Modified: trunk/LayoutTests/ChangeLog (245027 => 245028)
--- trunk/LayoutTests/ChangeLog 2019-05-07 20:29:17 UTC (rev 245027)
+++ trunk/LayoutTests/ChangeLog 2019-05-07 20:30:37 UTC (rev 245028)
@@ -1,3 +1,19 @@
+2019-05-07 Brent Fulgham <bfulg...@apple.com>
+
+ Correct JSON parser to address unterminated escape character
+ https://bugs.webkit.org/show_bug.cgi?id=197582
+ <rdar://problem/50459177>
+
+ Reviewed by Alex Christensen.
+
+ * applicationmanifest/display-mode-bad-manifest-expected.txt:
+ * applicationmanifest/display-mode-bad-manifest.html:
+ * applicationmanifest/resources/bad.manifest: Added.
+ * js/resources/JSON-parse.js: Add test case for unterminated escape.
+ * js/dom/JSON-parse-expected.txt: Add new test case.
+ * TestWebKitAPI/Tests/WTF/JSONValue.cpp: Add new false test case
+ for unterminated escape character.
+
2019-05-07 John Wilander <wilan...@apple.com>
Storage Access API: Make two changes requested by developers and complete refactoring and cleanup
Added: trunk/LayoutTests/applicationmanifest/display-mode-bad-manifest-expected.txt (0 => 245028)
--- trunk/LayoutTests/applicationmanifest/display-mode-bad-manifest-expected.txt (rev 0)
+++ trunk/LayoutTests/applicationmanifest/display-mode-bad-manifest-expected.txt 2019-05-07 20:30:37 UTC (rev 245028)
@@ -0,0 +1 @@
+(display-mode) (display-mode: browser)
Added: trunk/LayoutTests/applicationmanifest/display-mode-bad-manifest.html (0 => 245028)
--- trunk/LayoutTests/applicationmanifest/display-mode-bad-manifest.html (rev 0)
+++ trunk/LayoutTests/applicationmanifest/display-mode-bad-manifest.html 2019-05-07 20:30:37 UTC (rev 245028)
@@ -0,0 +1,32 @@
+<!-- webkit-test-runner [ applicationManifest=resources/bad.manifest ] -->
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<style>
+div { display: none; }
+@media (display-mode) {
+ .display-mode-null { display: inline; }
+}
+@media (display-mode: browser) {
+ .display-mode-browser { display: inline; }
+}
+@media (display-mode: minimal-ui) {
+ .display-mode-minimal-ui { display: inline; }
+}
+@media (display-mode: standalone) {
+ .display-mode-standalone { display: inline; }
+}
+@media (display-mode: fullscreen) {
+ .display-mode-fullscreen { display: inline; }
+}
+@media (display-mode: invalid-value) {
+ .display-mode-invalid-value { display: inline; }
+}
+</style>
+<div class="display-mode-null">(display-mode)</div>
+<div class="display-mode-browser">(display-mode: browser)</div>
+<div class="display-mode-minimal-ui">(display-mode: minimal-ui)</div>
+<div class="display-mode-standalone">(display-mode: standalone)</div>
+<div class="display-mode-fullscreen">(display-mode: fullscreen)</div>
+<div class="display-mode-invalid-value">(display-mode: invalid-value)</div>
\ No newline at end of file
Added: trunk/LayoutTests/applicationmanifest/resources/bad.manifest (0 => 245028)
--- trunk/LayoutTests/applicationmanifest/resources/bad.manifest (rev 0)
+++ trunk/LayoutTests/applicationmanifest/resources/bad.manifest 2019-05-07 20:30:37 UTC (rev 245028)
@@ -0,0 +1 @@
+"\
\ No newline at end of file
Modified: trunk/LayoutTests/js/dom/JSON-parse-expected.txt (245027 => 245028)
--- trunk/LayoutTests/js/dom/JSON-parse-expected.txt 2019-05-07 20:29:17 UTC (rev 245027)
+++ trunk/LayoutTests/js/dom/JSON-parse-expected.txt 2019-05-07 20:30:37 UTC (rev 245028)
@@ -348,6 +348,10 @@
}
PASS JSON.stringify(tests[i](nativeJSON)) is JSON.stringify(tests[i](JSON))
function (jsonObject){
+ return jsonObject.parse('\\')
+ }
+PASS tests[i](nativeJSON) threw exception SyntaxError: JSON Parse error: Unrecognized token '\'.
+function (jsonObject){
return jsonObject.parse(JSON.stringify(simpleObject));
}
PASS JSON.stringify(tests[i](nativeJSON)) is tests[i].expected
Modified: trunk/LayoutTests/js/resources/JSON-parse.js (245027 => 245028)
--- trunk/LayoutTests/js/resources/JSON-parse.js 2019-05-07 20:29:17 UTC (rev 245027)
+++ trunk/LayoutTests/js/resources/JSON-parse.js 2019-05-07 20:30:37 UTC (rev 245028)
@@ -308,6 +308,10 @@
result.push(function(jsonObject){
return jsonObject.parse('false');
});
+ result.push(function(jsonObject){
+ return jsonObject.parse('\\')
+ });
+ result[result.length - 1].throws = true;
var simpleArray = ['a', 'b', 'c'];
var simpleObject = {a:"1", b:"2", c:"3"};
var complexArray = ['a', 'b', 'c',,,simpleObject, simpleArray, [simpleObject,simpleArray]];
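Review bot: The new test body `return jsonObject.parse('\\')` drops the trailing semicolon that the neighbouring `return jsonObject.parse('false');` carries, so the two adjacent cases are written in different styles. Writing it as `return jsonObject.parse('\\');` keeps the file consistent, but note that the function source is echoed verbatim into js/dom/JSON-parse-expected.txt in this same commit, so the expected file would have to be updated in step. The `result[result.length - 1].throws = true;` marker is the right way to flag the case as a negative test here, matching how the harness reports "threw exception" in the expected output.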
Modified: trunk/Source/WTF/ChangeLog (245027 => 245028)
--- trunk/Source/WTF/ChangeLog 2019-05-07 20:29:17 UTC (rev 245027)
+++ trunk/Source/WTF/ChangeLog 2019-05-07 20:30:37 UTC (rev 245028)
@@ -1,3 +1,18 @@
+2019-05-07 Brent Fulgham <bfulg...@apple.com>
+
+ Correct JSON parser to address unterminated escape character
+ https://bugs.webkit.org/show_bug.cgi?id=197582
+ <rdar://problem/50459177>
+
+ Reviewed by Alex Christensen.
+
+ Correct JSON parser code to properly deal with unterminated escape
+ characters.
+
+ * wtf/JSONValues.cpp:
+ (WTF::JSONImpl::decodeString):
+ (WTF::JSONImpl::parseStringToken):
+
2019-05-07 Alex Christensen <achristen...@webkit.org>
Add a release assertion that Functions can only be constructed from non-null CompletionHandlers
Modified: trunk/Source/WTF/wtf/JSONValues.cpp (245027 => 245028)
--- trunk/Source/WTF/wtf/JSONValues.cpp 2019-05-07 20:29:17 UTC (rev 245027)
+++ trunk/Source/WTF/wtf/JSONValues.cpp 2019-05-07 20:30:37 UTC (rev 245028)
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2010 Google Inc. All rights reserved.
* Copyright (C) 2014 University of Washington. All rights reserved.
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
@@ -163,7 +163,7 @@
{
while (start < end) {
UChar c = *start++;
- if ('\\' == c) {
+ if ('\\' == c && start < end) {
c = *start++;
// Make sure the escaped char is valid.
switch (c) {
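Review bot: The added `start < end` at `if ('\\' == c && start < end)` protects only the read of the escape lead character; if the `case 'x'` / `case 'u'` arms of this switch index `start[0..3]` the way parseStringToken's do, they need a remaining-length check of their own, which this hunk does not add (those arms are outside the hunk, so this is inferred from the sibling function). When the backslash is the final character the condition now falls through to the non-escape path instead of failing, so whether a trailing backslash is copied into the output depends on code below the hunk; a comment such as `// Trailing backslash: nothing to decode; relies on parseStringToken having rejected the token - confirm` would record that intent. decodeString's body continues outside the hunk.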
@@ -269,6 +269,8 @@
output.append(c);
continue;
}
+ if (UNLIKELY(start >= end))
+ return false;
c = *start++;
switch (c) {
case '"':
@@ -294,10 +296,14 @@
c = '\v';
break;
case 'x':
+ if (UNLIKELY(start + 1 >= end))
+ return false;
c = toASCIIHexValue(start[0], start[1]);
start += 2;
break;
case 'u':
+ if (UNLIKELY(start + 3 >= end))
+ return false;
c = toASCIIHexValue(start[0], start[1]) << 8 | toASCIIHexValue(start[2], start[3]);
start += 4;
break;
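Review bot: The length checks at `case 'x'` and `case 'u'` are written as `start + 1 >= end` and `start + 3 >= end`, which form a pointer beyond one-past-the-end exactly in the short-input case they guard against (start may equal end here, because the earlier `if (UNLIKELY(start >= end))` only guarantees the one character consumed by `c = *start++`). Comparing remaining length avoids that: `if (UNLIKELY(end - start < 2))` for the `x` arm and `if (UNLIKELY(end - start < 4))` for the `u` arm. The checks also do not verify that the consumed characters are hex digits, yet the new TestWebKitAPI cases expect `"\xF "` and `"\u123 "` to be rejected, so either `toASCIIHexValue` or code outside the hunk must reject non-hex input; worth confirming rather than relying on the length check alone. parseStringToken's body starts and ends outside the hunk.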
Modified: trunk/Tools/TestWebKitAPI/Tests/WTF/JSONValue.cpp (245027 => 245028)
--- trunk/Tools/TestWebKitAPI/Tests/WTF/JSONValue.cpp 2019-05-07 20:29:17 UTC (rev 245027)
+++ trunk/Tools/TestWebKitAPI/Tests/WTF/JSONValue.cpp 2019-05-07 20:30:37 UTC (rev 245028)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -655,10 +655,25 @@
EXPECT_TRUE(JSON::Value::parseJSON(" 1 ", value));
EXPECT_TRUE(JSON::Value::parseJSON(" {} ", value));
EXPECT_TRUE(JSON::Value::parseJSON(" [] ", value));
+ EXPECT_TRUE(JSON::Value::parseJSON("\"\\xFF\"", value));
+ EXPECT_TRUE(JSON::Value::parseJSON("\"\\u1234\"", value));
EXPECT_FALSE(JSON::Value::parseJSON("1 1", value));
EXPECT_FALSE(JSON::Value::parseJSON("{} {}", value));
EXPECT_FALSE(JSON::Value::parseJSON("[] []", value));
+ EXPECT_FALSE(JSON::Value::parseJSON("\"\\", value));
+ EXPECT_FALSE(JSON::Value::parseJSON("\"\\xF", value));
+ EXPECT_FALSE(JSON::Value::parseJSON("\"\\xF\"", value));
+ EXPECT_FALSE(JSON::Value::parseJSON("\"\\xF \"", value));
+ EXPECT_FALSE(JSON::Value::parseJSON("\"\\u1", value));
+ EXPECT_FALSE(JSON::Value::parseJSON("\"\\u1\"", value));
+ EXPECT_FALSE(JSON::Value::parseJSON("\"\\u1 \"", value));
+ EXPECT_FALSE(JSON::Value::parseJSON("\"\\u12", value));
+ EXPECT_FALSE(JSON::Value::parseJSON("\"\\u12\"", value));
+ EXPECT_FALSE(JSON::Value::parseJSON("\"\\u12 \"", value));
+ EXPECT_FALSE(JSON::Value::parseJSON("\"\\u123", value));
+ EXPECT_FALSE(JSON::Value::parseJSON("\"\\u123\"", value));
+ EXPECT_FALSE(JSON::Value::parseJSON("\"\\u123 \"", value));
}
}
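Review bot: The new `EXPECT_TRUE(JSON::Value::parseJSON("\"\\xFF\"", value));` pins a `\x` escape as accepted, which is not part of the JSON grammar (RFC 8259 defines only `\"`, `\\`, `\/`, `\b`, `\f`, `\n`, `\r`, `\t` and `\u`); if the parser accepts it deliberately, a one-line comment above the two EXPECT_TRUE lines, e.g. `// \x is a WTF extension to JSON; keep it accepted`, would stop a later reader from treating the test as a mistake. The negative cases cover truncated `\x` and `\u` sequences well; a case for the exact-length boundary without a closing quote, such as `"\"\\u1234"`, would also pin the `start + 3 >= end` branch at its edge. The enclosing test body starts outside the hunk.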