Fix crash in parse_border()

The bug was introduced in commit:
	9b7640b8 by Benjamin Otte, 2012-03-26 17:24:02
	styleproperty: Make _gtk_style_property_parse_value() return a CssValue

In that commit, `values` changed from `GValue*` to `GtkCssValue**`,
but one `!G_IS_VALUE (&values[8])` was left untouched. As a result,
if `border` shorthand contains anything after color, it might crash,
depending on memory layout.

New test included.

Fixes: #751

diff --git a/gtk/gtkcssshorthandpropertyimpl.c b/gtk/gtkcssshorthandpropertyimpl.c
index 0ada0f6a3e7b385d71b07bd0a069b18e8ff5efc0..290c6afdd04de72449eedabd65e9b2c70fcef06a 100644 (file)
--- a/gtk/gtkcssshorthandpropertyimpl.c
+++ b/gtk/gtkcssshorthandpropertyimpl.c
@@ -387,7 +387,7 @@ parse_border (GtkCssShorthandProperty  *shorthand,
         values[6] = _gtk_css_value_ref (values[4]);
         values[7] = _gtk_css_value_ref (values[4]);
       }
-    else if (!G_IS_VALUE (&values[8]))
+    else if (values[8] == NULL)
       {
         values[8] = _gtk_css_color_value_parse (parser);
         if (values[8] == NULL)

diff --git a/testsuite/css/parser/border-crash-3.24.css b/testsuite/css/parser/border-crash-3.24.css
new file mode 100644 (file)
index 0000000..971048e
--- /dev/null
+++ b/testsuite/css/parser/border-crash-3.24.css
@@ -0,0 +1,4 @@
+* {
+  border: 2px solid alpha(black, 0.3)
+  padding: 2px;
+}

diff --git a/testsuite/css/parser/border-crash-3.24.errors b/testsuite/css/parser/border-crash-3.24.errors
new file mode 100644 (file)
index 0000000..c49f1d0
--- /dev/null
+++ b/testsuite/css/parser/border-crash-3.24.errors
@@ -0,0 +1 @@
+border-crash-3.24.css:3: error: GTK_CSS_PROVIDER_ERROR_SYNTAX

diff --git a/testsuite/css/parser/border-crash-3.24.ref.css b/testsuite/css/parser/border-crash-3.24.ref.css
new file mode 100644 (file)
index 0000000..e69de29

diff --git a/testsuite/css/parser/meson.build b/testsuite/css/parser/meson.build
index 573f0a70876bf3367f421c4b1b942d4a8e2c2256..1e171aaa3630c36edc5bb9daf8c4093776bb14bd 100644 (file)
--- a/testsuite/css/parser/meson.build
+++ b/testsuite/css/parser/meson.build
@@ -156,12 +156,15 @@ test_data = [
   'backslash-eof-is-identifier.css',
   'backslash-eof-is-identifier.errors',
   'backslash-eof-is-identifier.ref.css',
+  'border.css',
+  'border.errors',
   'border-color.css',
   'border-color-currentcolor.css',
   'border-color-currentcolor.ref.css',
   'border-color.ref.css',
-  'border.css',
-  'border.errors',
+  'border-crash-3.24.css',
+  'border-crash-3.24.errors',
+  'border-crash-3.24.ref.css',
   'border-image-repeat.css',
   'border-image-repeat.ref.css',
   'border-image-slice.css',