Fix crash when setting invalid @font-face descriptors via CSSOM.

When @font-face rules are parsed normally (as part of a stylesheet), the descriptors are parsed with CSSParserToken::ParseAsAtRuleDescriptorID, which is allowed to return kInvalid. However, when using CSSOM, the parsing takes a different path that first creates a CSSPropertyID, then converts it to a AtRuleDescriptorID using CSSPropertyIDAsAtRuleDescriptor, which *isn't* allowed to return kInvalid. Fix by allowing kInvalid, and gracefully handling this in CSSPropertyParser::ParseFontFaceDescriptor. Note that this is the only callsite for CSSPropertyIDAsAtRuleDescriptor. BUG=977953 Change-Id: I42081dd4bae3c828843be3ca994ff4f48d06a7f4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1676629Reviewed-by: Rune Lillesveen <futhark@chromium.org> Commit-Queue: Anders Hartvoll Ruud <andruud@chromium.org> Cr-Commit-Position: refs/heads/master@{#673262}

Fix crash when setting invalid @font-face descriptors via CSSOM.
When @font-face rules are parsed normally (as part of a stylesheet), the descriptors are parsed with CSSParserToken::ParseAsAtRuleDescriptorID, which is allowed to return kInvalid. However, when using CSSOM, the parsing takes a different path that first creates a CSSPropertyID, then converts it to a AtRuleDescriptorID using CSSPropertyIDAsAtRuleDescriptor, which *isn't* allowed to return kInvalid. Fix by allowing kInvalid, and gracefully handling this in CSSPropertyParser::ParseFontFaceDescriptor. Note that this is the only callsite for CSSPropertyIDAsAtRuleDescriptor. BUG=977953 Change-Id: I42081dd4bae3c828843be3ca994ff4f48d06a7f4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1676629Reviewed-by: Rune Lillesveen <futhark@chromium.org> Commit-Queue: Anders Hartvoll Ruud <andruud@chromium.org> Cr-Commit-Position: refs/heads/master@{#673262}
8c58ec15 · Anders Hartvoll Ruud · Commit Bot · 646035e4 · 8c58ec15 · 8c58ec15
Commit 8c58ec15 authored Jun 28, 2019 by Anders Hartvoll Ruud Committed by Commit Bot Jun 28, 2019
3 changed files
--- a/third_party/blink/renderer/build/scripts/core/css/parser/templates/at_rule_descriptors.cc.tmpl
+++ b/third_party/blink/renderer/build/scripts/core/css/parser/templates/at_rule_descriptors.cc.tmpl
@@ -100,7 +100,6 @@ AtRuleDescriptorID CSSPropertyIDAsAtRuleDescriptor(CSSPropertyID id) {
    return AtRuleDescriptorID::{{descriptor.name.to_upper_camel_case()}};
 {% endfor %}
  default:
-    NOTREACHED();
    return AtRuleDescriptorID::Invalid;
  }
 }

--- a/third_party/blink/renderer/core/css/parser/css_property_parser.cc
+++ b/third_party/blink/renderer/core/css/parser/css_property_parser.cc
@@ -388,7 +388,8 @@ bool CSSPropertyParser::ParseFontFaceDescriptor(
  // TODO(meade): This function should eventually take an AtRuleDescriptorID.
  const AtRuleDescriptorID id =
      CSSPropertyIDAsAtRuleDescriptor(resolved_property);
-  DCHECK_NE(id, AtRuleDescriptorID::Invalid);
+  if (id == AtRuleDescriptorID::Invalid)
+    return false;
  CSSValue* parsed_value =
      AtRuleDescriptorParser::ParseFontFaceDescriptor(id, range_, *context_);
  if (!parsed_value)

--- a/third_party/blink/web_tests/external/wpt/css/css-fonts/crash-font-face-invalid-descriptor.html
+++ b/third_party/blink/web_tests/external/wpt/css/css-fonts/crash-font-face-invalid-descriptor.html
+<!DOCTYPE html>
+<link rel="help" href="https://crbug.com/977953" />
+<script type="text/javascript" src="/resources/testharness.js"></script>
+<script type="text/javascript" src="/resources/testharnessreport.js"></script>
+<style>
+    @font-face {}
+</style>
+<script>
+    test(() => {
+        let rule = document.styleSheets[0].cssRules[0];
+        rule.style.backgroundPosition = 'bottom 10px right 20px';
+    }, 'Do not crash when setting an invalid @font-face descriptor via CSSOM');
+</script>