Changeset 89118 in webkit


Timestamp:
Jun 16, 2011 10:54:14 PM (13 years ago)
Author:
commit-queue@webkit.org
Message:

2011-06-16 Jeffrey Pfau <jpfau@apple.com>

Reviewed by Alexey Proskuryakov.

Using null bytes when setting innerHTML in XHTML results in assertion and a crash due to null-pointer dereference
https://bugs.webkit.org/show_bug.cgi?id=61053

Added test cases covering two cases of using innerHTML with null bytes in XHTML.

  • fast/parser/xhtml-innerhtml-null-byte-expected.txt: Added.
  • fast/parser/xhtml-innerhtml-null-byte-first-expected.txt: Added.
  • fast/parser/xhtml-innerhtml-null-byte-first.xhtml: Added.
  • fast/parser/xhtml-innerhtml-null-byte.xhtml: Added.

2011-06-16 Jeffrey Pfau <jpfau@apple.com>

Reviewed by Alexey Proskuryakov.

Using null bytes when setting innerHTML in XHTML results in assertion and a crash due to null-pointer dereference
https://bugs.webkit.org/show_bug.cgi?id=61053

XML parsing of in-memory XML chunks now passes around a string object instead of a C string, ensuring null characters are properly handled.

Tests: fast/parser/xhtml-innerhtml-null-byte-first.xhtml
       fast/parser/xhtml-innerhtml-null-byte.xhtml

  • dom/XMLDocumentParser.h:
  • dom/XMLDocumentParserLibxml2.cpp:
    (WebCore::XMLParserContext::createMemoryParser):
    (WebCore::XMLDocumentParser::initializeParserContext):
    (WebCore::XMLDocumentParser::appendFragmentSource):
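The length problem the change fixes, as an added example that is not WebKit code: a toy parser stands in for libxml2 and stops at a NUL byte, and a classifier mirrors the checks appendFragmentSource() performs after the switch from a C string to a length-carrying string. All names (toyParse, classifyChunk, the k*Chunk inputs) are hypothetical and the sample chunks are constructed.

```cpp
// Added example, not WebKit code: toy model of the length handling this
// change addresses. toyParse() stands in for libxml2 and stops at a NUL byte;
// classifyChunk() mirrors the checks in appendFragmentSource(). All names are
// hypothetical and the sample chunks are constructed.
#include <climits>
#include <cstring>
#include <string>

enum ChunkStatus { Parsed, TooLarge, StoppedAtNulByte, SawError, Inconsistent };

// Consumes bytes until `length` bytes are read or a NUL byte is hit and
// returns the count, like xmlByteConsumed(). A trailing '<' models a parse error.
static long toyParse(const char* data, size_t length, bool& sawError) {
    size_t i = 0;
    sawError = false;
    while (i < length && data[i] != '\0') {
        if (data[i] == '<' && i + 1 == length) { sawError = true; break; }
        ++i;
    }
    return static_cast<long>(i);
}

// Length a strlen()-style call reports: bytes after an embedded NUL are dropped.
size_t lengthViaStrlen(const std::string& chunk) { return std::strlen(chunk.c_str()); }

// Length-carrying version: the real size is checked against INT_MAX, passed
// through, and a short read is attributed to an error or to a NUL byte.
ChunkStatus classifyChunk(const std::string& chunk) {
    if (chunk.size() > static_cast<size_t>(INT_MAX))   // libxml2 takes an int
        return TooLarge;
    bool sawError = false;
    long consumed = toyParse(chunk.data(), chunk.size(), sawError);
    if (consumed >= 0 && static_cast<size_t>(consumed) == chunk.size())
        return Parsed;
    if (sawError)
        return SawError;
    // consumed < chunk.size() here, so the index below is in bounds.
    if (consumed >= 0 && chunk.data()[consumed] == '\0')
        return StoppedAtNulByte;
    return Inconsistent;   // the case the updated ASSERT would flag
}

// Constructed inputs; std::string keeps the embedded NUL, a C string cannot.
static const std::string kNulChunk("<p>ab\0cd</p>", 12);
static const std::string kCleanChunk("<p>abcd</p>");
static const std::string kBrokenChunk("<p>abcd<");

int main() {
    return classifyChunk(kNulChunk) == StoppedAtNulByte ? 0 : 1;
}
```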
Location:
trunk
Files:
4 added
4 edited

  • trunk/LayoutTests/ChangeLog

    r89117 r89118  
     12011-06-16  Jeffrey Pfau  <jpfau@apple.com>
     2
     3        Reviewed by Alexey Proskuryakov.
     4
     5        Using null bytes when setting innerHTML in XTHML results in assertion and a crash due to null-pointer dereference
     6        https://bugs.webkit.org/show_bug.cgi?id=61053
     7
     8        Added test cases covering two cases of using innerHTML with null bytes in XHTML.
     9
     10        * fast/parser/xhtml-innerhtml-null-byte-expected.txt: Added.
     11        * fast/parser/xhtml-innerhtml-null-byte-first-expected.txt: Added.
     12        * fast/parser/xhtml-innerhtml-null-byte-first.xhtml: Added.
     13        * fast/parser/xhtml-innerhtml-null-byte.xhtml: Added.
     14
    1152011-06-16  Yuta Kitamura  <yutak@chromium.org>
    216
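Review bot: typo in the bug-title line of the new entry: "XTHML" should read "XHTML" (the same line is repeated in the WebCore ChangeLog entry of this patch).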
  • trunk/Source/WebCore/ChangeLog

    r89115 r89118  
     12011-06-16  Jeffrey Pfau  <jpfau@apple.com>
     2
     3        Reviewed by Alexey Proskuryakov.
     4
     5        Using null bytes when setting innerHTML in XTHML results in assertion and a crash due to null-pointer dereference
     6        https://bugs.webkit.org/show_bug.cgi?id=61053
     7
     8        XML parsing in-memory XML chunks now passes around a string object instead of a C string, ensuring null characters are properly handled.
     9
     10        Tests: fast/parser/xhtml-innerhtml-null-byte-first.xhtml
     11               fast/parser/xhtml-innerhtml-null-byte.xhtml
     12
     13        * dom/XMLDocumentParser.h:
     14        * dom/XMLDocumentParserLibxml2.cpp:
     15        (WebCore::XMLParserContext::createMemoryParser):
     16        (WebCore::XMLDocumentParser::initializeParserContext):
     17        (WebCore::XMLDocumentParser::appendFragmentSource):
     18
    1192011-06-16  Robin Dunn  <robin@alldunn.com>
    220
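Review bot: the description undersells the change: besides passing a CString instead of a C string, appendFragmentSource() now refuses chunks longer than INT_MAX with a plain `return false`, and the post-parse ASSERT now accepts a stop at a null byte; one sentence on each would keep the ChangeLog in step with the code. The bug-title line also carries the "XTHML" typo.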
  • trunk/Source/WebCore/dom/XMLDocumentParser.h

    r86921 r89118  
    3333#include <wtf/HashMap.h>
    3434#include <wtf/OwnPtr.h>
     35#include <wtf/text/CString.h>
    3536#include <wtf/text/StringHash.h>
    3637
     
    5758    class XMLParserContext : public RefCounted<XMLParserContext> {
    5859    public:
    59         static PassRefPtr<XMLParserContext> createMemoryParser(xmlSAXHandlerPtr, void*, const char*);
    60         static PassRefPtr<XMLParserContext> createStringParser(xmlSAXHandlerPtr, void*);
     60        static PassRefPtr<XMLParserContext> createMemoryParser(xmlSAXHandlerPtr, void* userData, const CString& chunk);
     61        static PassRefPtr<XMLParserContext> createStringParser(xmlSAXHandlerPtr, void* userData);
    6162        ~XMLParserContext();
    6263        xmlParserCtxtPtr context() const { return m_context; }
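Review bot: the new `createMemoryParser(xmlSAXHandlerPtr, void* userData, const CString& chunk)` declaration says nothing about the property the change depends on, namely that the parser length is taken from the CString, so embedded null bytes are handed to libxml2 instead of terminating the input; a one-line comment on the declaration would spare the next reader a trip to the .cpp. Adding the `userData` parameter name on both declarations is fine but unrelated to the fix.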
     
    161162#endif
    162163    private:
    163         void initializeParserContext(const char* chunk = 0);
     164        void initializeParserContext(const CString& chunk = CString());
    164165
    165166        void pushCurrentNode(ContainerNode*);
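Review bot: `initializeParserContext(const CString& chunk = CString())` makes a null CString the signal for "no in-memory chunk, use the string parser"; a null CString and an empty one ("") are different values here, and the callee's ASSERT relies on that distinction, so document it next to the default rather than leaving it implicit.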
  • trunk/Source/WebCore/dom/XMLDocumentParserLibxml2.cpp

    r87098 r89118  
    502502
    503503// Chunk should be encoded in UTF-8
    504 PassRefPtr<XMLParserContext> XMLParserContext::createMemoryParser(xmlSAXHandlerPtr handlers, void* userData, const char* chunk)
     504PassRefPtr<XMLParserContext> XMLParserContext::createMemoryParser(xmlSAXHandlerPtr handlers, void* userData, const CString& chunk)
    505505{
    506506    if (!didInit) {
     
    512512    }
    513513
    514     xmlParserCtxtPtr parser = xmlCreateMemoryParserCtxt(chunk, xmlStrlen((const xmlChar*)chunk));
     514    // appendFragmentSource() checks that the length doesn't overflow an int.
     515    xmlParserCtxtPtr parser = xmlCreateMemoryParserCtxt(chunk.data(), chunk.length());
    515516
    516517    if (!parser)
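Review bot: the comment "appendFragmentSource() checks that the length doesn't overflow an int" delegates the bounds check to one caller, but createMemoryParser() is a public static factory and `chunk.length()` is still narrowed to int implicitly at the xmlCreateMemoryParserCtxt() call; add `ASSERT(chunk.length() <= INT_MAX)` (or a real check returning 0) here so any future caller gets the same protection without having to know the convention.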
     
    12771278}
    12781279
    1279 void XMLDocumentParser::initializeParserContext(const char* chunk)
     1280void XMLDocumentParser::initializeParserContext(const CString& chunk)
    12801281{
    12811282    xmlSAXHandler sax;
     
    13091310        m_context = XMLParserContext::createMemoryParser(&sax, this, chunk);
    13101311    else {
    1311         ASSERT(!chunk);
     1312        ASSERT(!chunk.data());
    13121313        m_context = XMLParserContext::createStringParser(&sax, this);
    13131314    }
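Review bot: `ASSERT(!chunk.data())` in the else branch is only consistent if the `if` just above the hunk now tests `chunk.data()` as well, not `chunk.length()` or a truthiness check inherited from the `const char*` version; an empty non-null CString has `data() != 0` and `length() == 0`, and would hit this ASSERT if the condition routes it to the string parser. Please confirm the condition was updated to match.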
     
    14441445
    14451446    CString chunkAsUtf8 = chunk.utf8();
    1446     initializeParserContext(chunkAsUtf8.data());
     1447   
     1448    // libxml2 takes an int for a length, and therefore can't handle XML chunks larger than 2 GiB.
     1449    if (chunkAsUtf8.length() > INT_MAX)
     1450        return false;
     1451
     1452    initializeParserContext(chunkAsUtf8);
    14471453    xmlParseContent(context());
    14481454    endDocument(); // Close any open text nodes.
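Review bot: the early `return false` for chunks over INT_MAX leaves no trace (m_sawError is not set and no error is reported), so the caller cannot tell this from an ordinary parse failure; record the error, or at least comment that silent failure is intended. Two smaller points: INT_MAX is used but no include of <limits.h> appears in this patch, so confirm it is already reachable from this file, and the added blank line at 1447 carries trailing whitespace.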
     
    14531459    long bytesProcessed = xmlByteConsumed(context());
    14541460    if (bytesProcessed == -1 || ((unsigned long)bytesProcessed) != chunkAsUtf8.length()) {
    1455         // FIXME: I don't believe we can hit this case without also having seen an error.
     1461        // FIXME: I don't believe we can hit this case without also having seen an error or a null byte.
    14561462        // If we hit this ASSERT, we've found a test case which demonstrates the need for this code.
    1457         ASSERT(m_sawError);
     1463        ASSERT(m_sawError || (bytesProcessed >= 0 && !chunkAsUtf8.data()[bytesProcessed]));
    14581464        return false;
    14591465    }
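Review bot: the new ASSERT indexes `chunkAsUtf8.data()[bytesProcessed]` guarded only by `bytesProcessed >= 0`; the enclosing condition establishes that bytesProcessed differs from the length, not that it is smaller, so if xmlByteConsumed() ever reported more than the chunk length the ASSERT would read past the buffer. Tighten the guard to `(unsigned long)bytesProcessed < chunkAsUtf8.length()` (index == length lands on CString's terminator, so `<=` is also defensible).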