Timestamp:
Feb 8, 2021, 9:36:18 AM (4 years ago)
Author:
[email protected]
Message:

Null check document element in createGradient
https://bugs.webkit.org/show_bug.cgi?id=221378

Patch by Rob Buis <[email protected]> on 2021-02-08
Reviewed by Alex Christensen.

Source/WebCore:

The document element is not guaranteed to exist so null
check it before determining the root style.

Tests: fast/css/conic-gradient-no-document-element-crash.html
       fast/css/linear-gradient-no-document-element-crash.html
       fast/css/radial-gradient-no-document-element-crash.html

  • css/CSSGradientValue.cpp:
    (WebCore::CSSLinearGradientValue::createGradient):
    (WebCore::CSSRadialGradientValue::createGradient):
    (WebCore::CSSConicGradientValue::createGradient):

LayoutTests:

Add tests for this.

  • fast/css/conic-gradient-no-document-element-crash-expected.txt: Added.
  • fast/css/conic-gradient-no-document-element-crash.html: Added.
  • fast/css/linear-gradient-no-document-element-crash-expected.txt: Added.
  • fast/css/linear-gradient-no-document-element-crash.html: Added.
  • fast/css/radial-gradient-no-document-element-crash-expected.txt: Added.
  • fast/css/radial-gradient-no-document-element-crash.html: Added.
File:
1 edited

  • trunk/Source/WebCore/css/CSSGradientValue.cpp

    r264280 r272497  
    807807    ASSERT(!size.isEmpty());
    808808
    809     CSSToLengthConversionData conversionData(&renderer.style(), renderer.document().documentElement()->renderStyle(), renderer.parentStyle(), &renderer.view());
     809    const RenderStyle* rootStyle = nullptr;
     810    if (auto* documentElement = renderer.document().documentElement())
     811        rootStyle = documentElement->renderStyle();
     812
     813    CSSToLengthConversionData conversionData(&renderer.style(), rootStyle, renderer.parentStyle(), &renderer.view());
    810814
    811815    FloatPoint firstPoint;
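Review bot: in this hunk `rootStyle` is intentionally left as `nullptr` when `renderer.document().documentElement()` is null, so correctness now rests on `CSSToLengthConversionData` and every consumer of its root style tolerating a null pointer; that is worth confirming explicitly in review, because the removed line crashed on exactly this path by dereferencing `documentElement()->renderStyle()` unconditionally. The `fast/css/*-gradient-no-document-element-crash.html` tests listed in the ChangeLog exercise the no-document-element case, which is the right regression test for the crash, but they cannot catch a later consumer of the conversion data that assumes a non-null root style.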
     
    10561060    ASSERT(!size.isEmpty());
    10571061
    1058     CSSToLengthConversionData conversionData(&renderer.style(), renderer.document().documentElement()->renderStyle(), renderer.parentStyle(), &renderer.view());
     1062    const RenderStyle* rootStyle = nullptr;
     1063    if (auto* documentElement = renderer.document().documentElement())
     1064        rootStyle = documentElement->renderStyle();
     1065
     1066    CSSToLengthConversionData conversionData(&renderer.style(), rootStyle, renderer.parentStyle(), &renderer.view());
    10591067
    10601068    FloatPoint firstPoint = computeEndPoint(firstX(), firstY(), conversionData, size);
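Review bot: the three added lines in this hunk, `const RenderStyle* rootStyle = nullptr;`, `if (auto* documentElement = renderer.document().documentElement())` and `rootStyle = documentElement->renderStyle();`, are now duplicated verbatim in the linear variant above and the conic variant below. Consider a small file-local helper in CSSGradientValue.cpp (for example a hypothetical `static const RenderStyle* rootStyleForRenderer(const RenderElement&)`) so the null check lives in one place and a future createGradient-style site cannot reintroduce the unchecked `documentElement()->renderStyle()` dereference that this patch removes.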
     
    12471255    ASSERT(!size.isEmpty());
    12481256
    1249     CSSToLengthConversionData conversionData(&renderer.style(), renderer.document().documentElement()->renderStyle(), renderer.parentStyle(), &renderer.view());
     1257    const RenderStyle* rootStyle = nullptr;
     1258    if (auto* documentElement = renderer.document().documentElement())
     1259        rootStyle = documentElement->renderStyle();
     1260
     1261    CSSToLengthConversionData conversionData(&renderer.style(), rootStyle, renderer.parentStyle(), &renderer.view());
    12501262
    12511263    FloatPoint centerPoint = computeEndPoint(firstX(), firstY(), conversionData, size);
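Review bot: `rootStyle` in this hunk can end up null for two distinct reasons, no document element at all or `documentElement->renderStyle()` itself returning null, and neither case is documented at the declaration. A one-line comment above `const RenderStyle* rootStyle = nullptr;` stating that a null root style is an accepted input for `CSSToLengthConversionData` would make the intent clear to the next reader, which matters more here since this is the third copy of the same pattern in the file.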