Changeset 77076 in webkit
- Timestamp: Jan 29, 2011 6:39:40 PM (13 years ago)
- Location: trunk/Source/WebCore
- Files: 3 edited
trunk/Source/WebCore/ChangeLog
r77075 r77076 1 2011-01-29 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Daniel Bates. 4 5 Fix XSSFilter crash when extracting the source for a token twice 6 https://bugs.webkit.org/show_bug.cgi?id=53368 7 8 Previously, it was unsafe to extract the source for the same token 9 twice because the HTMLSourceTracker would advance its internal 10 representation of the SegmentedString. This patch introduces a cache 11 to make calling HTMLSourceTracker::sourceForToken multiple times safe. 12 13 * html/parser/HTMLSourceTracker.cpp: 14 (WebCore::HTMLSourceTracker::end): 15 (WebCore::HTMLSourceTracker::sourceForToken): 16 * html/parser/HTMLSourceTracker.h: 17 1 18 2011-01-29 Maciej Stachowiak <mjs@apple.com> 2 19 -
trunk/Source/WebCore/html/parser/HTMLSourceTracker.cpp
r76835 r77076 42 42 void HTMLSourceTracker::end(const HTMLInputStream& input, HTMLToken& token) 43 43 { 44 m_cachedSourceForToken = String(); 44 45 // FIXME: This work should really be done by the HTMLTokenizer. 45 46 token.end(input.current().numberOfCharactersConsumed()); … … 51 52 return String(); // Hides the null character we use to mark the end of file. 52 53 54 if (!m_cachedSourceForToken.isEmpty()) 55 return m_cachedSourceForToken; 56 53 57 ASSERT(!token.startIndex()); 54 58 UChar* data = 0; … … 59 63 m_source.advance(); 60 64 } 61 return m_sourceFromPreviousSegments + source; 65 m_cachedSourceForToken = m_sourceFromPreviousSegments + source; 66 return m_cachedSourceForToken; 62 67 } 63 68 -
trunk/Source/WebCore/html/parser/HTMLSourceTracker.h
r76835 r77076 48 48 String m_sourceFromPreviousSegments; 49 49 SegmentedString m_source; 50 String m_cachedSourceForToken; 50 51 }; 51 52
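Review bot: The ChangeLog entry names no regression test for the crash in bug 53368, and all three edited files are under trunk/Source/WebCore, so nothing in this changeset exercises the second call to HTMLSourceTracker::sourceForToken. Add a test that causes the source for one token to be extracted twice, or state in the entry why no test is included, so the double-extraction path stays covered if the cache is later changed.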
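Review bot: In HTMLSourceTracker::sourceForToken, the early return `if (!m_cachedSourceForToken.isEmpty())` treats "empty" as "nothing cached", so a result that is legitimately empty cannot be told apart from an unset cache, and a repeat call would fall through to the extraction path with its `m_source.advance()` loop again. If a token can yield an empty source here, track validity with a separate bool member set where `m_cachedSourceForToken` is assigned and cleared in end(), rather than inferring it from the string's contents.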
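Review bot: The new member `String m_cachedSourceForToken;` in HTMLSourceTracker.h carries no comment about its lifetime, and the cache is not tied to the `token` argument of sourceForToken: it is cleared only by `m_cachedSourceForToken = String();` at the top of HTMLSourceTracker::end. A caller that requests the source for a different token without an intervening end() would get the previous token's string. Document next to the member that the cache is valid only between one end() call and the next, or assert that in sourceForToken.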