- Revision
- 288589
- Author
- [email protected]
- Date
- 2022-01-25 16:31:38 -0800 (Tue, 25 Jan 2022)
Log Message
XPath::Step::nodesInAxis(): add null checks after Attr::ownerElement() calls
https://bugs.webkit.org/show_bug.cgi?id=235500
Reviewed by Darin Adler.
LayoutTests/imported/w3c:
Import WPT tests from https://github.com/web-platform-tests/wpt/pull/32544.
* web-platform-tests/domxpath/xpath-evaluate-crash-expected.txt: Added.
* web-platform-tests/domxpath/xpath-evaluate-crash.html: Added.
Source/WebCore:
This patch adds null checks for results of Attr::ownerElement() to avoid crashes
when evaluating XPath expressions with an orphaned Attr as the context node.
Inspired by the recent Blink fix [1], yet this change covers all null pointer
dereferencing sites, as proven by the updated test.
[1] https://bugs.chromium.org/p/chromium/issues/detail?id=1236967
Test: imported/w3c/web-platform-tests/domxpath/xpath-evaluate-crash.html
* xml/XPathStep.cpp:
(WebCore::XPath::Step::nodesInAxis const):
Modified: trunk/LayoutTests/imported/w3c/ChangeLog (288588 => 288589)
--- trunk/LayoutTests/imported/w3c/ChangeLog 2022-01-26 00:14:48 UTC (rev 288588)
+++ trunk/LayoutTests/imported/w3c/ChangeLog 2022-01-26 00:31:38 UTC (rev 288589)
@@ -1,3 +1,15 @@
+2022-01-25 Alexey Shvayka <[email protected]>
+
+ XPath::Step::nodesInAxis(): add null checks after Attr::ownerElement() calls
+ https://bugs.webkit.org/show_bug.cgi?id=235500
+
+ Reviewed by Darin Adler.
+
+ Import WPT tests from https://github.com/web-platform-tests/wpt/pull/32544.
+
+ * web-platform-tests/domxpath/xpath-evaluate-crash-expected.txt: Added.
+ * web-platform-tests/domxpath/xpath-evaluate-crash.html: Added.
+
2022-01-25 Antti Koivisto <[email protected]>
[CSS Container Queries] Parsing support for container shorthand property
Added: trunk/LayoutTests/imported/w3c/web-platform-tests/domxpath/xpath-evaluate-crash-expected.txt (0 => 288589)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/domxpath/xpath-evaluate-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/domxpath/xpath-evaluate-crash-expected.txt 2022-01-26 00:31:38 UTC (rev 288589)
@@ -0,0 +1,3 @@
+
+PASS Evaluating XPath expressions with orhpaned Attr as context node doesn't crash
+
Added: trunk/LayoutTests/imported/w3c/web-platform-tests/domxpath/xpath-evaluate-crash.html (0 => 288589)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/domxpath/xpath-evaluate-crash.html (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/domxpath/xpath-evaluate-crash.html 2022-01-26 00:31:38 UTC (rev 288589)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>Evaluating XPath expressions with orhpaned Attr as context node doesn't crash</title>
+<link rel=author href=""
+<link rel=help href=""
+<script src=""
+<script src=""
+<body>
+<script>
+test(() => {
+for (const _expression_ of [
+ "..",
+ "parent",
+ "ancestor::*",
+ "ancestor-or-self::*",
+ "following::*",
+ "preceding::*",
+]) {
+ const orphanedAttr = document.createAttribute("foo");
+ new XPathEvaluator().evaluate(_expression_, orphanedAttr, null, 2);
+}
+});
+</script>
Modified: trunk/Source/WebCore/ChangeLog (288588 => 288589)
--- trunk/Source/WebCore/ChangeLog 2022-01-26 00:14:48 UTC (rev 288588)
+++ trunk/Source/WebCore/ChangeLog 2022-01-26 00:31:38 UTC (rev 288589)
@@ -1,3 +1,23 @@
+2022-01-25 Alexey Shvayka <[email protected]>
+
+ XPath::Step::nodesInAxis(): add null checks after Attr::ownerElement() calls
+ https://bugs.webkit.org/show_bug.cgi?id=235500
+
+ Reviewed by Darin Adler.
+
+ This patch adds null checks for results of Attr::ownerElement() to avoid crashes
+ when evaluating XPath expressions with an orphaned Attr as the context node.
+
+ Inspired by the recent Blink fix [1], yet this change covers all null pointer
+ dereferencing sites, as proven by the updated test.
+
+ [1] https://bugs.chromium.org/p/chromium/issues/detail?id=1236967
+
+ Test: imported/w3c/web-platform-tests/domxpath/xpath-evaluate-crash.html
+
+ * xml/XPathStep.cpp:
+ (WebCore::XPath::Step::nodesInAxis const):
+
2022-01-25 Simon Fraser <[email protected]>
Fix some spelling errors in Color functions
Modified: trunk/Source/WebCore/xml/XPathStep.cpp (288588 => 288589)
--- trunk/Source/WebCore/xml/XPathStep.cpp 2022-01-26 00:14:48 UTC (rev 288588)
+++ trunk/Source/WebCore/xml/XPathStep.cpp 2022-01-26 00:31:38 UTC (rev 288589)
@@ -258,7 +258,7 @@
case ParentAxis:
if (context.isAttributeNode()) {
Element* node = static_cast<Attr&>(context).ownerElement();
- if (nodeMatches(*node, ParentAxis, m_nodeTest))
+ if (node && nodeMatches(*node, ParentAxis, m_nodeTest))
nodes.append(node);
} else {
ContainerNode* node = context.parentNode();
@@ -270,6 +270,8 @@
Node* node = &context;
if (context.isAttributeNode()) {
node = static_cast<Attr&>(context).ownerElement();
+ if (!node)
+ return;
if (nodeMatches(*node, AncestorAxis, m_nodeTest))
nodes.append(node);
}
@@ -300,6 +302,8 @@
case FollowingAxis:
if (context.isAttributeNode()) {
Node* node = static_cast<Attr&>(context).ownerElement();
+ if (!node)
+ return;
while ((node = NodeTraversal::next(*node))) {
if (nodeMatches(*node, FollowingAxis, m_nodeTest))
nodes.append(node);
@@ -319,9 +323,11 @@
return;
case PrecedingAxis: {
Node* node;
- if (context.isAttributeNode())
+ if (context.isAttributeNode()) {
node = static_cast<Attr&>(context).ownerElement();
- else
+ if (!node)
+ return;
+ } else
node = &context;
while (ContainerNode* parent = node->parentNode()) {
for (node = NodeTraversal::previous(*node); node != parent; node = NodeTraversal::previous(*node)) {
@@ -382,6 +388,8 @@
Node* node = &context;
if (context.isAttributeNode()) {
node = static_cast<Attr&>(context).ownerElement();
+ if (!node)
+ return;
if (nodeMatches(*node, AncestorOrSelfAxis, m_nodeTest))
nodes.append(node);
}
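Review bot: None of the five new null checks (ParentAxis, AncestorAxis, FollowingAxis, PrecedingAxis, AncestorOrSelfAxis) says why `ownerElement()` can return null, so the next reader has to dig up bug 235500 to learn that an orphaned Attr is the trigger; a one-line comment at the first site would cover all of them, e.g. `// An Attr not attached to any element (e.g. one from document.createAttribute()) has no ownerElement(), so this axis is empty for it.` The ParentAxis site folds the guard into the match condition (`node && nodeMatches(...)`) while the other four sites use an explicit `if (!node) return;`; both are correct, but the inline form reads as part of the node-test filter rather than as the orphaned-Attr guard, so when auditing for further `ownerElement()` dereferences the explicit form is easier to spot and worth keeping uniform. The early returns leave `nodesInAxis` rather than just the `switch`, which matches the existing per-case `return;` pattern visible at the top of the PrecedingAxis hunk, though `nodesInAxis` itself begins and ends outside these hunks.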