Changeset 93561 in webkit

Timestamp:

Aug 22, 2011 4:52:37 PM (13 years ago)

Author:

abarth@webkit.org

Message:

HTMLSourceTracker crashes when network packets break poorly
​https://bugs.webkit.org/show_bug.cgi?id=66728

Reviewed by Darin Adler.

Source/WebCore:

If there is a network packet boundary in the middle of an attribute
that begins with the letters "on", then the HTMLSourceTracker will get
confused and try to extract too many characters from future input. If
the future input is small enough, that will walk off the end of the
input and crash.

Test: http/tests/security/xssAuditor/crash-while-loading-tag-with-pause.html

• html/parser/HTMLSourceTracker.cpp:

(WebCore::HTMLSourceTracker::sourceForToken):

LayoutTests:

Test that we don't crash when we get a bad network packet boundary.

• http/tests/security/xssAuditor/crash-while-loading-tag-with-pause-expected.txt: Added.
• http/tests/security/xssAuditor/crash-while-loading-tag-with-pause.html: Added.
• http/tests/security/xssAuditor/resources/tag-with-pause.php: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/crash-while-loading-tag-with-pause-expected.txt (added)
• LayoutTests/http/tests/security/xssAuditor/crash-while-loading-tag-with-pause.html (added)
• LayoutTests/http/tests/security/xssAuditor/resources/tag-with-pause.php (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/html/parser/HTMLSourceTracker.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-08-22  Adam Barth  <abarth@webkit.org>
+
+        HTMLSourceTracker crashes when network packets break poorly
+        https://bugs.webkit.org/show_bug.cgi?id=66728
+
+        Reviewed by Darin Adler.
+
+        Test that we don't crash when we get a bad network packet boundary.
+
+        * http/tests/security/xssAuditor/crash-while-loading-tag-with-pause-expected.txt: Added.
+        * http/tests/security/xssAuditor/crash-while-loading-tag-with-pause.html: Added.
+        * http/tests/security/xssAuditor/resources/tag-with-pause.php: Added.
+
 2011-08-22  Peter Kasting  <pkasting@google.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-08-22  Adam Barth  <abarth@webkit.org>
+
+        HTMLSourceTracker crashes when network packets break poorly
+        https://bugs.webkit.org/show_bug.cgi?id=66728
+
+        Reviewed by Darin Adler.
+
+        If there is a network packet boundary in the middle of an attribute
+        that begins with the letters "on", then the HTMLSourceTracker will get
+        confused and try to extract too many characters from future input.  If
+        the future input is small enough, that will walk off the end of the
+        input and crash.
+
+        Test: http/tests/security/xssAuditor/crash-while-loading-tag-with-pause.html
+
+        * html/parser/HTMLSourceTracker.cpp:
+        (WebCore::HTMLSourceTracker::sourceForToken):
+
 2011-08-22  Eric Seidel  <eric@webkit.org>
 

trunk/Source/WebCore/html/parser/HTMLSourceTracker.cpp

@@ -61 +61 @@
     source.reserveCapacity(length);
     source.append(m_sourceFromPreviousSegments);
+    length -= m_sourceFromPreviousSegments.length();
     for (int i = 0; i < length; ++i) {
         source.append(*m_source);