[Webkit-unassigned] [Bug 93380] New: Crash when inspecting an element with border-image
bugzilla-daemon at webkit.org
Tue Aug 7 11:35:31 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=93380
Summary: Crash when inspecting an element with border-image
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: CSS
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: apavlov at chromium.org
In the following document:
<html>
<head>
<style>
div {
    border-image: url(images/shadow-border.png) stretch 10;
}
</style>
</head>
<body>
<div>FOO</div>
</body>
</html>
Inspect the FOO div. A crash.
The crashing line:
    case CSS_PAIR:
        text = m_value.pair->first()->cssText();
        if (m_value.pair->second() != m_value.pair->first()) {
            text += " ";
            text += m_value.pair->second()->cssText(); // <-------------
        }
This is due to CSSParser::parseBorderImageRepeat(RefPtr<CSSValue>& result)
building a CSSPair with second() equal to 0 (last else-branch inside "if (val)" does not initialize secondValue).
Upstreaming http://crbug.com/141139
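
Added example, not part of the original report and not WebKit source: a simplified C++ model of the parse path described above, where the trailing else-branch leaves the second slot of the pair null, next to one possible fix and a serializer that checks the pair before dereferencing it. The names Value, Pair, parseRepeat and pairText, the "fixed" switch and the choice to reuse the first value are assumptions made for illustration.

```cpp
#include <memory>
#include <string>
#include <vector>

// Simplified model (assumed types, not WebKit's): a pair whose slots may be null.
struct Value { std::string text; };
using ValuePtr = std::shared_ptr<Value>;
struct Pair { ValuePtr first, second; };

static bool isRepeatKeyword(const std::string& t) {
    return t == "stretch" || t == "repeat" || t == "round" || t == "space";
}

// Parses one or two repeat keywords starting at tokens[pos].
// fixed == false models the flaw from the report: inside a shorthand, a
// following token that is not a repeat keyword leaves `second` null.
bool parseRepeat(const std::vector<std::string>& tokens, size_t& pos,
                 bool inShorthand, bool fixed, Pair& out) {
    if (pos >= tokens.size() || !isRepeatKeyword(tokens[pos])) return false;
    ValuePtr first = std::make_shared<Value>(Value{tokens[pos++]});
    ValuePtr second;
    if (pos < tokens.size()) {
        if (isRepeatKeyword(tokens[pos]))
            second = std::make_shared<Value>(Value{tokens[pos++]});
        else if (!inShorthand)
            return false;      // stray token in the longhand: invalid
        else if (fixed)
            second = first;    // token belongs to another component: reuse first
        // else: flawed path, second stays null and pos is not advanced
    } else {
        second = first;        // a single keyword applies to both axes
    }
    out = Pair{first, second};
    return true;
}

// Serializer that enforces the non-null invariant instead of dereferencing
// blindly. Returns false for a malformed pair rather than crashing.
bool pairText(const Pair& p, std::string& text) {
    if (!p.first || !p.second) return false;
    text = p.first->text;
    if (p.second != p.first) text += " " + p.second->text;
    return true;
}
```

With the tokens "stretch" and "10" from the test case above, the flawed path returns a pair with a null second slot, which is what the crashing cssText() line dereferences.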