<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[209383] trunk/Source/WebCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/209383">209383</a></dd>
<dt>Author</dt> <dd>hyatt@apple.com</dd>
<dt>Date</dt> <dd>2016-12-05 20:34:51 -0800 (Mon, 05 Dec 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>[CSS Parser] Properly reject large numeric values
https://bugs.webkit.org/show_bug.cgi?id=165455
Reviewed by Zalan Bujtas.
The new parser clamped numeric values in both the slow and fast paths to the max
and min float values. The old parser simply allowed the values to be inf, and then
had std::isinf checks to reject.
Blink rejects also even though it clamps, but I could not discern the mechanism by
which they did so. Therefore I am changing the new parser to exactly match the old
parser. Numeric values are no longer clamped, but instead are allowed to be inf, and
isinf checks now exist in the new parser in the same places they do in the old parser.
* css/parser/CSSParserFastPaths.cpp:
(WebCore::parseSimpleLength):
(WebCore::parseSimpleLengthValue):
* css/parser/CSSParserToken.cpp:
(WebCore::CSSParserToken::CSSParserToken):
* css/parser/CSSPropertyParserHelpers.cpp:
(WebCore::CSSPropertyParserHelpers::consumeLength):
(WebCore::CSSPropertyParserHelpers::consumePercent):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorecssparserCSSParserFastPathscpp">trunk/Source/WebCore/css/parser/CSSParserFastPaths.cpp</a></li>
<li><a href="#trunkSourceWebCorecssparserCSSParserTokencpp">trunk/Source/WebCore/css/parser/CSSParserToken.cpp</a></li>
<li><a href="#trunkSourceWebCorecssparserCSSPropertyParserHelperscpp">trunk/Source/WebCore/css/parser/CSSPropertyParserHelpers.cpp</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (209382 => 209383)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2016-12-06 03:37:29 UTC (rev 209382)
+++ trunk/Source/WebCore/ChangeLog 2016-12-06 04:34:51 UTC (rev 209383)
</span><span class="lines">@@ -1,3 +1,28 @@
</span><ins>+2016-12-05 Dave Hyatt <hyatt@apple.com>
+
+ [CSS Parser] Properly reject large numeric values
+ https://bugs.webkit.org/show_bug.cgi?id=165455
+
+ Reviewed by Zalan Bujtas.
+
+ The new parser clamped numeric values in both the slow and fast paths to the max
+ and min float values. The old parser simply allowed the values to be inf, and then
+ had std::isinf checks to reject.
+
+ Blink rejects also even though it clamps, but I could not discern the mechanism by
+ which they did so. Therefore I am changing the new parser to exactly match the old
+ parser. Numeric values are no longer clamped, but instead are allowed to be inf, and
+ isinf checks now exist in the new parser in the same places they do in the old parser.
+
+ * css/parser/CSSParserFastPaths.cpp:
+ (WebCore::parseSimpleLength):
+ (WebCore::parseSimpleLengthValue):
+ * css/parser/CSSParserToken.cpp:
+ (WebCore::CSSParserToken::CSSParserToken):
+ * css/parser/CSSPropertyParserHelpers.cpp:
+ (WebCore::CSSPropertyParserHelpers::consumeLength):
+ (WebCore::CSSPropertyParserHelpers::consumePercent):
+
</ins><span class="cx"> 2016-12-05 Ricky Mondello <rmondello@apple.com>
</span><span class="cx">
</span><span class="cx"> STP 19 fails to launch on 16B255
</span></span></pre></div>
<a id="trunkSourceWebCorecssparserCSSParserFastPathscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/css/parser/CSSParserFastPaths.cpp (209382 => 209383)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/css/parser/CSSParserFastPaths.cpp 2016-12-06 03:37:29 UTC (rev 209382)
+++ trunk/Source/WebCore/css/parser/CSSParserFastPaths.cpp 2016-12-06 04:34:51 UTC (rev 209383)
</span><span class="lines">@@ -118,7 +118,6 @@
</span><span class="cx"> number = charactersToDouble(characters, length, &ok);
</span><span class="cx"> if (!ok)
</span><span class="cx"> return false;
</span><del>- number = clampTo<double>(number, -std::numeric_limits<float>::max(), std::numeric_limits<float>::max());
</del><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -151,6 +150,8 @@
</span><span class="cx">
</span><span class="cx"> if (number < 0 && !acceptsNegativeNumbers)
</span><span class="cx"> return nullptr;
</span><ins>+ if (std::isinf(number))
+ return nullptr;
</ins><span class="cx">
</span><span class="cx"> return CSSPrimitiveValue::create(number, unit);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorecssparserCSSParserTokencpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/css/parser/CSSParserToken.cpp (209382 => 209383)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/css/parser/CSSParserToken.cpp 2016-12-06 03:37:29 UTC (rev 209382)
+++ trunk/Source/WebCore/css/parser/CSSParserToken.cpp 2016-12-06 04:34:51 UTC (rev 209383)
</span><span class="lines">@@ -235,7 +235,7 @@
</span><span class="cx"> , m_unit(static_cast<unsigned>(CSSPrimitiveValue::UnitTypes::CSS_NUMBER))
</span><span class="cx"> {
</span><span class="cx"> ASSERT(type == NumberToken);
</span><del>- m_numericValue = clampTo<double>(numericValue, -std::numeric_limits<float>::max(), std::numeric_limits<float>::max());
</del><ins>+ m_numericValue = numericValue;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> CSSParserToken::CSSParserToken(CSSParserTokenType type, UChar32 start, UChar32 end)
</span></span></pre></div>
<a id="trunkSourceWebCorecssparserCSSPropertyParserHelperscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/css/parser/CSSPropertyParserHelpers.cpp (209382 => 209383)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/css/parser/CSSPropertyParserHelpers.cpp 2016-12-06 03:37:29 UTC (rev 209382)
+++ trunk/Source/WebCore/css/parser/CSSPropertyParserHelpers.cpp 2016-12-06 04:34:51 UTC (rev 209383)
</span><span class="lines">@@ -208,7 +208,7 @@
</span><span class="cx"> default:
</span><span class="cx"> return nullptr;
</span><span class="cx"> }
</span><del>- if (valueRange == ValueRangeNonNegative && token.numericValue() < 0)
</del><ins>+ if ((valueRange == ValueRangeNonNegative && token.numericValue() < 0) || std::isinf(token.numericValue()))
</ins><span class="cx"> return nullptr;
</span><span class="cx"> return CSSValuePool::singleton().createValue(range.consumeIncludingWhitespace().numericValue(), token.unitType());
</span><span class="cx"> }
</span><span class="lines">@@ -216,6 +216,8 @@
</span><span class="cx"> if (!shouldAcceptUnitlessValue(token.numericValue(), cssParserMode, unitless)
</span><span class="cx"> || (valueRange == ValueRangeNonNegative && token.numericValue() < 0))
</span><span class="cx"> return nullptr;
</span><ins>+ if (std::isinf(token.numericValue()))
+ return nullptr;
</ins><span class="cx"> CSSPrimitiveValue::UnitTypes unitType = CSSPrimitiveValue::UnitTypes::CSS_PX;
</span><span class="cx"> return CSSValuePool::singleton().createValue(range.consumeIncludingWhitespace().numericValue(), unitType);
</span><span class="cx"> }
</span><span class="lines">@@ -231,7 +233,7 @@
</span><span class="cx"> {
</span><span class="cx"> const CSSParserToken& token = range.peek();
</span><span class="cx"> if (token.type() == PercentageToken) {
</span><del>- if (valueRange == ValueRangeNonNegative && token.numericValue() < 0)
</del><ins>+ if ((valueRange == ValueRangeNonNegative && token.numericValue() < 0) || std::isinf(token.numericValue()))
</ins><span class="cx"> return nullptr;
</span><span class="cx"> return CSSValuePool::singleton().createValue(range.consumeIncludingWhitespace().numericValue(), CSSPrimitiveValue::UnitTypes::CSS_PERCENTAGE);
</span><span class="cx"> }
</span></span></pre>
</div>
</div>
</body>
</html>