ASSERT: Bad cast from CSSInitialValue to CSSValueList

The issue was that we would cast to CSSValueList without checking
the type of the CSSValue. After this change, we use the ASSERT'ing
cast and explicitly check the type of the CSSValue before the cast.

BUG=279286

Review URL: https://chromiumcodereview.appspot.com/23604036

git-svn-id: svn://svn.chromium.org/blink/trunk@157255 bbb929c8-8fbe-4397-9dbb-9b2b20218538
diff --git a/LayoutTests/fast/css/crash-inherit-value-font-family-expected.txt b/LayoutTests/fast/css/crash-inherit-value-font-family-expected.txt
new file mode 100644
index 0000000..566a0a8
--- /dev/null
+++ b/LayoutTests/fast/css/crash-inherit-value-font-family-expected.txt
@@ -0,0 +1,2 @@
+crbug.com/279286: ASSERT: Bad cast from CSSInitialValue to CSSValueList
+This test has passed if it doesn't crash
diff --git a/LayoutTests/fast/css/crash-inherit-value-font-family.html b/LayoutTests/fast/css/crash-inherit-value-font-family.html
new file mode 100644
index 0000000..100a041
--- /dev/null
+++ b/LayoutTests/fast/css/crash-inherit-value-font-family.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<body>
+<var style="float: right; -webkit-border-before: groove; font-family: inherit"></var>
+
+<script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+
+    document.body.offsetTop;
+    document.designMode="on";
+    document.execCommand("SelectAll");
+    document.execCommand("InsertImage", false);
+    document.execCommand("InsertOrderedList");
+    document.body.innerHTML = "crbug.com/279286: ASSERT: Bad cast from CSSInitialValue to CSSValueList<br>This test has passed if it doesn't crash";
+</script>
diff --git a/Source/core/css/CSSParser-in.cpp b/Source/core/css/CSSParser-in.cpp
index 4abb350..9a472db 100644
--- a/Source/core/css/CSSParser-in.cpp
+++ b/Source/core/css/CSSParser-in.cpp
@@ -1148,7 +1148,12 @@
     RefPtr<MutableStylePropertySet> dummyStyle = MutableStylePropertySet::create();
     if (!parseValue(dummyStyle.get(), CSSPropertyFontFamily, string, false, CSSQuirksMode, 0))
         return 0;
-    return static_pointer_cast<CSSValueList>(dummyStyle->getPropertyCSSValue(CSSPropertyFontFamily));
+
+    RefPtr<CSSValue> fontFamily = dummyStyle->getPropertyCSSValue(CSSPropertyFontFamily);
+    if (!fontFamily->isValueList())
+        return 0;
+
+    return toCSSValueList(dummyStyle->getPropertyCSSValue(CSSPropertyFontFamily).get());
 }
 
 bool CSSParser::parseValue(MutableStylePropertySet* declaration, CSSPropertyID propertyID, const String& string, bool important, const Document& document)
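Review bot: The final added `return` calls `dummyStyle->getPropertyCSSValue(CSSPropertyFontFamily)` a second time instead of casting the `fontFamily` object that `isValueList()` just checked, so the type check and the cast are not tied to the same pointer. Using `return toCSSValueList(fontFamily.get());` keeps them together and drops a redundant lookup. Since the commit message describes `toCSSValueList` as an ASSERT'ing cast, the explicit `isValueList()` test is presumably the only guard in builds where assertions are compiled out, which makes checking the exact object being cast more important. `fontFamily->isValueList()` also dereferences without a null test; if `getPropertyCSSValue` can return null after a successful `parseValue` (not visible here), `if (!fontFamily || !fontFamily->isValueList())` would cover it. The enclosing function's signature is outside the hunk.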