Bug 94998 - [Crash] Null pointer in CSSParser::parseMixFunction()
Summary: [Crash] Null pointer in CSSParser::parseMixFunction()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS
Version: 528+ (Nightly build)
Hardware: All, OS: All
Importance: P1 Major
Assignee: Michelangelo De Simone
URL:
Keywords:
Depends on:
Blocks: 71446
Reported: 2012-08-24 23:59 PDT by Michelangelo De Simone
Modified: 2012-08-25 02:23 PDT

See Also:


Attachments
Patch (4.23 KB, patch)
2012-08-25 00:03 PDT, Michelangelo De Simone
Patch for landing (4.47 KB, patch)
2012-08-25 01:20 PDT, Michelangelo De Simone

Description Michelangelo De Simone 2012-08-24 23:59:06 PDT
Crashes may arise within parseMixFunction() when the arguments of the mix() function are comma terminated.
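The comma-terminated argument list from the description, modelled as an added example that is not WebKit's parser or this patch's code: a toy token list whose cursor returns a null pointer at end of input, and an argument parser that checks for that null after stepping past a comma instead of dereferencing it. The names TokenList, lexMixArguments, parseMixArguments and the sample inputs are hypothetical and constructed for the illustration.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Toy model of a parser value list: a flat token sequence walked with a
// cursor that yields nullptr at end of input. Hypothetical names; this is
// not WebKit's CSSParserValueList.
struct Token {
    enum Kind { Ident, Comma } kind;
    std::string text;
};

class TokenList {
public:
    explicit TokenList(std::vector<Token> tokens) : m_tokens(std::move(tokens)) {}
    // nullptr at end of list: every caller that advances must be ready for it.
    const Token* current() const {
        return m_index < m_tokens.size() ? &m_tokens[m_index] : nullptr;
    }
    const Token* next() {
        if (m_index < m_tokens.size())
            ++m_index;
        return current();
    }
private:
    std::vector<Token> m_tokens;
    size_t m_index = 0;
};

// Constructed toy lexer for the text inside mix(...): commas are separators,
// whitespace is skipped, and any other run of characters is one identifier
// (so "url(shader)" stays a single token).
TokenList lexMixArguments(const std::string& src) {
    std::vector<Token> tokens;
    size_t i = 0;
    while (i < src.size()) {
        unsigned char c = static_cast<unsigned char>(src[i]);
        if (std::isspace(c)) { ++i; continue; }
        if (c == ',') { tokens.push_back({Token::Comma, ","}); ++i; continue; }
        size_t start = i;
        while (i < src.size() && src[i] != ',' && !std::isspace(static_cast<unsigned char>(src[i])))
            ++i;
        tokens.push_back({Token::Ident, src.substr(start, i - start)});
    }
    return TokenList(tokens);
}

// Parses a comma-separated argument list where each argument is one or more
// space-separated identifiers. Returns false, rather than crashing, for an
// empty list, an empty argument (",") or a trailing comma ("a, b,").
bool parseMixArguments(TokenList& list, std::vector<std::vector<std::string>>& args) {
    args.clear();
    const Token* tok = list.current();
    if (!tok)
        return false;                       // mix() with no arguments at all
    while (true) {
        if (tok->kind != Token::Ident)
            return false;                   // leading or doubled comma, e.g. mix(,)
        std::vector<std::string> arg;
        while (tok && tok->kind == Token::Ident) {
            arg.push_back(tok->text);
            tok = list.next();
        }
        args.push_back(arg);
        if (!tok)
            return true;                    // list ended cleanly after an argument
        tok = list.next();                  // step past the comma
        // Trailing comma: the list ended right after the separator. This is the
        // check whose absence turns "multiply clear," into a null dereference
        // on the next loop iteration.
        if (!tok)
            return false;
    }
}

bool isValidMixArgumentList(const std::string& src) {
    TokenList list = lexMixArguments(src);
    std::vector<std::vector<std::string>> args;
    return parseMixArguments(list, args);
}

// Number of parsed arguments, or 0 when the list is rejected.
size_t countMixArguments(const std::string& src) {
    TokenList list = lexMixArguments(src);
    std::vector<std::vector<std::string>> args;
    return parseMixArguments(list, args) ? args.size() : 0;
}

int main() {
    const char* samples[] = { "url(shader), multiply clear", "url(shader), multiply clear,", ",", "" };
    for (const char* s : samples)
        std::cout << '"' << s << "\" -> " << (isValidMixArgumentList(s) ? "valid" : "rejected") << '\n';
    return 0;
}
```

The point of the model is the cursor contract: next() may return null after any token, so the parser treats "comma then nothing" as a rejected input rather than assuming another value follows. The same reasoning covers the minimal case mix(,) that the review asks for as a test.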
Comment 1 Michelangelo De Simone 2012-08-25 00:03:02 PDT
Created attachment 160555 [details]
Patch
Comment 2 Benjamin Poulain 2012-08-25 01:12:25 PDT
Comment on attachment 160555 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=160555&action=review

The patch looks correct.

> Source/WebCore/ChangeLog:3
> +        [Crash] Dangling pointer in CSSParser::parseMixFunction()

The title needs to be updated.

> LayoutTests/css3/filters/script-tests/custom-filter-property-parsing-invalid.js:50
> +testInvalidFilterRule("Mix function with comma terminator", "custom(none mix(url(shader), multiply clear,))");

I would also have the minimum parsing that would lead to the crash. Probably: mix(,).
Comment 3 Michelangelo De Simone 2012-08-25 01:20:12 PDT
Created attachment 160556 [details]
Patch for landing
Comment 4 WebKit Review Bot 2012-08-25 02:23:22 PDT
Comment on attachment 160556 [details]
Patch for landing

Clearing flags on attachment: 160556

Committed r126681: <http://trac.webkit.org/changeset/126681>
Comment 5 WebKit Review Bot 2012-08-25 02:23:26 PDT
All reviewed patches have been landed.  Closing bug.