[Webkit-unassigned] [Bug 105275] New: CSSParser crases, when no context is available, and the value is a valid keyword

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Dec 18 03:40:07 PST 2012 

https://bugs.webkit.org/show_bug.cgi?id=105275

           Summary: CSSParser crases, when no context is available, and
                    the value is a valid keyword
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: CSS
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: reni at webkit.org
                CC: koivisto at iki.fi, zimmermann at kde.org, tony at chromium.org


My SVGFuzzer crashes on this svg test:

<svg xmlns="http://www.w3.org/2000/svg">
    <circle>
        <animate attributeName="display" to="bevel"></animate>
    </circle>
</svg>


The crash comes from the CSSParser.
StylePropertySet::setProperty was called with 0 (what is 0 by default too) contextStyleSheet from SVGAnimateElement. This zero was propageted to CSSParser::isValidKeywordPropertyAndValue() where parserContext.isCSSGridLayoutEnabled was NULL too and caused a segfault.


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff3d05012 in isValidKeywordPropertyAndValue (propertyId=WebCore::CSSPropertyDisplay, valueID=724, parserContext=...)
    at /home/reni/WebKit-git/Source/WebCore/css/CSSParser.cpp:632
632            if (parserContext.isCSSGridLayoutEnabled && (valueID == CSSValueWebkitGrid || valueID == CSSValueWebkitInlineGrid))
(gdb) bt 8 
#0  0x00007ffff3d05012 in isValidKeywordPropertyAndValue (propertyId=WebCore::CSSPropertyDisplay, valueID=724, parserContext=...)
    at /home/reni/WebKit-git/Source/WebCore/css/CSSParser.cpp:632
#1  0x00007ffff3d06119 in parseKeywordValue (declaration=0x9926f0, propertyId=WebCore::CSSPropertyDisplay, string=..., important=false, parserContext=...)
    at /home/reni/WebKit-git/Source/WebCore/css/CSSParser.cpp:1119
#2  0x00007ffff3d0690a in WebCore::CSSParser::parseValue (declaration=0x9926f0, propertyID=WebCore::CSSPropertyDisplay, string=..., important=false, 
    cssParserMode=WebCore::SVGAttributeMode, contextStyleSheet=0x0) at /home/reni/WebKit-git/Source/WebCore/css/CSSParser.cpp:1232
#3  0x00007ffff3e01d11 in WebCore::StylePropertySet::setProperty (this=0x9926f0, propertyID=WebCore::CSSPropertyDisplay, value=..., important=false, 
    contextStyleSheet=0x0) at /home/reni/WebKit-git/Source/WebCore/css/StylePropertySet.cpp:661
#4  0x00007ffff4ac098d in applyCSSPropertyToTarget (targetElement=0x98c0c0, id=WebCore::CSSPropertyDisplay, value=...)
    at /home/reni/WebKit-git/Source/WebCore/svg/SVGAnimateElement.cpp:242
#5  0x00007ffff4ac0b4a in applyCSSPropertyToTargetAndInstances (targetElement=0x98c0c0, attributeName=..., valueAsString=...)
    at /home/reni/WebKit-git/Source/WebCore/svg/SVGAnimateElement.cpp:264
#6  0x00007ffff4ac129f in WebCore::SVGAnimateElement::applyResultsToTarget (this=0x9985b0) at /home/reni/WebKit-git/Source/WebCore/svg/SVGAnimateElement.cpp:359
#7  0x00007ffff4a5e516 in WebCore::SMILTimeContainer::updateAnimations (this=0x96a280, elapsed=..., seekToTime=false)
    at /home/reni/WebKit-git/Source/WebCore/svg/animation/SMILTimeContainer.cpp:319
(More stack frames follow...)

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list