Changeset 89118 in webkit
- Timestamp:
- Jun 16, 2011 10:54:14 PM (13 years ago)
- Location:
- trunk
- Files:
-
- 4 added
- 4 edited
trunk/LayoutTests/ChangeLog
r89117 r89118 1 2011-06-16 Jeffrey Pfau <jpfau@apple.com> 2 3 Reviewed by Alexey Proskuryakov. 4 5 Using null bytes when setting innerHTML in XTHML results in assertion and a crash due to null-pointer dereference 6 https://bugs.webkit.org/show_bug.cgi?id=61053 7 8 Added test cases covering two cases of using innerHTML with null bytes in XHTML. 9 10 * fast/parser/xhtml-innerhtml-null-byte-expected.txt: Added. 11 * fast/parser/xhtml-innerhtml-null-byte-first-expected.txt: Added. 12 * fast/parser/xhtml-innerhtml-null-byte-first.xhtml: Added. 13 * fast/parser/xhtml-innerhtml-null-byte.xhtml: Added. 14 1 15 2011-06-16 Yuta Kitamura <yutak@chromium.org> 2 16 -
trunk/Source/WebCore/ChangeLog
r89115 r89118 1 2011-06-16 Jeffrey Pfau <jpfau@apple.com> 2 3 Reviewed by Alexey Proskuryakov. 4 5 Using null bytes when setting innerHTML in XTHML results in assertion and a crash due to null-pointer dereference 6 https://bugs.webkit.org/show_bug.cgi?id=61053 7 8 XML parsing in-memory XML chunks now passes around a string object instead of a C string, ensuring null characters are properly handled. 9 10 Tests: fast/parser/xhtml-innerhtml-null-byte-first.xhtml 11 fast/parser/xhtml-innerhtml-null-byte.xhtml 12 13 * dom/XMLDocumentParser.h: 14 * dom/XMLDocumentParserLibxml2.cpp: 15 (WebCore::XMLParserContext::createMemoryParser): 16 (WebCore::XMLDocumentParser::initializeParserContext): 17 (WebCore::XMLDocumentParser::appendFragmentSource): 18 1 19 2011-06-16 Robin Dunn <robin@alldunn.com> 2 20 -
trunk/Source/WebCore/dom/XMLDocumentParser.h
r86921 r89118 33 33 #include <wtf/HashMap.h> 34 34 #include <wtf/OwnPtr.h> 35 #include <wtf/text/CString.h> 35 36 #include <wtf/text/StringHash.h> 36 37 … … 57 58 class XMLParserContext : public RefCounted<XMLParserContext> { 58 59 public: 59 static PassRefPtr<XMLParserContext> createMemoryParser(xmlSAXHandlerPtr, void* , const char*);60 static PassRefPtr<XMLParserContext> createStringParser(xmlSAXHandlerPtr, void* );60 static PassRefPtr<XMLParserContext> createMemoryParser(xmlSAXHandlerPtr, void* userData, const CString& chunk); 61 static PassRefPtr<XMLParserContext> createStringParser(xmlSAXHandlerPtr, void* userData); 61 62 ~XMLParserContext(); 62 63 xmlParserCtxtPtr context() const { return m_context; } … … 161 162 #endif 162 163 private: 163 void initializeParserContext(const char* chunk = 0);164 void initializeParserContext(const CString& chunk = CString()); 164 165 165 166 void pushCurrentNode(ContainerNode*); -
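Review bot: The new `const CString& chunk` parameter on createMemoryParser() carries two preconditions that are only stated in the .cpp — the chunk must be UTF-8 and its length must fit libxml2's int — while this header is what other callers read; nothing on the declaration says so. Add above it: `// chunk must be UTF-8 and at most INT_MAX bytes (libxml2 takes an int length); embedded NULs are passed through to the parser, not treated as a terminator.` The default `CString()` on initializeParserContext() yields a null data() pointer, and the .cpp asserts exactly that on the createStringParser() branch, so a one-line note there — `// A null (default) chunk is only valid when the string parser is selected.` — would make the default's meaning explicit rather than leaving it to the ASSERT.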
trunk/Source/WebCore/dom/XMLDocumentParserLibxml2.cpp
r87098 r89118 502 502 503 503 // Chunk should be encoded in UTF-8 504 PassRefPtr<XMLParserContext> XMLParserContext::createMemoryParser(xmlSAXHandlerPtr handlers, void* userData, const char*chunk)504 PassRefPtr<XMLParserContext> XMLParserContext::createMemoryParser(xmlSAXHandlerPtr handlers, void* userData, const CString& chunk) 505 505 { 506 506 if (!didInit) { … … 512 512 } 513 513 514 xmlParserCtxtPtr parser = xmlCreateMemoryParserCtxt(chunk, xmlStrlen((const xmlChar*)chunk)); 514 // appendFragmentSource() checks that the length doesn't overflow an int. 515 xmlParserCtxtPtr parser = xmlCreateMemoryParserCtxt(chunk.data(), chunk.length()); 515 516 516 517 if (!parser) … … 1277 1278 } 1278 1279 1279 void XMLDocumentParser::initializeParserContext(const char*chunk)1280 void XMLDocumentParser::initializeParserContext(const CString& chunk) 1280 1281 { 1281 1282 xmlSAXHandler sax; … … 1309 1310 m_context = XMLParserContext::createMemoryParser(&sax, this, chunk); 1310 1311 else { 1311 ASSERT(!chunk );1312 ASSERT(!chunk.data()); 1312 1313 m_context = XMLParserContext::createStringParser(&sax, this); 1313 1314 } … … 1444 1445 1445 1446 CString chunkAsUtf8 = chunk.utf8(); 1446 initializeParserContext(chunkAsUtf8.data()); 1447 1448 // libxml2 takes an int for a length, and therefore can't handle XML chunks larger than 2 GiB. 1449 if (chunkAsUtf8.length() > INT_MAX) 1450 return false; 1451 1452 initializeParserContext(chunkAsUtf8); 1447 1453 xmlParseContent(context()); 1448 1454 endDocument(); // Close any open text nodes. … … 1453 1459 long bytesProcessed = xmlByteConsumed(context()); 1454 1460 if (bytesProcessed == -1 || ((unsigned long)bytesProcessed) != chunkAsUtf8.length()) { 1455 // FIXME: I don't believe we can hit this case without also having seen an error .1461 // FIXME: I don't believe we can hit this case without also having seen an error or a null byte. 1456 1462 // If we hit this ASSERT, we've found a test case which demonstrates the need for this code. 
1457 ASSERT(m_sawError );1463 ASSERT(m_sawError || (bytesProcessed >= 0 && !chunkAsUtf8.data()[bytesProcessed])); 1458 1464 return false; 1459 1465 }
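Review bot: The INT_MAX guard added in appendFragmentSource() protects only that call site, while createMemoryParser() — a public static factory per the header — still narrows `chunk.length()` to libxml2's int parameter with nothing but a comment pointing back at the caller, so any other caller with a >2 GiB chunk would hand libxml2 a truncated or negative length. Move the check into the callee so it holds for every caller: replace the comment with `if (chunk.length() > static_cast<size_t>(INT_MAX)) return 0;` ahead of the xmlCreateMemoryParserCtxt() call (returning 0 as the existing `if (!parser)` path presumably does; the early return in appendFragmentSource() can stay as a fast path). Separately, the new ASSERT indexes `chunkAsUtf8.data()[bytesProcessed]` after checking only `bytesProcessed >= 0`; the enclosing condition guarantees bytesProcessed != length, not bytesProcessed < length, so adding `(unsigned long)bytesProcessed < chunkAsUtf8.length()` to the conjunction would keep the debug-only read inside the buffer if libxml2 ever reports more bytes than were supplied. Both hunks are cut from their enclosing functions: createMemoryParser() continues past the first hunk, and appendFragmentSource() begins before and ends after the last one.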