[webkit-reviews] review requested: [Bug 20397] Invalid webkit-border-bottom-left-radius property causes crash : [Attachment 22895] Possible fix for bug 20397

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Aug 20 09:53:55 PDT 2008


Glenn Wilson <wilsong at gmail.com> has asked for review:
Bug 20397: Invalid webkit-border-bottom-left-radius property causes crash
https://bugs.webkit.org/show_bug.cgi?id=20397

Attachment 22895: Possible fix for bug 20397
https://bugs.webkit.org/attachment.cgi?id=22895&action=edit

------- Additional Comments from Glenn Wilson <wilsong at gmail.com>
This small change may fix the problem.

When these CSS properties are being processed by the CSSParser, the parser
assumes that m_valueList->current is pointing at the start of the list.  In the
case where there is a space between the number and unit ("1 px;"),
m_valueList->current is actually pointing at the second element of the list
("px" or whatever unit, assumedly).  So when the parser automatically advances
to m_valueList->next, it's over the end of the list, dereferences a null value,
and bam!...crash-o-rama.

This fix checks that m_valueList->next exists.  If so, it continues as it did
before.  If not, it assumes that the list is already pointing at the end of the
list and continues without advancing the list with next().
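The cursor walk the comment describes, reduced to a constructed model (added here for illustration; this is not the attachment's code and not WebKit's CSSParser; ValueList, Value, seek() and both walk functions are hypothetical). Unit validation is left out on purpose so that only the current()/next() walk and the added null check are shown:

```cpp
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for one parsed CSS value ("1px", "1", "px", ...).
struct Value { std::string text; };

// Hypothetical value list with a cursor, mirroring the current()/next()/size()
// walk the report describes; not WebKit's value list type.
class ValueList {
public:
    explicit ValueList(std::vector<Value> v) : m_values(std::move(v)) {}
    std::size_t size() const { return m_values.size(); }
    const Value* current() const {
        return m_index < m_values.size() ? &m_values[m_index] : nullptr;
    }
    const Value* next() { ++m_index; return current(); }
    // Reproduces the state the report describes: current already on the 2nd element.
    void seek(std::size_t i) { m_index = i; }
private:
    std::vector<Value> m_values;
    std::size_t m_index = 0;
};

// Simulates the unguarded walk: the handler sees two values, reads current(),
// advances with next() and dereferences the result without checking it.
// Returns true where that dereference would hit null (simulated, not crashed).
bool unguardedWalkWouldCrash(ValueList list) {
    if (list.size() != 2 || !list.current())
        return false;
    return list.next() == nullptr;
}

// Guarded walk as the report describes the fix: advance only if next() exists,
// otherwise treat the cursor as already at the end of the list. Returns the
// number of values consumed, or -1 when the list was already exhausted.
int guardedWalk(ValueList list) {
    std::size_t num = list.size();
    if ((num != 1 && num != 2) || !list.current())
        return 0;
    if (num == 1)
        return 1;
    if (!list.next())   // the null check that replaces the crash
        return -1;
    return 2;
}
```

In this model "1px" lexes to one value and "1 px" to two; seeking the cursor to the second value before the walk is what turns next() into null.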

