Changeset 156222 in webkit for trunk/Source/WebCore/css/CSSParser.cpp

Timestamp:

Sep 20, 2013, 9:13:52 PM (12 years ago)

Author:

[email protected]

Message:

Bad cast from CSSInitialValue to CSSValueList
​https://bugs.webkit.org/show_bug.cgi?id=121729

Source/WebCore:

Reviewed by Beth Dakin.

Merge ​https://chromium.googlesource.com/chromium/blink/+/fcfaa51f9207b32cffe751c1a1380a921e464cbb

The issue was that we would cast to CSSValueList without checking
the type of the CSSValue. After this change, we use the ASSERT'ing
cast and explicitly check the type of the CSSValue before the cast.

Test: fast/css/crash-inherit-value-font-family.html

• css/CSSParser.cpp:

(WebCore::CSSParser::parseFontFaceValue):

LayoutTests:

Reviewed by Beth Dakin.

Add a regression test. This is not a merge since the test in the Blink change involves
superfluous execCommand calls.

• fast/css/crash-inherit-value-font-family-expected.txt: Added.
• fast/css/crash-inherit-value-font-family.html: Added.

File:

• trunk/Source/WebCore/css/CSSParser.cpp (modified) (1 diff)

trunk/Source/WebCore/css/CSSParser.cpp

@@ -1298 +1298 @@
     if (!parseValue(dummyStyle.get(), CSSPropertyFontFamily, string, false, CSSQuirksMode, 0))
         return 0;
-    return static_pointer_cast<CSSValueList>(dummyStyle->getPropertyCSSValue(CSSPropertyFontFamily));
+
+    RefPtr<CSSValue> fontFamily = dummyStyle->getPropertyCSSValue(CSSPropertyFontFamily);
+    if (!fontFamily->isValueList())
+        return 0; // FIXME: "initial" and "inherit" should be parsed as font names in the face attribute.
+    return static_pointer_cast<CSSValueList>(fontFamily.release());
 }