Heap-use-after-free in WebCore::HTMLConstructionSite::mergeAttributes…

…FromTokenIntoElement https://bugs.webkit.org/show_bug.cgi?id=105780 Reviewed by Eric Seidel. Source/WebCore: This was regression was created by the HTMLTemplateElement implementation. The issue was a missed instance of "fragment or template contents" case related to the parsing of colgroups. * html/parser/HTMLTreeBuilder.cpp: (WebCore::HTMLTreeBuilder::processColgroupEndTagForInColumnGroup): (WebCore::HTMLTreeBuilder::processStartTag): (WebCore::HTMLTreeBuilder::processCharacterBuffer): (WebCore::HTMLTreeBuilder::processEndOfFile): LayoutTests: * html5lib/resources/template.dat: Canonical link: https://commits.webkit.org/124021@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@138537 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Dec 28, 2012 · 8b1d923702b6c55f793c021466161c890cc18847 · 8b1d923
1 parent 14d57b6
commit 8b1d923702b6c55f793c021466161c890cc18847
Showing 4 changed files with 74 additions and 5 deletions.
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,12 @@
+2012-12-28  Rafael Weinstein  <rafaelw@chromium.org>
+
+        Heap-use-after-free in WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement
+        https://bugs.webkit.org/show_bug.cgi?id=105780
+
+        Reviewed by Eric Seidel.
+
+        * html5lib/resources/template.dat:
+
 2012-12-27  Vsevolod Vlasov  <vsevik@chromium.org>
 
         Web Inspector: Introduce uri as a UISourceCode unique identifier in workspace.

diff --git a/LayoutTests/html5lib/resources/template.dat b/LayoutTests/html5lib/resources/template.dat
@@ -875,3 +875,47 @@
 |               <template>
 |                 #document-fragment
 |         "text"
+
+#data
+<body><template><col><colgroup>
+#errors
+#document
+| <html>
+|   <head>
+|   <body>
+|     <template>
+|       #document-fragment
+|         <col>
+
+#data
+<body><template><col><colgroup></template></body>
+#errors
+#document
+| <html>
+|   <head>
+|   <body>
+|     <template>
+|       #document-fragment
+|         <col>
+
+#data
+<body><template><col><div>
+#errors
+#document
+| <html>
+|   <head>
+|   <body>
+|     <template>
+|       #document-fragment
+|         <col>
+
+#data
+<body><template><col>Hello
+#errors
+#document
+| <html>
+|   <head>
+|   <body>
+|     <template>
+|       #document-fragment
+|         <col>
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2012-12-28  Rafael Weinstein  <rafaelw@chromium.org>
+
+        Heap-use-after-free in WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement
+        https://bugs.webkit.org/show_bug.cgi?id=105780
+
+        Reviewed by Eric Seidel.
+
+        This was regression was created by the HTMLTemplateElement implementation. The issue was a missed instance of
+        "fragment or template contents" case related to the parsing of colgroups.
+
+        * html/parser/HTMLTreeBuilder.cpp:
+        (WebCore::HTMLTreeBuilder::processColgroupEndTagForInColumnGroup):
+        (WebCore::HTMLTreeBuilder::processStartTag):
+        (WebCore::HTMLTreeBuilder::processCharacterBuffer):
+        (WebCore::HTMLTreeBuilder::processEndOfFile):
+
 2012-12-27  Vsevolod Vlasov  <vsevik@chromium.org>
 
         Web Inspector: Introduce uri as a UISourceCode unique identifier in workspace.

diff --git a/Source/WebCore/html/parser/HTMLTreeBuilder.cpp b/Source/WebCore/html/parser/HTMLTreeBuilder.cpp
@@ -992,8 +992,8 @@ void HTMLTreeBuilder::processTemplateEndTag(AtomicHTMLToken* token)
 
 bool HTMLTreeBuilder::processColgroupEndTagForInColumnGroup()
 {
-    if (m_tree.currentIsRootNode()) {
-        ASSERT(isParsingFragment());
+    if (m_tree.currentIsRootNode() || m_tree.currentNode()->hasTagName(templateTag)) {
+        ASSERT(isParsingFragmentOrTemplateContents());
         // FIXME: parse error
         return false;
     }
@@ -1208,7 +1208,7 @@ void HTMLTreeBuilder::processStartTag(AtomicHTMLToken* token)
         }
 #endif
         if (!processColgroupEndTagForInColumnGroup()) {
-            ASSERT(isParsingFragment());
+            ASSERT(isParsingFragmentOrTemplateContents());
             return;
         }
         processStartTag(token);
@@ -2437,7 +2437,7 @@ void HTMLTreeBuilder::processCharacterBuffer(ExternalCharacterTokenBuffer& buffe
         if (buffer.isEmpty())
             return;
         if (!processColgroupEndTagForInColumnGroup()) {
-            ASSERT(isParsingFragment());
+            ASSERT(isParsingFragmentOrTemplateContents());
             // The spec tells us to drop these characters on the floor.
             buffer.skipLeadingNonWhitespace();
             if (buffer.isEmpty())
@@ -2574,7 +2574,7 @@ void HTMLTreeBuilder::processEndOfFile(AtomicHTMLToken* token)
             return; // FIXME: Should we break here instead of returning?
         }
         if (!processColgroupEndTagForInColumnGroup()) {
-            ASSERT(isParsingFragment());
+            ASSERT(isParsingFragmentOrTemplateContents());
             return; // FIXME: Should we break here instead of returning?
         }
         processEndOfFile(token);