RESOLVED FIXED 94998
[Crash] Null pointer in CSSParser::parseMixFunction()
https://bugs.webkit.org/show_bug.cgi?id=94998
Summary [Crash] Null pointer in CSSParser::parseMixFunction()
Michelangelo De Simone
Reported 2012-08-24 23:59:06 PDT
Crashes may arise within parseMixFunction() when the arguments of the mix() function are comma terminated.
Attachments
Patch (4.23 KB, patch)
2012-08-25 00:03 PDT, Michelangelo De Simone
no flags
Patch for landing (4.47 KB, patch)
2012-08-25 01:20 PDT, Michelangelo De Simone
no flags
Michelangelo De Simone
Comment 1 2012-08-25 00:03:02 PDT
Benjamin Poulain
Comment 2 2012-08-25 01:12:25 PDT
Comment on attachment 160555 Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=160555&action=review
The patch looks correct.
> Source/WebCore/ChangeLog:3
> + [Crash] Dangling pointer in CSSParser::parseMixFunction()
The title needs to be updated.
> LayoutTests/css3/filters/script-tests/custom-filter-property-parsing-invalid.js:50
> +testInvalidFilterRule("Mix function with comma terminator", "custom(none mix(url(shader), multiply clear,))");
I would also have the minimum parsing that would lead to the crash. Probably: mix(,).
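Review bot: the new case at custom-filter-property-parsing-invalid.js:50 places the terminating comma only after a complete argument list (`multiply clear,`), so it pins a single position. Consider adding a companion case where the list ends on a comma earlier, directly after `url(shader)`, so the regression test fails if the missing-argument check is later dropped for any one argument slot.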
Michelangelo De Simone
Comment 3 2012-08-25 01:20:12 PDT
Created attachment 160556 Patch for landing
WebKit Review Bot
Comment 4 2012-08-25 02:23:22 PDT
Comment on attachment 160556 Patch for landing
Clearing flags on attachment: 160556
Committed r126681: <http://trac.webkit.org/changeset/126681>
WebKit Review Bot
Comment 5 2012-08-25 02:23:26 PDT
All reviewed patches have been landed. Closing bug.