Added default length to createGridTrackBreadth() when length is undef…

…ined https://bugs.webkit.org/show_bug.cgi?id=269856 rdar://119619013 Reviewed by Sammy Gill. `convertToLength` returned length undefined to `createGridTrackBreadth` which causes an issue when creating GridLength. Added check to see if length is undefined and if so returned a default length = 0 instead * Source/WebCore/style/StyleBuilderConverter.h: (WebCore::Style::BuilderConverter::createGridTrackBreadth): Originally-landed-as: 272448.626@safari-7618-branch (0b6e286). rdar://128091169 Canonical link: https://commits.webkit.org/278871@main
WebKit · May 16, 2024 · a5ef58e · a5ef58e
1 parent 332ec81
commit a5ef58e
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 1 deletion.
diff --git a/LayoutTests/fast/css-grid-layout/css-grid-template-rows-invalid-length-expected.txt b/LayoutTests/fast/css-grid-layout/css-grid-template-rows-invalid-length-expected.txt
@@ -0,0 +1,2 @@
+
+This test should not crash
diff --git a/LayoutTests/fast/css-grid-layout/css-grid-template-rows-invalid-length.html b/LayoutTests/fast/css-grid-layout/css-grid-template-rows-invalid-length.html
@@ -0,0 +1,22 @@
+<iframe width="0" srcdoc='
+<style>
+    * { grid-template-rows: 2vh 61px; -webkit-user-modify: read-write-plaintext-only; }
+</style>
+<script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+function jsfuzzer() {
+try { htmlvar00029.replaceWith("htmlvar00009"); var00145 = htmlvar00028.innerHTML; } catch(e) { }
+try { /* */ var00144 = document.execCommand("insertHTML", false, var00145); } catch(e) { }
+}
+function eventhandler3() {
+try { htmlvar00029.selectionDirection = String.fromCharCode(67, 93); } catch(e) { }
+}
+</script>
+<body onload=jsfuzzer()>
+<svg onload="eventhandler3()"></svg>
+</svg>
+<fieldset id="htmlvar00028">
+<textarea id="htmlvar00029" value=".(e;">b26</textarea>
+'></iframe>
+<div>This test should not crash</div>
diff --git a/Source/WebCore/style/StyleBuilderConverter.h b/Source/WebCore/style/StyleBuilderConverter.h
@@ -1137,7 +1137,10 @@ inline GridLength BuilderConverter::createGridTrackBreadth(const CSSPrimitiveVal
     if (primitiveValue.isFlex())
         return GridLength(primitiveValue.doubleValue());
 
-    return primitiveValue.convertToLength<FixedIntegerConversion | PercentConversion | CalculatedConversion | AutoConversion>(builderState.cssToLengthConversionData());
+    auto length = primitiveValue.convertToLength<FixedIntegerConversion | PercentConversion | CalculatedConversion | AutoConversion>(builderState.cssToLengthConversionData());
+    if (!length.isUndefined())
+        return length;
+    return Length(0.0, LengthType::Fixed);
 }
 
 inline GridTrackSize BuilderConverter::createGridTrackSize(const CSSValue& value, BuilderState& builderState)