New issue
Advanced search Search tips

Issue 920303 link

Starred by 2 users
Status: Fixed
Owner:
futhark@chromium.org
Closed: Jan 11
Cc:
style-bugs@google.com
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 2
Type: Bug



Sign in to add a comment

Null pointer access when setting selectorText without parentStyleSheet

Reported by jun.koka...@microsoft.com, Jan 9 
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3658.0 Safari/537.36 Edg/73.0.58.0

Steps to reproduce the problem:
1. Open attached file (PoC.html).

What is the expected behavior?
No crash.

What went wrong?
https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/css/css_page_rule.cc?type=cs&sq=package:chromium&g=0&l=63

CSSSelectorList selector_list = CSSParser::ParsePageSelector(
      *context, parentStyleSheet() ? parentStyleSheet()->Contents() : nullptr, // <--- Null pointer is passed here
      selector_text);

null pointer is passed to CSSParser::ParsePageSelector when parentStyleSheet is not available. But this null pointer is later accessed to set selectorText.

Attaching patch (patch.diff) which resolve this bug. Patch will ignore setting selectorText when parentStyleSheet is not available.

Crashed report ID: 

How much crashed? Just one tab

Is it a problem with a plugin? No 

Did this work before? N/A 

Chrome version: 71  Channel: stable
OS Version: 10.0
Flash Version:
PoC.html
188 bytes View Download
patch.diff
977 bytes Download

Comment 1 by dtapu...@chromium.org, Jan 9

Components: Blink>CSS

Comment 2 by jmukthavaram@chromium.org, Jan 10

Labels: Target-71 Target-72 Target-73 M-73 FoundIn-71 FoundIn-73 FoundIn-72 OS-Linux OS-Mac
Status: Untriaged (was: Unconfirmed)
Able to reproduce the issue on Windows, mac 10.14.2 & debian rodate using chrome stable-71.0.3578.98 & Canary-73.0.3666.0 as per html file provided in C#0. Page is getting crashed when we open html file i chrome. Same issue seen from m60 to latest canary. As it is non regression issue, marking it as Untraiged to get it addressed from dev team.

Please find the attached screencast for reference
Thanks!
920303-Non reg from M60.mp4
421 KB View Download

Comment 3 by e...@chromium.org, Jan 10

Owner: futhark@chromium.org
Status: Assigned (was: Untriaged)

Comment 4 by futhark@chromium.org, Jan 11

Status: Started (was: Assigned)
Project Member

Comment 5 by bugdroid1@chromium.org, Jan 11 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b183cbd350867b16c7909a74656716742f4ffb32

commit b183cbd350867b16c7909a74656716742f4ffb32
Author: Rune Lillesveen <futhark@chromium.org>
Date: Fri Jan 11 17:16:07 2019

Named pages in @page selectors do not have a namespace.

Fixes crash when trying to set selectorText of detached @page rules. We
only match local name part of the tag, so there should be no behavioral
change here.

Bug:  920303 
Change-Id: I4b09b4e108506fd21d87844dec32209f5984de49
Reviewed-on: https://chromium-review.googlesource.com/c/1406716
Commit-Queue: Morten Stenshorne <mstensho@chromium.org>
Reviewed-by: Morten Stenshorne <mstensho@chromium.org>
Cr-Commit-Position: refs/heads/master@{#622042}
[modify] https://crrev.com/b183cbd350867b16c7909a74656716742f4ffb32/third_party/blink/renderer/core/css/parser/css_parser_impl.cc
[add] https://crrev.com/b183cbd350867b16c7909a74656716742f4ffb32/third_party/blink/web_tests/external/wpt/css/cssom/cssom-pagerule.html

Comment 6 by e...@chromium.org, Jan 11

Status: Fixed (was: Started)

Sign in to add a comment