Fix crash when using disallowed URLs in image sets for content CSS property

third_party/WebKit/Source/core/css/CSSImageSetValue.cpp

 /*
  * Copyright (C) 2012 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 16 matching lines @@
 
 #include "core/css/CSSImageValue.h"
 #include "core/css/CSSPrimitiveValue.h"
 #include "core/dom/Document.h"
 #include "core/fetch/FetchInitiatorTypeNames.h"
 #include "core/fetch/FetchRequest.h"
 #include "core/fetch/ImageResource.h"
 #include "core/fetch/ResourceFetcher.h"
 #include "core/fetch/ResourceLoaderOptions.h"
 #include "core/style/StyleFetchedImageSet.h"
+#include "core/style/StyleInvalidImage.h"
 #include "platform/weborigin/KURL.h"
 #include "platform/weborigin/SecurityPolicy.h"
 #include "wtf/text/StringBuilder.h"
 #include <algorithm>
 
 namespace blink {
 
 CSSImageSetValue::CSSImageSetValue()
     : CSSValueList(ImageSetClass, CommaSeparator)
-    , m_isCachePending(true)
     , m_cachedScaleFactor(1)
 {
 }
 
 CSSImageSetValue::~CSSImageSetValue()
 {
 #if !ENABLE(OILPAN)
-    if (m_cachedImageSet)
-        m_cachedImageSet->clearImageSetValue();
+    if (m_cachedImage && m_cachedImage->isImageResourceSet())
+        toStyleFetchedImageSet(*m_cachedImage).clearImageSetValue();
 #endif
 }
 
 void CSSImageSetValue::fillImageSet()
 {
     size_t length = this->length();
     size_t i = 0;
     while (i < length) {
         CSSImageValue* imageValue = toCSSImageValue(item(i));
         String imageURL = imageValue->url();
@@ skipping 22 matching lines @@
     for (size_t i = 0; i < numberOfImages; ++i) {
         image = m_imagesInSet.at(i);
         if (image.scaleFactor >= scaleFactor)
             return image;
     }
     return image;
 }
 
 bool CSSImageSetValue::isCachePending(float deviceScaleFactor) const
 {
-    return m_isCachePending || deviceScaleFactor != m_cachedScaleFactor;
+    return !m_cachedImage || deviceScaleFactor != m_cachedScaleFactor;
 }
 
-StyleFetchedImageSet* CSSImageSetValue::cachedImageSet(float deviceScaleFactor) const
+StyleImage* CSSImageSetValue::cachedImage(float deviceScaleFactor) const
 {
     ASSERT(!isCachePending(deviceScaleFactor));
-    return m_cachedImageSet.get();
+    return m_cachedImage.get();
 }
 
-StyleFetchedImageSet* CSSImageSetValue::cacheImageSet(Document* document, float deviceScaleFactor, CrossOriginAttributeValue crossOrigin)
+StyleImage* CSSImageSetValue::cacheImage(Document* document, float deviceScaleFactor, CrossOriginAttributeValue crossOrigin)
 {
     ASSERT(document);
 
     if (!m_imagesInSet.size())
         fillImageSet();
 
-    if (m_isCachePending || deviceScaleFactor != m_cachedScaleFactor) {
+    if (isCachePending(deviceScaleFactor)) {
         // FIXME: In the future, we want to take much more than deviceScaleFactor into acount here.
         // All forms of scale should be included: Page::pageScaleFactor(), LocalFrame::pageZoomFactor(),
         // and any CSS transforms. https://bugs.webkit.org/show_bug.cgi?id=81698
         ImageWithScale image = bestImageForScaleFactor(deviceScaleFactor);
         FetchRequest request(ResourceRequest(document->completeURL(image.imageURL)), FetchInitiatorTypeNames::css);
         request.mutableResourceRequest().setHTTPReferrer(image.referrer);
 
         if (crossOrigin != CrossOriginAttributeNotSet)
             request.setCrossOriginAccessControl(document->securityOrigin(), crossOrigin);
 
-        if (ResourcePtr<ImageResource> cachedImage = ImageResource::fetch(request, document->fetcher())) {
-            m_cachedImageSet = StyleFetchedImageSet::create(cachedImage.get(), image.scaleFactor, this, request.url());
-            m_cachedScaleFactor = deviceScaleFactor;
-            m_isCachePending = false;
-        }
+        if (ResourcePtr<ImageResource> cachedImage = ImageResource::fetch(request, document->fetcher()))
+            m_cachedImage = StyleFetchedImageSet::create(cachedImage.get(), image.scaleFactor, this, request.url());
+        else
+            m_cachedImage = StyleInvalidImage::create(image.imageURL);
+        m_cachedScaleFactor = deviceScaleFactor;
     }
 
-    return m_cachedImageSet.get();
+    return m_cachedImage.get();
 }
 
 String CSSImageSetValue::customCSSText() const
 {
     StringBuilder result;
     result.append("-webkit-image-set(");
 
     size_t length = this->length();
     size_t i = 0;
     while (i < length) {
@@ skipping 14 matching lines @@
 
         ++i;
     }
 
     result.append(')');
     return result.toString();
 }
 
 bool CSSImageSetValue::hasFailedOrCanceledSubresources() const
 {
-    if (!m_cachedImageSet)
+    if (!m_cachedImage)
         return false;
-    if (Resource* cachedResource = m_cachedImageSet->cachedImage())
+    if (Resource* cachedResource = m_cachedImage->cachedImage())
         return cachedResource->loadFailedOrCanceled();
     return true;
 }
 
 DEFINE_TRACE_AFTER_DISPATCH(CSSImageSetValue)
 {
-    visitor->trace(m_cachedImageSet);
+    visitor->trace(m_cachedImage);
     CSSValueList::traceAfterDispatch(visitor);
 }
 
 PassRefPtrWillBeRawPtr<CSSImageSetValue> CSSImageSetValue::valueWithURLsMadeAbsolute()
 {
     RefPtrWillBeRawPtr<CSSImageSetValue> value = CSSImageSetValue::create();
     for (auto& item : *this)
         item->isImageValue() ? value->append(toCSSImageValue(*item).valueWithURLMadeAbsolute()) : value->append(item);
     return value.release();
 }
 
 
 } // namespace blink