[gtk/gtk-3-24] Fix crash in parse_border()



commit 1efb72210d6fb39d9de97d4d7a76251cd22cd54d
Author: Alexandr Miloslavskiy <alexandr miloslavskiy syntevo com>
Date:   Thu Nov 21 20:26:22 2019 +0100

    Fix crash in parse_border()
    
    The bug was introduced in commit:
            9b7640b8 by Benjamin Otte, 2012-03-26 17:24:02
            styleproperty: Make _gtk_style_property_parse_value() return a CssValue
    
    In that commit, `values` changed from `GValue*` to `GtkCssValue**`,
    but one `!G_IS_VALUE (&values[8])` was left untouched. As a result,
    if `border` shorthand contains anything after color, it might crash,
    depending on memory layout.
    
    New test included.
    
    Fixes: #751

 gtk/gtkcssshorthandpropertyimpl.c              | 2 +-
 testsuite/css/parser/Makefile.am               | 3 +++
 testsuite/css/parser/border-crash-3.24.css     | 4 ++++
 testsuite/css/parser/border-crash-3.24.errors  | 1 +
 testsuite/css/parser/border-crash-3.24.ref.css | 0
 testsuite/css/parser/meson.build               | 3 +++
 6 files changed, 12 insertions(+), 1 deletion(-)
---
diff --git a/gtk/gtkcssshorthandpropertyimpl.c b/gtk/gtkcssshorthandpropertyimpl.c
index 53465a988c..fdef01ca66 100644
--- a/gtk/gtkcssshorthandpropertyimpl.c
+++ b/gtk/gtkcssshorthandpropertyimpl.c
@@ -396,7 +396,7 @@ parse_border (GtkCssShorthandProperty  *shorthand,
         values[6] = _gtk_css_value_ref (values[4]);
         values[7] = _gtk_css_value_ref (values[4]);
       }
-    else if (!G_IS_VALUE (&values[8]))
+    else if (values[8] == NULL)
       {
         values[8] = _gtk_css_color_value_parse (parser);
         if (values[8] == NULL)
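Review bot: The new `else if (values[8] == NULL)` test only means "colour not parsed yet" if every slot of `values` is NULL before parse_border starts filling it, and that precondition is not visible here — parse_border's signature and the start of its body lie above the hunk, and the caller that allocates the array is outside the file view. A one-line comment on the changed line would pin the contract for the next reader: `/* values[] is NULL-initialized by the caller; a non-NULL slot is already parsed */`. Since the commit message attributes the bug to a `GValue*` → `GtkCssValue**` type change that left one `G_IS_VALUE` behind, it is also worth confirming that no other `G_IS_VALUE (&values[...])` check survived elsewhere in this file, as the same read through the wrong type would misbehave in the same way.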
diff --git a/testsuite/css/parser/Makefile.am b/testsuite/css/parser/Makefile.am
index 03aa9b638a..fcef37a44c 100644
--- a/testsuite/css/parser/Makefile.am
+++ b/testsuite/css/parser/Makefile.am
@@ -206,6 +206,9 @@ test_data = \
         border-color.ref.css \
        border-color-currentcolor.css \
        border-color-currentcolor.ref.css \
+       border-crash-3.24.css \
+       border-crash-3.24.errors \
+       border-crash-3.24.ref.css \
         border-image-source.css \
         border-image-source.ref.css \
         border-image-repeat.css \
diff --git a/testsuite/css/parser/border-crash-3.24.css b/testsuite/css/parser/border-crash-3.24.css
new file mode 100644
index 0000000000..971048e2a8
--- /dev/null
+++ b/testsuite/css/parser/border-crash-3.24.css
@@ -0,0 +1,4 @@
+* {
+  border: 2px solid alpha(black, 0.3)
+  padding: 2px;
+}
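Review bot: The missing `;` after `alpha(black, 0.3)` on line 2 appears to be the whole point of the fixture — the `.errors` file expects a syntax error on line 3, consistent with the shorthand parser continuing past the colour into `padding` — but nothing in the file says so, and a well-meaning tidy-up that adds the semicolon would silently remove the regression coverage. A comment above the rule would protect it: `/* no ';' after the colour on purpose: the border shorthand must keep parsing (regression test for #751) */`.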
diff --git a/testsuite/css/parser/border-crash-3.24.errors b/testsuite/css/parser/border-crash-3.24.errors
new file mode 100644
index 0000000000..c49f1d071a
--- /dev/null
+++ b/testsuite/css/parser/border-crash-3.24.errors
@@ -0,0 +1 @@
+border-crash-3.24.css:3: error: GTK_CSS_PROVIDER_ERROR_SYNTAX
diff --git a/testsuite/css/parser/border-crash-3.24.ref.css b/testsuite/css/parser/border-crash-3.24.ref.css
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testsuite/css/parser/meson.build b/testsuite/css/parser/meson.build
index 7e60bb8b41..d3bbdae17b 100644
--- a/testsuite/css/parser/meson.build
+++ b/testsuite/css/parser/meson.build
@@ -181,6 +181,9 @@ test_data = [
   'border-color-currentcolor.ref.css',
   'border-color.css',
   'border-color.ref.css',
+  'border-crash-3.24.css',
+  'border-crash-3.24.errors',
+  'border-crash-3.24.ref.css',
   'border-image-repeat.css',
   'border-image-repeat.ref.css',
   'border-image-slice.css',

