[Webkit-unassigned] [Bug 20397] Invalid webkit-border-bottom-left-radius property causes crash

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Aug 20 09:53:55 PDT 2008


https://bugs.webkit.org/show_bug.cgi?id=20397


wilsong at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #22895|                            |review?
               Flag|                            |




------- Comment #4 from wilsong at gmail.com  2008-08-20 09:53 PDT -------
Created an attachment (id=22895)
 --> (https://bugs.webkit.org/attachment.cgi?id=22895&action=view)
Possible fix for bug 20397

This small change may fix the problem.

When these CSS properties are being processed by the CSSParser, the parser
assumes that m_valueList->current is pointing at the start of the list.  In the
case where there is a space between the number and unit ("1 px;"),
m_valueList->current is actually pointing at the second element of the list
("px" or whatever unit, assumedly).  So when the parser automatically advances
to m_valueList->next, it's over the end of the list, dereferences a null value,
and bam!...crash-o-rama.

This fix checks that m_valueList->next exists.  If so, it continues as it did
before.  If not, it assumes that the list is already pointing at the end of the
list and continues without advancing the list with next().


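The crash mechanism described in the comment, as an added C++ illustration that is not the attached patch and not WebKit's CSSParser: a hypothetical `ValueList` with `current()`/`next()` cursor semantics, a handler that advances unconditionally (the pre-fix behaviour, modelled as a "would dereference null" flag instead of actually doing so), and a handler that advances only when `next()` exists. The whitespace tokenizer, the `seek()` call that stands in for "the earlier parsing stage left the cursor here", and the helper names are all assumptions made for the example.

```cpp
#include <cstddef>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// One whitespace-separated token from a declaration, e.g. "1", "px" or "1px".
struct Value {
    std::string text;
};

// Hypothetical value list with a cursor (assumption, not WebKit's class).
// current() is nullptr once the cursor is past the end; next() advances the
// cursor and returns the new current().
class ValueList {
public:
    explicit ValueList(const std::string& declaration) {
        std::istringstream in(declaration);
        std::string token;
        while (in >> token)
            m_values.push_back(Value{token});
    }
    Value* current() { return m_current < m_values.size() ? &m_values[m_current] : nullptr; }
    Value* next() { ++m_current; return current(); }
    void seek(size_t index) { m_current = index; }

private:
    std::vector<Value> m_values;
    size_t m_current = 0;
};

// Before the fix: advance unconditionally and use the result. Reading through a
// null next() is undefined behaviour, so this stand-in reports whether that read
// would happen instead of performing it.
bool uncheckedHandlerWouldCrash(ValueList& list) {
    Value* following = list.next();
    return following == nullptr; // the original code would touch following->text here
}

// After the fix: advance only when next() exists; otherwise stay on the current
// element and carry on.
std::string checkedHandler(ValueList& list) {
    Value* value = list.current();
    if (!value)
        return "";
    if (Value* following = list.next())
        return following->text;
    return value->text; // already at the end of the list, do not advance
}

// Reproduce the report's precondition: the cursor is wherever the earlier
// parsing stage left it (index 1, the "px", for "1 px"; index 0 for "1px 2px").
bool crashesFor(const std::string& declaration, size_t cursor) {
    ValueList list(declaration);
    list.seek(cursor);
    return uncheckedHandlerWouldCrash(list);
}

std::string checkedFor(const std::string& declaration, size_t cursor) {
    ValueList list(declaration);
    list.seek(cursor);
    return checkedHandler(list);
}

int main() {
    std::cout << "\"1px 2px\" at 0: unchecked crashes? " << crashesFor("1px 2px", 0)
              << ", checked -> " << checkedFor("1px 2px", 0) << "\n";
    std::cout << "\"1 px\" at 1:    unchecked crashes? " << crashesFor("1 px", 1)
              << ", checked -> " << checkedFor("1 px", 1) << "\n";
    return 0;
}
```

With the cursor already on the last token ("1 px", index 1) the unchecked path reports that it would dereference null, while the checked path returns "px" without advancing; with a following value present ("1 px 2 px") both paths simply move on to "2", which is why the null check alone is enough to turn the crash into a parse that continues.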