Changeset 44865 in webkit for trunk

Timestamp:

Jun 19, 2009 12:54:57 PM (15 years ago)

Author:

bfulgham@webkit.org

Message:

2009-06-19 Chris Evans <​scarybeasts@gmail.com>

Reviewed by Eric Seidel.

There is no new test because this cannot be tested deterministically.
I've not been able to cause a crash at all in the test framework, but
I have verified that this is happening in the wild and that the patch
fixes the likely cause in the debugger.

• loader/TextResourceDecoder.cpp: careful not to iterate off the end of our input buffer looking for the end of the comment.

Location:

trunk/WebCore

Files:

• ChangeLog (modified) (1 diff)
• loader/TextResourceDecoder.cpp (modified) (2 diffs)

trunk/WebCore/ChangeLog

@@ +1 @@
+2009-06-19  Chris Evans  <scarybeasts@gmail.com>
+
+        Reviewed by Eric Seidel.
+
+        There is no new test because this cannot be tested deterministically.
+        I've not been able to cause a crash at all in the test framework, but
+        I have verified that this is happening in the wild and that the patch
+        fixes the likely cause in the debugger.
+
+        * loader/TextResourceDecoder.cpp: careful not to iterate off the end
+          of our input buffer looking for the end of the comment.
+
 2009-06-19  Adam Barth  <abarth@webkit.org>
 

trunk/WebCore/loader/TextResourceDecoder.cpp

@@ -510 +510 @@
 {
     const char* p = ptr;
+    if (p == pEnd)
+      return;
     // Allow <!-->; other browsers do.
     if (*p == '>') {
         p++;
     } else {
-        while (p != pEnd) {
+        while (p + 2 < pEnd) {
             if (*p == '-') {
                 // This is the real end of comment, "-->".
@@ -522 +524 @@
                 }
                 // This is the incorrect end of comment that other browsers allow, "--!>".
-                if (p[1] == '-' && p[2] == '!' && p[3] == '>') {
+                if (p + 3 < pEnd && p[1] == '-' && p[2] == '!' && p[3] == '>') {
                     p += 4;
                     break;