Changeset 77076 in webkit


Timestamp:
Jan 29, 2011 6:39:40 PM
Author:
abarth@webkit.org
Message:

2011-01-29 Adam Barth <abarth@webkit.org>

Reviewed by Daniel Bates.

Fix XSSFilter crash when extracting the source for a token twice
https://bugs.webkit.org/show_bug.cgi?id=53368

Previously, it was unsafe to extract the source for the same token
twice because the HTMLSourceTracker would advance its internal
representation of the SegmentedString. This patch introduces a cache
to make calling HTMLSourceTracker::sourceForToken multiple times safe.

  • html/parser/HTMLSourceTracker.cpp: (WebCore::HTMLSourceTracker::end): (WebCore::HTMLSourceTracker::sourceForToken):
  • html/parser/HTMLSourceTracker.h:
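A self-contained C++ sketch of the failure the message describes and of the memoising fix, added here as an illustration; this is not WebKit code. The SegmentedString, Token and tracker classes are constructed stand-ins, the start()/end() signatures are simplified, and std::optional replaces the null state of WTF's String for the "not yet computed" case.

```cpp
#include <cstddef>
#include <iostream>
#include <optional>
#include <string>

// Constructed stand-in for WebCore's SegmentedString: a forward-only stream.
// advance() cannot be undone, which is what made double extraction unsafe.
struct SegmentedString {
    std::string text;
    std::size_t cursor = 0;

    bool isEmpty() const { return cursor >= text.size(); }
    char current() const { return text[cursor]; }
    void advance() { ++cursor; }
};

// A token records only where it starts and ends in the stream.
struct Token {
    std::size_t startIndex = 0;
    std::size_t endIndex = 0;
};

// Pre-patch shape (hypothetical, simplified): every sourceForToken() call
// walks and consumes m_source, so a second call starts past the token.
class UncachedSourceTracker {
public:
    void start(const std::string& pending) { m_source = SegmentedString{pending}; }
    void end(Token& token, std::size_t consumed) { token.endIndex = consumed; }

    std::string sourceForToken(const Token& token) {
        std::string source;
        for (std::size_t i = token.startIndex; i < token.endIndex && !m_source.isEmpty(); ++i) {
            source += m_source.current();
            m_source.advance(); // side effect: these characters are gone for good
        }
        return source;
    }

private:
    SegmentedString m_source;
};

// Post-patch shape: the first extraction is memoised until the next end().
// std::optional keeps "not yet computed" and "computed, but empty" distinct.
class CachedSourceTracker {
public:
    void start(const std::string& pending) { m_source = SegmentedString{pending}; }
    void end(Token& token, std::size_t consumed) {
        m_cachedSourceForToken.reset(); // new token boundary: drop the stale entry
        token.endIndex = consumed;
    }

    std::string sourceForToken(const Token& token) {
        if (m_cachedSourceForToken)
            return *m_cachedSourceForToken; // repeat calls never touch the stream
        std::string source;
        for (std::size_t i = token.startIndex; i < token.endIndex && !m_source.isEmpty(); ++i) {
            source += m_source.current();
            m_source.advance();
        }
        m_cachedSourceForToken = source;
        return source;
    }

private:
    SegmentedString m_source;
    std::optional<std::string> m_cachedSourceForToken;
};

// Extract the same token twice with the pre-patch tracker; returns the second result.
std::string uncachedSecondExtraction() {
    UncachedSourceTracker tracker;
    Token token;
    tracker.start("<script>"); // constructed sample input, 8 characters
    tracker.end(token, 8);
    tracker.sourceForToken(token);
    return tracker.sourceForToken(token); // cursor is already at the end: ""
}

// Same sequence with the cached tracker; returns the second result.
std::string cachedSecondExtraction() {
    CachedSourceTracker tracker;
    Token token;
    tracker.start("<script>");
    tracker.end(token, 8);
    tracker.sourceForToken(token);
    return tracker.sourceForToken(token); // served from the cache: "<script>"
}

// Check that end() for the next token really invalidates the cache.
std::string cachedAfterNextToken() {
    CachedSourceTracker tracker;
    Token first, second;
    tracker.start("<script>");
    tracker.end(first, 8);
    tracker.sourceForToken(first);
    tracker.start("<b>x</b>"); // second constructed token, also 8 characters
    tracker.end(second, 8);
    return tracker.sourceForToken(second); // "<b>x</b>", not the stale "<script>"
}

int main() {
    std::cout << "uncached, second call: '" << uncachedSecondExtraction() << "'\n";
    std::cout << "cached, second call:   '" << cachedSecondExtraction() << "'\n";
    std::cout << "cached, next token:    '" << cachedAfterNextToken() << "'\n";
    return 0;
}
```

The uncached tracker returns the correct text once and an empty string the second time, which is the state a consumer such as the XSS filter would hit if it asked for a token's source twice; the cached tracker returns the same text both times and still yields fresh data once end() has been called for the next token.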
Location:
trunk/Source/WebCore
Files:
3 edited

  • trunk/Source/WebCore/ChangeLog

    r77075 r77076  
     12011-01-29  Adam Barth  <abarth@webkit.org>
     2
     3        Reviewed by Daniel Bates.
     4
     5        Fix XSSFilter crash when extracting the source for a token twice
     6        https://bugs.webkit.org/show_bug.cgi?id=53368
     7
     8        Previously, it was unsafe to extract the source for the same token
     9        twice because the HTMLSourceTracker would advance its internal
     10        representation of the SegmentedString.  This patch introduces a cache
     11        to make calling HTMLSourceTracker::sourceForToken multiple times safe.
     12
     13        * html/parser/HTMLSourceTracker.cpp:
     14        (WebCore::HTMLSourceTracker::end):
     15        (WebCore::HTMLSourceTracker::sourceForToken):
     16        * html/parser/HTMLSourceTracker.h:
     17
    1182011-01-29  Maciej Stachowiak  <mjs@apple.com>
    219
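Review bot: the entry records the fix for bug 53368 but lists no test for the double-extraction case; a regression test that calls HTMLSourceTracker::sourceForToken twice for the same token (or a line explaining why none is possible here) would catch the crash again if the cache is ever removed or its reset is moved.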
  • trunk/Source/WebCore/html/parser/HTMLSourceTracker.cpp

    r76835 r77076  
    4242void HTMLSourceTracker::end(const HTMLInputStream& input, HTMLToken& token)
    4343{
     44    m_cachedSourceForToken = String();
    4445    // FIXME: This work should really be done by the HTMLTokenizer.
    4546    token.end(input.current().numberOfCharactersConsumed());
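Review bot: the cache is invalidated only by the `m_cachedSourceForToken = String();` added at the top of end(), so correctness relies on every token going through end() before the next sourceForToken call; if a caller can reach sourceForToken for a new token without an intervening end(), the previous token's string would be returned. Worth confirming that the tokenizer guarantees that ordering, or clearing the cache at the start of a token as well.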
     
    5152        return String(); // Hides the null character we use to mark the end of file.
    5253
     54    if (!m_cachedSourceForToken.isEmpty())
     55        return m_cachedSourceForToken;
     56
    5357    ASSERT(!token.startIndex());
    5458    UChar* data = 0;
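Review bot: the early return tests `isEmpty()`, which is also true for the null String that end() resets to, but it means a legitimately empty source for a token is never treated as cached: the second call falls through and runs the `m_source.advance()` loop again, which is exactly the stream mutation the patch is meant to avoid. Since end() resets the member to `String()`, checking `isNull()` here instead would distinguish "not computed" from "computed and empty" and make the cache hit in both cases.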
     
    5963        m_source.advance();
    6064    }
    61     return m_sourceFromPreviousSegments + source;
     65    m_cachedSourceForToken = m_sourceFromPreviousSegments + source;
     66    return m_cachedSourceForToken;
    6267}
    6368
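Review bot: a one-line comment above `m_cachedSourceForToken = m_sourceFromPreviousSegments + source;` saying why the result is stored (the loop just above has consumed m_source via advance(), so recomputing would read from the wrong position) would make the invariant obvious to the next reader; returning the member rather than the local is fine.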
  • trunk/Source/WebCore/html/parser/HTMLSourceTracker.h

    r76835 r77076  
    4848    String m_sourceFromPreviousSegments;
    4949    SegmentedString m_source;
     50    String m_cachedSourceForToken;
    5051};
    5152
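Review bot: `String m_cachedSourceForToken;` is added without a comment; stating its lifetime beside the declaration (valid from the first sourceForToken() call for a token until the next end() resets it) would document the contract the .cpp now depends on.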