HTMLSourceTracker crashes when network packets break poorly
https://bugs.webkit.org/show_bug.cgi?id=66728

Reviewed by Darin Adler.

Source/WebCore:

If there is a network packet boundary in the middle of an attribute
that begins with the letters "on", then the HTMLSourceTracker will get
confused and try to extract too many characters from future input.  If
the future input is small enough, that will walk off the end of the
input and crash.

Test: http/tests/security/xssAuditor/crash-while-loading-tag-with-pause.html

* html/parser/HTMLSourceTracker.cpp:
(WebCore::HTMLSourceTracker::sourceForToken):

LayoutTests:

Test that we don't crash when we get a bad network packet boundary.

* http/tests/security/xssAuditor/crash-while-loading-tag-with-pause-expected.txt: Added.
* http/tests/security/xssAuditor/crash-while-loading-tag-with-pause.html: Added.
* http/tests/security/xssAuditor/resources/tag-with-pause.php: Added.


Canonical link: https://commits.webkit.org/82540@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@93561 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Adam Barth committed Aug 22, 2011
1 parent 6dd2b7b commit 19387576cb6640c5d219648bc97c333ff0ebab80
Showing 6 changed files with 60 additions and 0 deletions.
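The commit message describes two failure modes of the same defect: when a token straddles a packet boundary, the tracker copies the token's full length out of the new packet even though part of the token was already stashed from the previous one, so it either over-extracts (large packet) or reads past the end of the input (small packet). The following is an added example, not WebKit's code: a constructed model with the pre-fix and post-fix copy logic side by side, driven by the same tag shape the layout test's PHP resource emits. The names `sourceForTokenBuggy`, `sourceForTokenFixed`, `runSplit` and the `previous`/`length`/`current` parameters are this example's own; `previous` stands in for `m_sourceFromPreviousSegments` and `current` for the remaining bytes of `m_source`.

```cpp
#include <cstddef>
#include <iostream>
#include <optional>
#include <string>

// Constructed model (added here; not WebKit's HTMLSourceTracker) of how a
// token's source text is rebuilt when the token straddles a packet boundary.
//   previous : the part of the token already stashed from earlier packets
//              (plays the role of m_sourceFromPreviousSegments)
//   length   : total length of the token, measured from its start offset
//   current  : bytes of the packet now being read, starting at the first
//              byte not yet consumed (plays the role of m_source)

// Pre-fix logic: appends the stashed text, then copies `length` bytes from
// the current packet as if none of the token had been seen before. The read
// is bounds-checked here so an overrun reports nullopt instead of reading
// past the buffer, which is the crash the commit message describes.
std::optional<std::string> sourceForTokenBuggy(const std::string& previous,
                                               std::size_t length,
                                               const std::string& current)
{
    std::string source = previous;
    for (std::size_t i = 0; i < length; ++i) {
        if (i >= current.size())
            return std::nullopt; // would walk off the end of the input
        source.push_back(current[i]);
    }
    return source;
}

// Post-fix logic: discount what earlier packets already contributed before
// copying from the current one. The two guards are the checks a reviewer
// would ask for; they are not part of the original hunk.
std::optional<std::string> sourceForTokenFixed(const std::string& previous,
                                               std::size_t length,
                                               const std::string& current)
{
    if (length < previous.size())
        return std::nullopt; // stashed text longer than the token: invariant broken
    const std::size_t remaining = length - previous.size();
    if (remaining > current.size())
        return std::nullopt; // not enough input yet; real code would wait for more
    return previous + current.substr(0, remaining);
}

// Same shape as the tag emitted by tag-with-pause.php: "<a ona", 2000 'a',
// then the tail printed after the flush.
std::string testToken()
{
    return "<a ona" + std::string(2000, 'a') + "click=alert(1) ttt>";
}

struct SplitResult {
    std::optional<std::string> buggy;
    std::optional<std::string> fixed;
};

// Split `token` at byte `boundary` (the flush point), append `trailing` to
// the second packet, and run both versions over it.
SplitResult runSplit(const std::string& token, std::size_t boundary, const std::string& trailing)
{
    const std::string previous = token.substr(0, boundary);
    const std::string current = token.substr(boundary) + trailing;
    return { sourceForTokenBuggy(previous, token.size(), current),
             sourceForTokenFixed(previous, token.size(), current) };
}

int main()
{
    const std::string token = testToken();
    auto describe = [](const char* label, const std::optional<std::string>& r) {
        std::cout << label << ": "
                  << (r ? std::to_string(r->size()) + " bytes" : std::string("out-of-bounds read"))
                  << '\n';
    };
    // Boundary after "<a ona" with little data afterwards: pre-fix code overruns.
    SplitResult shortTail = runSplit(token, 6, "");
    describe("buggy, short tail", shortTail.buggy);
    describe("fixed, short tail", shortTail.fixed);
    // Same boundary, lots of trailing input: pre-fix code silently over-extracts.
    SplitResult longTail = runSplit(token, 6, std::string(3000, 'x'));
    describe("buggy, long tail", longTail.buggy);
    describe("fixed, long tail", longTail.fixed);
    return 0;
}
```

With the boundary at byte 6 and nothing after the tag, the pre-fix path hits the bounds check (the real code has none, hence the crash); with 3000 bytes of trailing input it returns a 2031-byte "token" that has swallowed unrelated page content, which is the quieter failure the commit message mentions. The post-fix path returns the exact 2025-byte tag in both cases.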
@@ -1,3 +1,16 @@
2011-08-22 Adam Barth <abarth@webkit.org>

HTMLSourceTracker crashes when network packets break poorly
https://bugs.webkit.org/show_bug.cgi?id=66728

Reviewed by Darin Adler.

Test that we don't crash when we get a bad network packet boundary.

* http/tests/security/xssAuditor/crash-while-loading-tag-with-pause-expected.txt: Added.
* http/tests/security/xssAuditor/crash-while-loading-tag-with-pause.html: Added.
* http/tests/security/xssAuditor/resources/tag-with-pause.php: Added.

2011-08-22 Peter Kasting <pkasting@google.com>

Unreviewed, rolling out r93538.
@@ -0,0 +1,2 @@
This test passes if it doesn't crash.

@@ -0,0 +1,8 @@
<script>
if (window.layoutTestController) {
layoutTestController.dumpAsText();
layoutTestController.setXSSAuditorEnabled(true);
}
</script>
This test passes if it doesn't crash.<br>
<iframe src="resources/tag-with-pause.php?onclick=alert(1)"></iframe>
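Review bot: the `?onclick=alert(1)` query string on the iframe URL is never read by `tag-with-pause.php` (the script prints the `click=alert(1)` tail itself), so a reader may take it for dead weight and remove it. A one-line comment above the iframe saying that the payload has to appear in the request URL so the XSS auditor, enabled two lines earlier via `setXSSAuditorEnabled(true)`, treats the reflected attribute as injected and walks the source-tracker path would document the dependency.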
@@ -0,0 +1,18 @@
<?
header("Content-Type: text/html; charset=utf-8");
?>
<!-- <?php
# Spam a bunch of As to make sure we blow past any buffers.
print str_repeat("A", 2048);
?> -->
<body>
<?php
print "<a ona";
print str_repeat("a", 2000);

flush();
usleep(200000);

print "click=alert(1) ttt>";
?>
Done.
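Review bot: the first block opens with the short tag `<?` while the other two use `<?php`; on a PHP configuration with `short_open_tag` disabled the `header("Content-Type: text/html; charset=utf-8");` line is emitted as literal text instead of being executed, which changes what the auditor sees at the top of the response. Use `<?php` for all three blocks.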
@@ -1,3 +1,21 @@
2011-08-22 Adam Barth <abarth@webkit.org>

HTMLSourceTracker crashes when network packets break poorly
https://bugs.webkit.org/show_bug.cgi?id=66728

Reviewed by Darin Adler.

If there is a network packet boundary in the middle of an attribute
that begins with the letters "on", then the HTMLSourceTracker will get
confused and try to extract too many characters from future input. If
the future input is small enough, that will walk off the end of the
input and crash.

Test: http/tests/security/xssAuditor/crash-while-loading-tag-with-pause.html

* html/parser/HTMLSourceTracker.cpp:
(WebCore::HTMLSourceTracker::sourceForToken):

2011-08-22 Eric Seidel <eric@webkit.org>

Attempt to clean up bidiNext usage
@@ -60,6 +60,7 @@ String HTMLSourceTracker::sourceForToken(const HTMLToken& token)
StringBuilder source;
source.reserveCapacity(length);
source.append(m_sourceFromPreviousSegments);
length -= m_sourceFromPreviousSegments.length();
for (int i = 0; i < length; ++i) {
source.append(*m_source);
m_source.advance();
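Review bot: the added `length -= m_sourceFromPreviousSegments.length();` stops the loop from copying bytes that were already captured, but nothing records the invariant it relies on, namely that the token length covers the stashed text. An `ASSERT(length >= m_sourceFromPreviousSegments.length())` immediately before the subtraction would catch a regression in debug builds; if `length` is an unsigned type, an under-subtraction wraps to a huge value and the copy loop (`for (int i = 0; i < length; ++i)`, which also mixes a signed index with that length) would again run off the end of `m_source`.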
