Changeset 38115 in webkit

Timestamp:

Nov 4, 2008 4:24:44 PM (15 years ago)

Author:

pam@chromium.org

Message:

2008-11-04 Jonathan Haas <​myrdred@gmail.com>

Addiitonal tweaks and patch prep by Pamela Greene <​pam@chromium.org>

Reviewed by Darin Adler.

Fixed an issue which could cause memory corruption using ToT libxml.
See ​https://bugs.webkit.org/show_bug.cgi?id=15715

Test: fast/xsl/xslt-nested-stylesheets.xml

• xml/XSLImportRule.cpp: (WebCore::XSLImportRule::setXSLStyleSheet): Set parent rather than owner document
• xml/XSLStyleSheet.cpp: (WebCore::XSLStyleSheet::XSLStyleSheet): Initialize m_parentStyleSheet (WebCore::XSLStyleSheet::parseString): Make all child stylesheets use parent's dictionary (WebCore::XSLStyleSheet::setParentStyleSheet): Added
• xml/XSLStyleSheet.h: Added m_parentStyleSheet member

2008-11-04 Pamela Greene <​pam@chromium.org>

Reviewed by Darin Adler.

Added test for crash resulting from nested stylesheets using certain
builds of libxml2. See ​https://bugs.webkit.org/show_bug.cgi?id=15715 .

• fast/xsl/resources/xslt-nested-stylesheets0.xsl: Added.
• fast/xsl/resources/xslt-nested-stylesheets1.xsl: Added.
• fast/xsl/xslt-nested-stylesheets-expected.txt: Added.
• fast/xsl/xslt-nested-stylesheets.xml: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/xsl/resources/xslt-nested-stylesheets0.xsl (added)
• LayoutTests/fast/xsl/resources/xslt-nested-stylesheets1.xsl (added)
• LayoutTests/fast/xsl/xslt-nested-stylesheets-expected.txt (added)
• LayoutTests/fast/xsl/xslt-nested-stylesheets.xml (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/xml/XSLImportRule.cpp (modified) (1 diff)
• WebCore/xml/XSLStyleSheet.cpp (modified) (4 diffs)
• WebCore/xml/XSLStyleSheet.h (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2008-11-04  Pamela Greene  <pam@chromium.org>
+
+        Reviewed by Darin Adler.
+
+        Added test for crash resulting from nested stylesheets using certain
+        builds of libxml2.  See https://bugs.webkit.org/show_bug.cgi?id=15715 .
+
+        * fast/xsl/resources/xslt-nested-stylesheets0.xsl: Added.
+        * fast/xsl/resources/xslt-nested-stylesheets1.xsl: Added.
+        * fast/xsl/xslt-nested-stylesheets-expected.txt: Added.
+        * fast/xsl/xslt-nested-stylesheets.xml: Added.
+
 2008-11-04  Pierre-Olivier Latour  <pol@apple.com>
 

trunk/WebCore/ChangeLog

@@ +1 @@
+2008-11-04  Jonathan Haas  <myrdred@gmail.com>
+
+        Addiitonal tweaks and patch prep by Pamela Greene <pam@chromium.org>
+
+        Reviewed by Darin Adler.
+
+        Fixed an issue which could cause memory corruption using ToT libxml.
+        See https://bugs.webkit.org/show_bug.cgi?id=15715
+
+        Test: fast/xsl/xslt-nested-stylesheets.xml
+
+        * xml/XSLImportRule.cpp:
+        (WebCore::XSLImportRule::setXSLStyleSheet): Set parent rather than owner document
+        * xml/XSLStyleSheet.cpp:
+        (WebCore::XSLStyleSheet::XSLStyleSheet): Initialize m_parentStyleSheet
+        (WebCore::XSLStyleSheet::parseString): Make all child stylesheets use parent's dictionary
+        (WebCore::XSLStyleSheet::setParentStyleSheet): Added
+        * xml/XSLStyleSheet.h: Added m_parentStyleSheet member
+
 2008-11-04  Simon Fraser  <simon.fraser@apple.com>
 

trunk/WebCore/xml/XSLImportRule.cpp

@@ -62 +62 @@
     XSLStyleSheet* parent = parentStyleSheet();
     if (parent)
-        m_styleSheet->setOwnerDocument(parent->ownerDocument());
+        m_styleSheet->setParentStyleSheet(parent);
 
     m_styleSheet->parseString(sheet);

trunk/WebCore/xml/XSLStyleSheet.cpp

@@ -61 +61 @@
     , m_processed(false) // Child sheets get marked as processed when the libxslt engine has finally seen them.
     , m_stylesheetDocTaken(false)
+    , m_parentStyleSheet(0)
 {
 }
@@ -71 +72 @@
     , m_processed(true) // The root sheet starts off processed.
     , m_stylesheetDocTaken(false)
+    , m_parentStyleSheet(0)
 {
 }
@@ -148 +150 @@
     xmlSetGenericErrorFunc(console, XSLTProcessor::genericErrorFunc);
 
-    m_stylesheetDoc = xmlReadMemory(reinterpret_cast<const char*>(string.characters()), string.length() * sizeof(UChar),
+    const char* buffer = reinterpret_cast<const char*>(string.characters());
+    int size = string.length() * sizeof(UChar);
+
+    xmlParserCtxtPtr ctxt = xmlCreateMemoryParserCtxt(buffer, size);
+
+    if (m_parentStyleSheet) {
+        // The XSL transform may leave the newly-transformed document
+        // with references to the symbol dictionaries of the style sheet
+        // and any of its children. XML document disposal can corrupt memory
+        // if a document uses more than one symbol dictionary, so we
+        // ensure that all child stylesheets use the same dictionaries as their
+        // parents.
+        xmlDictFree(ctxt->dict);
+        ctxt->dict = m_parentStyleSheet->m_stylesheetDoc->dict;
+        xmlDictReference(ctxt->dict);
+    }
+
+    m_stylesheetDoc = xmlCtxtReadMemory(ctxt, buffer, size,
         href().utf8().data(),
         BOMHighByte == 0xFF ? "UTF-16LE" : "UTF-16BE", 
@@ -234 +253 @@
         m_stylesheetDocTaken = true;
     return result;
+}
+
+void XSLStyleSheet::setParentStyleSheet(XSLStyleSheet* parent)
+{
+    m_parentStyleSheet = parent;
+    if (parent)
+        m_ownerDocument = parent->ownerDocument();
 }
 

trunk/WebCore/xml/XSLStyleSheet.h

@@ -71 +71 @@
 
     Document* ownerDocument() { return m_ownerDocument; }
-    void setOwnerDocument(Document* doc) { m_ownerDocument = doc; }
+    void setParentStyleSheet(XSLStyleSheet* parent);
 
     xmlDocPtr document();
@@ -91 +91 @@
     bool m_processed;
     bool m_stylesheetDocTaken;
+    XSLStyleSheet* m_parentStyleSheet;
 };