Title: [279370] trunk
- Revision: 279370
- Author: [email protected]
- Date: 2021-06-29 02:38:57 -0700 (Tue, 29 Jun 2021)
Log Message
Crash in SharedBuffer::data
https://bugs.webkit.org/show_bug.cgi?id=227173
Patch by Rob Buis <[email protected]> on 2021-06-29
Reviewed by Ryosuke Niwa.
Source/WebCore:
Null check data in openFunc.
Test: fast/xsl/xslt-transformToDocument-crash.html
* xml/parser/XMLDocumentParserLibxml2.cpp:
(WebCore::openFunc):
LayoutTests:
* fast/xsl/xslt-transformToDocument-crash-expected.txt: Added.
* fast/xsl/xslt-transformToDocument-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (279369 => 279370)
--- trunk/LayoutTests/ChangeLog 2021-06-29 09:12:31 UTC (rev 279369)
+++ trunk/LayoutTests/ChangeLog 2021-06-29 09:38:57 UTC (rev 279370)
@@ -1,3 +1,13 @@
+2021-06-29 Rob Buis <[email protected]>
+
+ Crash in SharedBuffer::data
+ https://bugs.webkit.org/show_bug.cgi?id=227173
+
+ Reviewed by Ryosuke Niwa.
+
+ * fast/xsl/xslt-transformToDocument-crash-expected.txt: Added.
+ * fast/xsl/xslt-transformToDocument-crash.html: Added.
+
2021-06-29 Martin Robinson <[email protected]>
CSS scroll snap should allow scrolling to the middle of snap areas that overflow the snapport
Added: trunk/LayoutTests/fast/xsl/xslt-transformToDocument-crash-expected.txt (0 => 279370)
--- trunk/LayoutTests/fast/xsl/xslt-transformToDocument-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/xsl/xslt-transformToDocument-crash-expected.txt 2021-06-29 09:38:57 UTC (rev 279370)
@@ -0,0 +1 @@
+Test passes if it does not crash
Added: trunk/LayoutTests/fast/xsl/xslt-transformToDocument-crash.html (0 => 279370)
--- trunk/LayoutTests/fast/xsl/xslt-transformToDocument-crash.html (rev 0)
+++ trunk/LayoutTests/fast/xsl/xslt-transformToDocument-crash.html 2021-06-29 09:38:57 UTC (rev 279370)
@@ -0,0 +1,20 @@
+<script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+ const processor = new XSLTProcessor();
+ const style =
+ '<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0" xmlns="http://www.w3.org/1999/xhtml">' +
+ '</xsl:stylesheet>';
+ const styleDoc = new DOMParser().parseFromString (style, "text/xml");
+ const data =
+ '<!DOCTYPE wml PUBLIC "-//WAPFORUM//DTD WML 1.1//EN" "http://www.wapforum.org/DTD/wml_1.1.xml">' +
+ '<wml><card><p>paragraph</p></card></wml>';
+ const originalDoc = new DOMParser().parseFromString(data, "text/xml");
+ processor.importStylesheet(styleDoc);
+ processor.transformToDocument(originalDoc);
+ if (window.testRunner)
+ testRunner.notifyDone();
+</script>
+<p>Test passes if it does not crash</p>
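Review bot: The script never states which part of the input is expected to reach the crashing path; the only unusual feature visible is the DOCTYPE in `data`, which points at an external DTD URL (`http://www.wapforum.org/DTD/wml_1.1.xml`). If that reference is what drives `openFunc` into the no-data case, say so in a short comment above `const data`, so a later cleanup does not strip the DOCTYPE and quietly turn the test into a no-op. Every call between `testRunner.waitUntilDone()` and `testRunner.notifyDone()` is synchronous in this script, so the pair looks unnecessary and `dumpAsText()` alone should be enough. Minor: `parseFromString (style, "text/xml")` has a stray space before the parenthesis.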
Modified: trunk/Source/WebCore/ChangeLog (279369 => 279370)
--- trunk/Source/WebCore/ChangeLog 2021-06-29 09:12:31 UTC (rev 279369)
+++ trunk/Source/WebCore/ChangeLog 2021-06-29 09:38:57 UTC (rev 279370)
@@ -1,3 +1,17 @@
+2021-06-29 Rob Buis <[email protected]>
+
+ Crash in SharedBuffer::data
+ https://bugs.webkit.org/show_bug.cgi?id=227173
+
+ Reviewed by Ryosuke Niwa.
+
+ Null check data in openFunc.
+
+ Test: fast/xsl/xslt-transformToDocument-crash.html
+
+ * xml/parser/XMLDocumentParserLibxml2.cpp:
+ (WebCore::openFunc):
+
2021-06-29 Kimmo Kinnunen <[email protected]>
OES_texture_float should implicitly enable EXT_float_blend
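Review bot: The description line `Null check data in openFunc.` records what was added but not why `data` can be null at that point. One more sentence naming the condition (for the added test, which load leaves it unset) would make the entry useful to someone reading the log without the bug open.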
Modified: trunk/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp (279369 => 279370)
--- trunk/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp 2021-06-29 09:12:31 UTC (rev 279369)
+++ trunk/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp 2021-06-29 09:38:57 UTC (rev 279370)
@@ -489,6 +489,9 @@
}
}
+ if (!data)
+ return &globalDescriptor;
+
return new OffsetBuffer({ data->data(), data->size() });
}
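Review bot: With the new `if (!data)` branch the function returns `&globalDescriptor` on one path and a heap-allocated `new OffsetBuffer(...)` on the other, so whatever consumes the returned pointer has to recognise the sentinel and must neither treat it as an `OffsetBuffer` nor delete it. Please confirm the matching read and close paths make that comparison, and add a one-line comment above the check saying when `data` can be null here. It is also worth deciding whether a missing buffer should surface as a failed open instead of returning a valid descriptor, since the caller cannot tell the two apart after this change.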