Title: [289185] releases/WebKitGTK/webkit-2.34
Revision
289185
Author
[email protected]
Date
2022-02-06 15:45:17 -0800 (Sun, 06 Feb 2022)

Log Message

Merge r288589 - XPath::Step::nodesInAxis(): add null checks after Attr::ownerElement() calls
https://bugs.webkit.org/show_bug.cgi?id=235500

Reviewed by Darin Adler.

LayoutTests/imported/w3c:

Import WPT tests from https://github.com/web-platform-tests/wpt/pull/32544.

* web-platform-tests/domxpath/xpath-evaluate-crash-expected.txt: Added.
* web-platform-tests/domxpath/xpath-evaluate-crash.html: Added.

Source/WebCore:

This patch adds null checks for results of Attr::ownerElement() to avoid crashes
when evaluating XPath expressions with an orphaned Attr as the context node.

Inspired by the recent Blink fix [1], yet this change covers all null pointer
dereferencing sites, as proven by the updated test.

[1] https://bugs.chromium.org/p/chromium/issues/detail?id=1236967

Test: imported/w3c/web-platform-tests/domxpath/xpath-evaluate-crash.html

* xml/XPathStep.cpp:
(WebCore::XPath::Step::nodesInAxis const):

Diff

Modified: releases/WebKitGTK/webkit-2.34/LayoutTests/imported/w3c/ChangeLog (289184 => 289185)


--- releases/WebKitGTK/webkit-2.34/LayoutTests/imported/w3c/ChangeLog	2022-02-06 23:42:59 UTC (rev 289184)
+++ releases/WebKitGTK/webkit-2.34/LayoutTests/imported/w3c/ChangeLog	2022-02-06 23:45:17 UTC (rev 289185)
@@ -1,3 +1,15 @@
+2022-01-25  Alexey Shvayka  <[email protected]>
+
+        XPath::Step::nodesInAxis(): add null checks after Attr::ownerElement() calls
+        https://bugs.webkit.org/show_bug.cgi?id=235500
+
+        Reviewed by Darin Adler.
+
+        Import WPT tests from https://github.com/web-platform-tests/wpt/pull/32544.
+
+        * web-platform-tests/domxpath/xpath-evaluate-crash-expected.txt: Added.
+        * web-platform-tests/domxpath/xpath-evaluate-crash.html: Added.
+
 2022-01-21  Antti Koivisto  <[email protected]>
 
         WPT version of css/css-cascade/parsing/layer-import-parsing.html crashes with nullptr

Added: releases/WebKitGTK/webkit-2.34/LayoutTests/imported/w3c/web-platform-tests/domxpath/xpath-evaluate-crash-expected.txt (0 => 289185)


--- releases/WebKitGTK/webkit-2.34/LayoutTests/imported/w3c/web-platform-tests/domxpath/xpath-evaluate-crash-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.34/LayoutTests/imported/w3c/web-platform-tests/domxpath/xpath-evaluate-crash-expected.txt	2022-02-06 23:45:17 UTC (rev 289185)
@@ -0,0 +1,3 @@
+
+PASS Evaluating XPath expressions with orhpaned Attr as context node doesn't crash
+
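Review bot: the test name carried in this expectation file has a typo, "orhpaned" for "orphaned", and the same string is the `<title>` of xpath-evaluate-crash.html. Since the ChangeLog says both files are imported from the WPT pull request, the correction should be made upstream and re-imported rather than edited here, otherwise the expectation and the test title will drift apart.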

Added: releases/WebKitGTK/webkit-2.34/LayoutTests/imported/w3c/web-platform-tests/domxpath/xpath-evaluate-crash.html (0 => 289185)


--- releases/WebKitGTK/webkit-2.34/LayoutTests/imported/w3c/web-platform-tests/domxpath/xpath-evaluate-crash.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.34/LayoutTests/imported/w3c/web-platform-tests/domxpath/xpath-evaluate-crash.html	2022-02-06 23:45:17 UTC (rev 289185)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>Evaluating XPath expressions with orhpaned Attr as context node doesn't crash</title>
+<link rel=author href=""
+<link rel=help href=""
+<script src=""
+<script src=""
+<body>
+<script>
+test(() => {
+for (const _expression_ of [
+    "..",
+    "parent",
+    "ancestor::*",
+    "ancestor-or-self::*",
+    "following::*",
+    "preceding::*",
+]) {
+    const orphanedAttr = document.createAttribute("foo");
+    new XPathEvaluator().evaluate(_expression_, orphanedAttr, null, 2);
+}
+});
+</script>
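Review bot: `"parent"` in the expression list is a name test on the child axis (it selects child elements named `parent`), not the parent axis, so it does not exercise the ParentAxis change in XPathStep.cpp; `".."` already covers that axis, and `parent::*` would be the explicit spelling if a second form is wanted. Separately, as rendered in this hunk the `<link>` and `<script>` tags are unterminated and both `src` attributes are empty, which would leave `test()` undefined; confirm the imported file carries its harness script references intact.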

Modified: releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog (289184 => 289185)


--- releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog	2022-02-06 23:42:59 UTC (rev 289184)
+++ releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog	2022-02-06 23:45:17 UTC (rev 289185)
@@ -1,3 +1,23 @@
+2022-01-25  Alexey Shvayka  <[email protected]>
+
+        XPath::Step::nodesInAxis(): add null checks after Attr::ownerElement() calls
+        https://bugs.webkit.org/show_bug.cgi?id=235500
+
+        Reviewed by Darin Adler.
+
+        This patch adds null checks for results of Attr::ownerElement() to avoid crashes
+        when evaluating XPath expressions with an orphaned Attr as the context node.
+
+        Inspired by the recent Blink fix [1], yet this change covers all null pointer
+        dereferencing sites, as proven by the updated test.
+
+        [1] https://bugs.chromium.org/p/chromium/issues/detail?id=1236967
+
+        Test: imported/w3c/web-platform-tests/domxpath/xpath-evaluate-crash.html
+
+        * xml/XPathStep.cpp:
+        (WebCore::XPath::Step::nodesInAxis const):
+
 2022-01-23  Antoine Quint  <[email protected]>
 
         m_lastStyleChangeEventStyle null ptr deref for accelerated CSS Animation with no duration and an implicit keyframe

Modified: releases/WebKitGTK/webkit-2.34/Source/WebCore/xml/XPathStep.cpp (289184 => 289185)


--- releases/WebKitGTK/webkit-2.34/Source/WebCore/xml/XPathStep.cpp	2022-02-06 23:42:59 UTC (rev 289184)
+++ releases/WebKitGTK/webkit-2.34/Source/WebCore/xml/XPathStep.cpp	2022-02-06 23:45:17 UTC (rev 289185)
@@ -257,7 +257,7 @@
         case ParentAxis:
             if (context.isAttributeNode()) {
                 Element* node = static_cast<Attr&>(context).ownerElement();
-                if (nodeMatches(*node, ParentAxis, m_nodeTest))
+                if (node && nodeMatches(*node, ParentAxis, m_nodeTest))
                     nodes.append(node);
             } else {
                 ContainerNode* node = context.parentNode();
@@ -269,6 +269,8 @@
             Node* node = &context;
             if (context.isAttributeNode()) {
                 node = static_cast<Attr&>(context).ownerElement();
+                if (!node)
+                    return;
                 if (nodeMatches(*node, AncestorAxis, m_nodeTest))
                     nodes.append(node);
             }
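Review bot: returning from nodesInAxis() with `nodes` still empty is the right semantics here, since a detached Attr has no owner and therefore no ancestor chain; this differs from the ParentAxis hunk above, which folds the check into the condition, but both leave the result empty. The same reasoning covers the FollowingAxis and PrecedingAxis hunks below, where the early `return` also keeps `node` from reaching `NodeTraversal::next(*node)` / `node->parentNode()` as null.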
@@ -299,6 +301,8 @@
         case FollowingAxis:
             if (context.isAttributeNode()) {
                 Node* node = static_cast<Attr&>(context).ownerElement();
+                if (!node)
+                    return;
                 while ((node = NodeTraversal::next(*node))) {
                     if (nodeMatches(*node, FollowingAxis, m_nodeTest))
                         nodes.append(node);
@@ -318,9 +322,11 @@
             return;
         case PrecedingAxis: {
             Node* node;
-            if (context.isAttributeNode())
+            if (context.isAttributeNode()) {
                 node = static_cast<Attr&>(context).ownerElement();
-            else
+                if (!node)
+                    return;
+            } else
                 node = &context;
             while (ContainerNode* parent = node->parentNode()) {
                 for (node = NodeTraversal::previous(*node); node != parent; node = NodeTraversal::previous(*node)) {
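Review bot: the early `return` is what now protects the unconditional `node->parentNode()` dereference at the top of the `while` loop, so it must stay ahead of it if this block is later reshuffled. Style nit: with the `if` arm gaining braces, consider bracing the `else` arm too (`} else {` / `node = &context;` / `}`) so both arms of the statement read alike.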
@@ -381,6 +387,8 @@
             Node* node = &context;
             if (context.isAttributeNode()) {
                 node = static_cast<Attr&>(context).ownerElement();
+                if (!node)
+                    return;
                 if (nodeMatches(*node, AncestorOrSelfAxis, m_nodeTest))
                     nodes.append(node);
             }
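Review bot: this is the fourth copy of the same three-line pattern (`node = static_cast<Attr&>(context).ownerElement(); if (!node) return;`), appearing in the AncestorAxis, FollowingAxis, PrecedingAxis and AncestorOrSelfAxis cases. A small helper that returns the owner element or null for the attribute-node case would keep future axis additions from re-introducing the unchecked dereference this patch removes.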
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
