From 909c6856ca5b2eff12ab8a317f8c9e4c1a895203 Mon Sep 17 00:00:00 2001
From: Michael Orlitzky <michael@orlitzky.com>
Date: Sat, 12 Aug 2023 20:03:01 -0400
Subject: [PATCH 1/1] src/stylesheet.h: set uses_revert flag for shorthand
 properties

Take for example the list-style and list-style-type properties; the
former is a shorthand property that subsumes the latter. When the
list-style-type property is parsed, the "flags" variable has its
FLAG_REVERT bit set, and we call,

  css__stylesheet_style_appendOPV(result,
                                  CSS_PROP_LIST_STYLE_TYPE,
				  flags,
				  value);

which then sets the "uses_revert" bit on the stylesheet:

  if ((flags & (0x7 << 1)) == FLAG_REVERT) {
    style->sheet->uses_revert = true;
  }

In contrast, when list-style is parsed and a flag is found, we run

  error = css_stylesheet_style_flag_value(result,
                                          flag_value,
                                          CSS_PROP_LIST_STYLE_TYPE);

which immediately delegates to css__stylesheet_style_append() and
buildOPV() without checking if "uses_revert" needs to be set. This can
lead to a segfault when we try to revert to a state that we have not
saved (Mantis bug 2854).

Adding a FLAG_REVERT check to css_stylesheet_style_flag_value() fixes
the issue for the shorthand properties listed in docs/Bytecode, most
(but not all) of which experienced the crash.

Closes: https://bugs.netsurf-browser.org/mantis/view.php?id=2854
---
 src/stylesheet.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/stylesheet.h b/src/stylesheet.h
index 070508f..673bc95 100644
--- a/src/stylesheet.h
+++ b/src/stylesheet.h
@@ -272,8 +272,12 @@ static inline css_error css_stylesheet_style_unset(css_style *style,
 static inline css_error css_stylesheet_style_flag_value(css_style *style,
 		enum flag_value flag_value, opcode_t opcode)
 {
+	enum flag flag = flag_value << 1;
+	if (flag == FLAG_REVERT) {
+		style->sheet->uses_revert = true;
+	}
 	return css__stylesheet_style_append(style,
-			buildOPV(opcode, flag_value << 1, 0));
+			buildOPV(opcode, flag, 0));
 }
 
 css_error css__stylesheet_selector_create(css_stylesheet *sheet,
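Review bot: The revert test added at the top of css_stylesheet_style_flag_value() is a second, differently written copy of the one the commit message quotes from css__stylesheet_style_appendOPV(). That one masks first, `(flags & (0x7 << 1)) == FLAG_REVERT`, while this one compares the whole shifted value, so the two agree only while flag_value stays within its enumerators. Using the same masked form here, `if ((flag & (0x7 << 1)) == FLAG_REVERT) {`, or moving the test into one small static inline helper that both paths call, would keep them from drifting apart. A short comment above the check would also help, for example `/* revert needs the sheet flagged so the state to revert to is saved (Mantis 2854) */`. The diffstat shows only src/stylesheet.h changed, so nothing in this patch exercises a shorthand property with `revert`; because the crash is reached from stylesheet content, a regression case for it is worth adding alongside the fix.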
-- 
2.41.0

