commit 6625ae59e45b05ee492d8bcefb2291571da617f6
author mrowe@apple.com <mrowe@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Wed Sep 03 06:12:30 2008 +0000
committer mrowe@apple.com <mrowe@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Wed Sep 03 06:12:30 2008 +0000
tree 06cddaddb0c0098ee6aa34e99c6d4744027f08a3
parent c3e1bcc4cfc4eb30773c8c070d9fc1faf12e1415

2008-09-02  Glenn Wilson  <wilsong@gmail.com>

        Reviewed by Eric Seidel.

        Fix https://bugs.webkit.org/show_bug.cgi?id=20397
        Bug 20397: Invalid webkit-border-bottom-left-radius property causes crash

        The function checkForOrphanedUnits() would change the length of a list whose size was
        was already determined before the call to checkForOrphanedUnits was made.  Later in
        the caller, the old size was being used for boundary management.

        This has been fixed by moving the call to checkForOrphanedUnits() earlier in the
        calling function, before the size of the list is determined.

        Test: fast/css/orphaned_units_crash.html

        * css/CSSParser.cpp:
        (WebCore::CSSParser::parseValue):  Moved call to checkForOrphanedUnits() earlier in the function.

2008-09-02  Glenn Wilson  <wilsong@gmail.com>

        Reviewed by Eric Seidel.

        Tests for https://bugs.webkit.org/show_bug.cgi?id=20397
        Bug 20397: Invalid webkit-border-bottom-left-radius property causes crash

        Added new tests to check whether an orphaned unit identifier in particular
        CSS attributes will crash the browser.

        * fast/css/orphaned_units_crash-expected.txt: Added.
        * fast/css/orphaned_units_crash.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@36046 268f45cc-cd09-0410-ab3c-d52691b4dbfc