Title: [93561] trunk
Revision
93561
Author
[email protected]
Date
2011-08-22 16:52:37 -0700 (Mon, 22 Aug 2011)

Log Message

HTMLSourceTracker crashes when network packets break poorly
https://bugs.webkit.org/show_bug.cgi?id=66728

Reviewed by Darin Adler.

Source/WebCore:

If there is a network packet boundary in the middle of an attribute
that begins with the letters "on", then the HTMLSourceTracker will get
confused and try to extract too many characters from future input.  If
the future input is small enough, that will walk off the end of the
input and crash.

Test: http/tests/security/xssAuditor/crash-while-loading-tag-with-pause.html

* html/parser/HTMLSourceTracker.cpp:
(WebCore::HTMLSourceTracker::sourceForToken):

LayoutTests:

Test that we don't crash when we get a bad network packet boundary.

* http/tests/security/xssAuditor/crash-while-loading-tag-with-pause-expected.txt: Added.
* http/tests/security/xssAuditor/crash-while-loading-tag-with-pause.html: Added.
* http/tests/security/xssAuditor/resources/tag-with-pause.php: Added.
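To make the failure mode in the log message concrete, here is a simplified model of the tracker, written for this page and not taken from WebKit. It assumes a tracker that carries text consumed in earlier segments in a `sourceFromPreviousSegments` buffer and measures a token's span with absolute stream offsets (in the spirit of `HTMLToken`'s start/end indices); the class, function and field names are this example's own. The XSS auditor inspects inline event-handler attributes, which is why the message singles out names beginning with "on": that is when a tag's source is requested. The replay reproduces the traffic shape of `tag-with-pause.php` (first packet ends mid-attribute, second packet is a short remainder) with and without the one-line fix, throwing where the real code would read past the end of the input:

```cpp
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>

// Absolute character offsets of a token in the whole input stream, in the
// spirit of HTMLToken's startIndex()/endIndex(). (Names are this example's.)
struct TokenSpan {
    size_t startIndex;
    size_t endIndex;
};

// Simplified model of a source tracker (not WebKit's HTMLSourceTracker). The
// tokenizer hands it input one network segment at a time. If a segment ends
// while a token is still open, the text consumed so far is carried over in
// sourceFromPreviousSegments and the remainder of the token is copied out of
// the next segment when the token's source text is requested.
class SourceTrackerModel {
public:
    void segmentEnded(const std::string& consumedSoFar) {
        sourceFromPreviousSegments += consumedSoFar;
    }

    // `current` is the segment in which the token finished. `applyFix`
    // toggles the one-line change from r93561. Throws instead of reading
    // out of bounds, where the real code walks off the end and crashes.
    std::string sourceForToken(const TokenSpan& token, const std::string& current, bool applyFix) {
        // Total span of the token measured over the whole stream, so it
        // already covers the characters carried over from earlier segments.
        size_t length = token.endIndex - token.startIndex;

        std::string source;
        source.reserve(length);
        source += sourceFromPreviousSegments;

        // The fix: only the part not yet copied has to come from `current`.
        if (applyFix)
            length -= sourceFromPreviousSegments.size();

        for (size_t i = 0; i < length; ++i) {
            if (i >= current.size())
                throw std::out_of_range("sourceForToken walked off the end of the input");
            source += current[i];
        }
        sourceFromPreviousSegments.clear();
        return source;
    }

private:
    std::string sourceFromPreviousSegments;
};

struct Outcome {
    bool walkedOffEnd;
    std::string source;
};

// Replays the traffic shape of tag-with-pause.php: the first packet ends in
// the middle of an attribute whose name starts with "on", the second packet
// is the short remainder of the tag. Offsets are absolute, so a constructed
// prefix stands in for the comment and <body> that precede the tag.
Outcome replayTagWithPause(bool applyFix) {
    const std::string packet1 = "<a ona" + std::string(2000, 'a');   // constructed, mirrors the test
    const std::string packet2 = "click=alert(1) ttt>";               // constructed, mirrors the test
    const size_t prefixLength = 2048 + 20; // arbitrary: bytes before "<a" in the stream

    SourceTrackerModel tracker;
    // Packet 1 is consumed entirely without closing the tag.
    tracker.segmentEnded(packet1);
    // The tag closes inside packet 2.
    TokenSpan tag { prefixLength, prefixLength + packet1.size() + packet2.size() };
    try {
        return { false, tracker.sourceForToken(tag, packet2, applyFix) };
    } catch (const std::out_of_range&) {
        return { true, "" };
    }
}

int main() {
    Outcome before = replayTagWithPause(false);
    Outcome after = replayTagWithPause(true);
    std::cout << "before fix: " << (before.walkedOffEnd ? "read past end of input" : "ok") << "\n";
    std::cout << "after fix:  " << (after.walkedOffEnd ? "read past end of input" : "ok")
              << ", token source length " << after.source.size() << "\n";
    return 0;
}
```

Without the fix the model asks the 19-byte second packet for all 2025 bytes of the tag, which is the over-read the bug report describes; with the fix the carried-over 2006 bytes are subtracted first and the reassembled tag source is exactly the concatenation of the two packets. The model checks bounds explicitly only so the failure is observable; the point of the replay is that a correct count, not a bounds check, is what the one-line change supplies.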

Diff

Modified: trunk/LayoutTests/ChangeLog (93560 => 93561)


--- trunk/LayoutTests/ChangeLog	2011-08-22 23:41:20 UTC (rev 93560)
+++ trunk/LayoutTests/ChangeLog	2011-08-22 23:52:37 UTC (rev 93561)
@@ -1,3 +1,16 @@
+2011-08-22  Adam Barth  <[email protected]>
+
+        HTMLSourceTracker crashes when network packets break poorly
+        https://bugs.webkit.org/show_bug.cgi?id=66728
+
+        Reviewed by Darin Adler.
+
+        Test that we don't crash when we get a bad network packet boundary.
+
+        * http/tests/security/xssAuditor/crash-while-loading-tag-with-pause-expected.txt: Added.
+        * http/tests/security/xssAuditor/crash-while-loading-tag-with-pause.html: Added.
+        * http/tests/security/xssAuditor/resources/tag-with-pause.php: Added.
+
 2011-08-22  Peter Kasting  <[email protected]>
 
         Unreviewed, rolling out r93538.

Added: trunk/LayoutTests/http/tests/security/xssAuditor/crash-while-loading-tag-with-pause-expected.txt (0 => 93561)


--- trunk/LayoutTests/http/tests/security/xssAuditor/crash-while-loading-tag-with-pause-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/crash-while-loading-tag-with-pause-expected.txt	2011-08-22 23:52:37 UTC (rev 93561)
@@ -0,0 +1,2 @@
+This test passes if it doesn't crash.
+

Added: trunk/LayoutTests/http/tests/security/xssAuditor/crash-while-loading-tag-with-pause.html (0 => 93561)


--- trunk/LayoutTests/http/tests/security/xssAuditor/crash-while-loading-tag-with-pause.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/crash-while-loading-tag-with-pause.html	2011-08-22 23:52:37 UTC (rev 93561)
@@ -0,0 +1,8 @@
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+This test passes if it doesn't crash.<br>
+<iframe src=""
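Review bot: The final line of this hunk, `<iframe src=""`, is incomplete: the src is empty and neither the closing `>` nor a `</iframe>` is present, so as shown nothing in the test loads resources/tag-with-pause.php, the only file in this change that produces the mid-attribute packet boundary. Confirm the committed file points the iframe at that resource and closes the tag; otherwise the test never reaches the tracker code path and passes vacuously.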

Added: trunk/LayoutTests/http/tests/security/xssAuditor/resources/tag-with-pause.php (0 => 93561)


--- trunk/LayoutTests/http/tests/security/xssAuditor/resources/tag-with-pause.php	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/resources/tag-with-pause.php	2011-08-22 23:52:37 UTC (rev 93561)
@@ -0,0 +1,18 @@
+<?
+header("Content-Type: text/html; charset=utf-8");
+?>
+<!-- <?php
+# Spam a bunch of As to make sure we blow past any buffers.
+print str_repeat("A", 2048);
+?> -->
+<body>
+<?php
+print "<a ona";
+print str_repeat("a", 2000);
+
+flush();
+usleep(200000);
+
+print "click=alert(1) ttt>";
+?>
+Done.
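Review bot: The first block uses the short open tag `<?` while the two later blocks use `<?php`; with `short_open_tag` disabled the `header(...)` call is emitted as literal text and the Content-Type header is never set, so use `<?php` throughout. Also, `flush()` only pushes PHP's own buffer to the SAPI; if `output_buffering` is enabled, call `ob_flush()` (or `while (ob_get_level()) ob_end_flush();`) before it so the first packet really ends before the `usleep()`. The 2048 `A`s are a reasonable hedge against buffering, but making the flush explicit keeps the split the test depends on from varying with server configuration.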

Modified: trunk/Source/WebCore/ChangeLog (93560 => 93561)


--- trunk/Source/WebCore/ChangeLog	2011-08-22 23:41:20 UTC (rev 93560)
+++ trunk/Source/WebCore/ChangeLog	2011-08-22 23:52:37 UTC (rev 93561)
@@ -1,3 +1,21 @@
+2011-08-22  Adam Barth  <[email protected]>
+
+        HTMLSourceTracker crashes when network packets break poorly
+        https://bugs.webkit.org/show_bug.cgi?id=66728
+
+        Reviewed by Darin Adler.
+
+        If there is a network packet boundary in the middle of an attribute
+        that begins with the letters "on", then the HTMLSourceTracker will get
+        confused and try to extract too many characters from future input.  If
+        the future input is small enough, that will walk off the end of the
+        input and crash.
+
+        Test: http/tests/security/xssAuditor/crash-while-loading-tag-with-pause.html
+
+        * html/parser/HTMLSourceTracker.cpp:
+        (WebCore::HTMLSourceTracker::sourceForToken):
+
 2011-08-22  Eric Seidel  <[email protected]>
 
         Attempt to clean up bidiNext usage

Modified: trunk/Source/WebCore/html/parser/HTMLSourceTracker.cpp (93560 => 93561)


--- trunk/Source/WebCore/html/parser/HTMLSourceTracker.cpp	2011-08-22 23:41:20 UTC (rev 93560)
+++ trunk/Source/WebCore/html/parser/HTMLSourceTracker.cpp	2011-08-22 23:52:37 UTC (rev 93561)
@@ -60,6 +60,7 @@
     StringBuilder source;
     source.reserveCapacity(length);
     source.append(m_sourceFromPreviousSegments);
+    length -= m_sourceFromPreviousSegments.length();
     for (int i = 0; i < length; ++i) {
         source.append(*m_source);
         m_source.advance();
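Review bot: The declaration of `length` lies outside the hunk, so check its type before trusting this subtraction: the loop compares an `int` index against it, and if `length` is unsigned then a `m_sourceFromPreviousSegments` longer than the token's span underflows to a huge count and reproduces exactly the over-read this patch fixes. An `ASSERT(length >= m_sourceFromPreviousSegments.length())` before the subtraction would document the invariant, and the loop would be safer still with `if (m_source.isEmpty()) break;` ahead of `source.append(*m_source)`, since the fix corrects the count but the loop still dereferences `m_source` without checking that any input remains. A one-line comment noting that `reserveCapacity(length)` above deliberately uses the total span would also stop the subtraction from being misread as an off-by-one.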
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes