Title: [138537] trunk
- Revision
- 138537
- Author
- [email protected]
- Date
- 2012-12-28 08:30:31 -0800 (Fri, 28 Dec 2012)
Log Message
Heap-use-after-free in WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement
https://bugs.webkit.org/show_bug.cgi?id=105780
Reviewed by Eric Seidel.
Source/WebCore:
This regression was created by the HTMLTemplateElement implementation. The issue was a missed instance of the
"fragment or template contents" case related to the parsing of colgroups.
* html/parser/HTMLTreeBuilder.cpp:
(WebCore::HTMLTreeBuilder::processColgroupEndTagForInColumnGroup):
(WebCore::HTMLTreeBuilder::processStartTag):
(WebCore::HTMLTreeBuilder::processCharacterBuffer):
(WebCore::HTMLTreeBuilder::processEndOfFile):
LayoutTests:
* html5lib/resources/template.dat:
Modified Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (138536 => 138537)
--- trunk/LayoutTests/ChangeLog 2012-12-28 16:11:09 UTC (rev 138536)
+++ trunk/LayoutTests/ChangeLog 2012-12-28 16:30:31 UTC (rev 138537)
@@ -1,3 +1,12 @@
+2012-12-28 Rafael Weinstein <[email protected]>
+
+ Heap-use-after-free in WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement
+ https://bugs.webkit.org/show_bug.cgi?id=105780
+
+ Reviewed by Eric Seidel.
+
+ * html5lib/resources/template.dat:
+
2012-12-27 Vsevolod Vlasov <[email protected]>
Web Inspector: Introduce uri as a UISourceCode unique identifier in workspace.
Modified: trunk/LayoutTests/html5lib/resources/template.dat (138536 => 138537)
--- trunk/LayoutTests/html5lib/resources/template.dat 2012-12-28 16:11:09 UTC (rev 138536)
+++ trunk/LayoutTests/html5lib/resources/template.dat 2012-12-28 16:30:31 UTC (rev 138537)
@@ -875,3 +875,47 @@
| <template>
| #document-fragment
| "text"
+
+#data
+<body><template><col><colgroup>
+#errors
+#document
+| <html>
+| <head>
+| <body>
+| <template>
+| #document-fragment
+| <col>
+
+#data
+<body><template><col><colgroup></template></body>
+#errors
+#document
+| <html>
+| <head>
+| <body>
+| <template>
+| #document-fragment
+| <col>
+
+#data
+<body><template><col><div>
+#errors
+#document
+| <html>
+| <head>
+| <body>
+| <template>
+| #document-fragment
+| <col>
+
+#data
+<body><template><col>Hello
+#errors
+#document
+| <html>
+| <head>
+| <body>
+| <template>
+| #document-fragment
+| <col>
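Review bot: none of the four new cases exercises an end tag other than `</template>` while `<col>` is the current node inside the template (for example `<body><template><col></span>`), and none contains a second `<html>` or `<body>` start tag, which is the token that reaches the HTMLConstructionSite::mergeAttributesFromTokenIntoElement named in the bug title; if the reproducer attached to bug 105780 differs from these four inputs, add it here as well so the crash itself stays covered, not only the colgroup state transitions. The empty `#errors` sections are consistent with the still-unresolved `// FIXME: parse error` in processColgroupEndTagForInColumnGroup, so they are fine for now.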
Modified: trunk/Source/WebCore/ChangeLog (138536 => 138537)
--- trunk/Source/WebCore/ChangeLog 2012-12-28 16:11:09 UTC (rev 138536)
+++ trunk/Source/WebCore/ChangeLog 2012-12-28 16:30:31 UTC (rev 138537)
@@ -1,3 +1,19 @@
+2012-12-28 Rafael Weinstein <[email protected]>
+
+ Heap-use-after-free in WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement
+ https://bugs.webkit.org/show_bug.cgi?id=105780
+
+ Reviewed by Eric Seidel.
+
+ This was regression was created by the HTMLTemplateElement implementation. The issue was a missed instance of
+ "fragment or template contents" case related to the parsing of colgroups.
+
+ * html/parser/HTMLTreeBuilder.cpp:
+ (WebCore::HTMLTreeBuilder::processColgroupEndTagForInColumnGroup):
+ (WebCore::HTMLTreeBuilder::processStartTag):
+ (WebCore::HTMLTreeBuilder::processCharacterBuffer):
+ (WebCore::HTMLTreeBuilder::processEndOfFile):
+
2012-12-27 Vsevolod Vlasov <[email protected]>
Web Inspector: Introduce uri as a UISourceCode unique identifier in workspace.
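Review bot: the description line "This was regression was created by the HTMLTemplateElement implementation" has a stray "was"; it should read "This regression was created by the HTMLTemplateElement implementation". The entry would also help future readers if it named the defect concretely: processColgroupEndTagForInColumnGroup only tested currentIsRootNode(), so when the current node was the template element it fell through to the non-root path instead of refusing the implied colgroup end tag.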
Modified: trunk/Source/WebCore/html/parser/HTMLTreeBuilder.cpp (138536 => 138537)
--- trunk/Source/WebCore/html/parser/HTMLTreeBuilder.cpp 2012-12-28 16:11:09 UTC (rev 138536)
+++ trunk/Source/WebCore/html/parser/HTMLTreeBuilder.cpp 2012-12-28 16:30:31 UTC (rev 138537)
@@ -992,8 +992,8 @@
bool HTMLTreeBuilder::processColgroupEndTagForInColumnGroup()
{
- if (m_tree.currentIsRootNode()) {
- ASSERT(isParsingFragment());
+ if (m_tree.currentIsRootNode() || m_tree.currentNode()->hasTagName(templateTag)) {
+ ASSERT(isParsingFragmentOrTemplateContents());
// FIXME: parse error
return false;
}
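Review bot: the ASSERT(isParsingFragmentOrTemplateContents()) is compiled out of release builds, so the added `|| m_tree.currentNode()->hasTagName(templateTag)` test is the only protection that ships; that is the right place for it, but the `// FIXME: parse error` stays unresolved, so the template-contents case is still silently swallowed rather than reported. Since the commit message describes this as one missed instance of the "fragment or template contents" case, consider exposing the "current node is the template element" test as a helper on HTMLConstructionSite beside currentIsRootNode(), so the other call sites that need the same guard spell it the same way rather than repeating the hasTagName(templateTag) check.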
@@ -1208,7 +1208,7 @@
}
#endif
if (!processColgroupEndTagForInColumnGroup()) {
- ASSERT(isParsingFragment());
+ ASSERT(isParsingFragmentOrTemplateContents());
return;
}
processStartTag(token);
@@ -2437,7 +2437,7 @@
if (buffer.isEmpty())
return;
if (!processColgroupEndTagForInColumnGroup()) {
- ASSERT(isParsingFragment());
+ ASSERT(isParsingFragmentOrTemplateContents());
// The spec tells us to drop these characters on the floor.
buffer.skipLeadingNonWhitespace();
if (buffer.isEmpty())
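Review bot: the only new template.dat case that reaches this path is `<body><template><col>Hello`, whose buffer is empty after `buffer.skipLeadingNonWhitespace()`; the branch where whitespace remains after the leading non-whitespace is dropped (for example `<body><template><col>Hello world`) is therefore untested for the template-contents case, and one more `#data` entry would cover it.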
@@ -2574,7 +2574,7 @@
return; // FIXME: Should we break here instead of returning?
}
if (!processColgroupEndTagForInColumnGroup()) {
- ASSERT(isParsingFragment());
+ ASSERT(isParsingFragmentOrTemplateContents());
return; // FIXME: Should we break here instead of returning?
}
processEndOfFile(token);
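Review bot: the pre-existing `// FIXME: Should we break here instead of returning?` now also governs the template-contents case, because processColgroupEndTagForInColumnGroup returns false without popping when the current node is the template element, so returning here leaves that element open at end of file. The first new template.dat case (`<body><template><col><colgroup>` with no closing tags) shows the serialized tree still comes out right, but the FIXME should either be resolved or updated to say that templates are now covered by the same question.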
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes