Potential Crash fix by not propagating empty value for face attribute

Potential Crash fix by not propagating empty value for face attribute https://bugs.webkit.org/show_bug.cgi?id=248434 Reviewed by Tim Nguyen. Merge - https://src.chromium.org/viewvc/blink?view=revision&revision=190788 This patch is to add check to ensure that "faceAttr" is not null / empty value and such values are not propagated to lead to stability issues (i.e., crashes). * Source/WebCore/html/HTMLFontElement.cpp: (HTMLFontElement::collectPresentationalHintsForAttribute): Add check for empty / null values * LayoutTests/fast/css/font-face-attribute-remove.html: Add Test Case * LayoutTests/fast/css/font-face-attribute-remove-expected.html: Add Test Case Expectation Canonical link: https://commits.webkit.org/257248@main
WebKit · Dec 1, 2022 · 7f50b6d · 7f50b6d
1 parent 2c9c139
commit 7f50b6d
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 2 deletions.
diff --git a/LayoutTests/fast/css/font-face-attribute-remove-expected.html b/LayoutTests/fast/css/font-face-attribute-remove-expected.html
@@ -0,0 +1 @@
+<p>PASS if it does not crash.</p>
diff --git a/LayoutTests/fast/css/font-face-attribute-remove.html b/LayoutTests/fast/css/font-face-attribute-remove.html
@@ -0,0 +1,6 @@
+<p>PASS if it does not crash.</p>
+<font id="f" face="helvetica"></font>
+<script>
+// attributes[1] is face
+f.attributes[1].textContent = null;
+</script>
diff --git a/Source/WebCore/html/HTMLFontElement.cpp b/Source/WebCore/html/HTMLFontElement.cpp
@@ -2,7 +2,7 @@
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2000 Simon Hausmann <hausmann@kde.org>
- * Copyright (C) 2003, 2006, 2008, 2010 Apple Inc. All rights reserved.
+ * Copyright (C) 2003-2022 Apple Inc. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Library General Public
@@ -190,7 +190,7 @@ void HTMLFontElement::collectPresentationalHintsForAttribute(const QualifiedName
             addPropertyToPresentationalHintStyle(style, CSSPropertyFontSize, size);
     } else if (name == colorAttr)
         addHTMLColorToStyle(style, CSSPropertyColor, value);
-    else if (name == faceAttr) {
+    else if (name == faceAttr && !value.isEmpty()) {
         if (auto fontFaceValue = CSSValuePool::singleton().createFontFaceValue(value))
             style.setProperty(CSSProperty(CSSPropertyFontFamily, WTFMove(fontFaceValue)));
     } else