnV0ZS4KK1dlYktpdCBzaG91bGQgbm90IGNyYXNoIGFuZCB0aGVy ZSBzaG91bGQgYmUgZXhhY3RseSBvbmUgZm9udCBlbGVtZW50IHdpdGggc2l6ZT0iNCIKK3wgPGZv bnQ+Cit8ICAgY2xhc3M9IkFwcGxlLXN0eWxlLXNwYW4iCit8ICAgc2l6ZT0iNCIKK3wgICAiPCNz ZWxlY3Rpb24tYW5jaG9yPmhlbGxvPCNzZWxlY3Rpb24tZm9jdXM+IgpJbmRleDogTGF5b3V0VGVz dHMvZWRpdGluZy9zdHlsZS9pbnZhbGlkLWZvbnQtc2l6ZS5odG1sCj09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExh eW91dFRlc3RzL2VkaXRpbmcvc3R5bGUvaW52YWxpZC1mb250LXNpemUuaHRtbAkocmV2aXNpb24g MCkKKysrIExheW91dFRlc3RzL2VkaXRpbmcvc3R5bGUvaW52YWxpZC1mb250LXNpemUuaHRtbAko cmV2aXNpb24gMCkKQEAgLTAsMCArMSwxNyBAQAorPCFET0NUWVBFIGh0bWw+Cis8aHRtbD4KKzxi b2R5PgorPHNjcmlwdCBzcmM9Ii4uLy4uL3Jlc291cmNlcy9kdW1wLWFzLW1hcmt1cC5qcyI+PC9z Y3JpcHQ+Cis8ZGl2IGlkPSJ0ZXN0IiBjb250ZW50ZWRpdGFibGU+PGZvbnQgc2l6ZT0ieCI+aGVs bG88L2ZvbnQ+PC9kaXY+Cis8c2NyaXB0PgorCitNYXJrdXAuZGVzY3JpcHRpb24oJ1RoaXMgdGVz dHMgYXBwbHlpbmcgZm9udCBzaXplIHRvIHRleHQgaW5zaWRlIGEgZm9udCBlbGVtZW50IHdpdGgg YW4gaW52YWxpZCBzaXplIGF0dHJpYnV0ZS5cbicgKyAKKydXZWJLaXQgc2hvdWxkIG5vdCBjcmFz aCBhbmQgdGhlcmUgc2hvdWxkIGJlIGV4YWN0bHkgb25lIGZvbnQgZWxlbWVudCB3aXRoIHNpemU9 IjQiJykKK3ZhciB0ZXN0ID0gZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoJ3Rlc3QnKTsKK3dpbmRv dy5nZXRTZWxlY3Rpb24oKS5zZWxlY3RBbGxDaGlsZHJlbih0ZXN0KTsKK2RvY3VtZW50LmV4ZWND b21tYW5kKCdmb250U2l6ZScsIGZhbHNlLCAnNCcpOworTWFya3VwLmR1bXAodGVzdCk7CisKKzwv c2NyaXB0PgorPC9ib2R5PgorPC9odG1sPgo=