[Webkit-unassigned] [Bug 130542] New: Inline style allows numbers with scientific notations without further checking: assert!
bugzilla-daemon at webkit.org
Thu Mar 20 15:54:11 PDT 2014
https://bugs.webkit.org/show_bug.cgi?id=130542
Summary: Inline style allows numbers with scientific notations
without further checking: assert!
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: CSS
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: krit at webkit.org
CC: koivisto at iki.fi, simon.fraser at apple.com,
akling at apple.com
Created an attachment (id=227349)
--> (https://bugs.webkit.org/attachment.cgi?id=227349&action=review)
Example - assertion
The parsing for setting inline style with JS seems to differ from markup parsing. The following is interpreted as a number with scientific notation: 2e500
The numbers seem not to be checked for overflow:
document.getElementsByTagName('div')[0].style.marginTop = '2e500px';
causes an ASSERT:
ASSERTION FAILED: std::isfinite(num)
CSSPrimitiveValue.cpp(259) : WebCore::CSSPrimitiveValue::CSSPrimitiveValue(double, WebCore::CSSPrimitiveValue::UnitTypes)
1 0x1059f0a30 WTFCrash
2 0x107548bec WebCore::CSSPrimitiveValue::CSSPrimitiveValue(double, WebCore::CSSPrimitiveValue::UnitTypes)
3 0x107548af5 WebCore::CSSPrimitiveValue::CSSPrimitiveValue(double, WebCore::CSSPrimitiveValue::UnitTypes)
4 0x10744e5d1 WebCore::CSSPrimitiveValue::create(double, WebCore::CSSPrimitiveValue::UnitTypes)
5 0x107593c94 WebCore::CSSValuePool::createValue(double, WebCore::CSSPrimitiveValue::UnitTypes)
6 0x1074edef5 WebCore::parseSimpleLengthValue(WebCore::MutableStyleProperties*, WebCore::CSSPropertyID, WTF::String const&, bool, WebCore::CSSParserMode)
7 0x1074edbd0 WebCore::CSSParser::parseValue(WebCore::MutableStyleProperties*, WebCore::CSSPropertyID, WTF::String const&, bool, WebCore::CSSParserMode, WebCore::StyleSheetContents*)
8 0x108db260f WebCore::MutableStyleProperties::setProperty(WebCore::CSSPropertyID, WTF::String const&, bool, WebCore::StyleSheetContents*)
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
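
The failure mode reported above, as an added example that is not part of the original report and is not WebKit source: a fast-path length parser that accepts whatever the numeric conversion returns, next to one that rejects non-finite results before a value object is constructed. The function names are hypothetical, and `std::strtod` is assumed here as a stand-in for the engine's own number parsing.

```cpp
// Added illustration; not WebKit code. Function names are hypothetical.
#include <cmath>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>

// Parses "<number>px" and accepts whatever the conversion returns.
// For "2e500px" the exponent overflows double and the result is +infinity.
// (strtod is a stand-in: it also accepts "inf" and "nan", which CSS does not.)
bool parseLengthUnchecked(const std::string& text, double& out)
{
    const char* start = text.c_str();
    char* end = nullptr;
    out = std::strtod(start, &end);
    // Require at least one consumed character and exactly the "px" unit.
    return end != start && std::strcmp(end, "px") == 0;
}

// Same parse, but refuses values that a constructor asserting
// std::isfinite(num) could not hold, so the caller can drop the declaration.
bool parseLengthChecked(const std::string& text, double& out)
{
    double number = 0;
    if (!parseLengthUnchecked(text, number))
        return false;
    if (!std::isfinite(number))
        return false; // overflow to infinity, or NaN
    out = number;
    return true;
}

int main()
{
    // Constructed sample inputs.
    const char* samples[] = { "10px", "2e3px", "2e500px", "-2e500px", "10em" };
    for (const char* sample : samples) {
        double unchecked = 0, checked = 0;
        bool acceptedUnchecked = parseLengthUnchecked(sample, unchecked);
        bool acceptedChecked = parseLengthChecked(sample, checked);
        std::printf("%-9s unchecked=%d (%g) checked=%d\n",
                    sample, acceptedUnchecked, unchecked, acceptedChecked);
    }
    return 0;
}
```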