Heap-use-after-free in WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement

https://bugs.webkit.org/show_bug.cgi?id=105780

Reviewed by Eric Seidel.

Source/WebCore:

This regression was created by the HTMLTemplateElement implementation. The issue was a missed instance of
"fragment or template contents" case related to the parsing of colgroups.

* html/parser/HTMLTreeBuilder.cpp:
(WebCore::HTMLTreeBuilder::processColgroupEndTagForInColumnGroup):
(WebCore::HTMLTreeBuilder::processStartTag):
(WebCore::HTMLTreeBuilder::processCharacterBuffer):
(WebCore::HTMLTreeBuilder::processEndOfFile):

LayoutTests:

* html5lib/resources/template.dat:


Canonical link: https://commits.webkit.org/124021@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@138537 268f45cc-cd09-0410-ab3c-d52691b4dbfc
rafaelw committed Dec 28, 2012
1 parent 14d57b6 commit 8b1d923702b6c55f793c021466161c890cc18847
Showing 4 changed files with 74 additions and 5 deletions.
@@ -1,3 +1,12 @@
2012-12-28 Rafael Weinstein <rafaelw@chromium.org>

Heap-use-after-free in WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement
https://bugs.webkit.org/show_bug.cgi?id=105780

Reviewed by Eric Seidel.

* html5lib/resources/template.dat:

2012-12-27 Vsevolod Vlasov <vsevik@chromium.org>

Web Inspector: Introduce uri as a UISourceCode unique identifier in workspace.
@@ -875,3 +875,47 @@
| <template>
| #document-fragment
| "text"

#data
<body><template><col><colgroup>
#errors
#document
| <html>
| <head>
| <body>
| <template>
| #document-fragment
| <col>

#data
<body><template><col><colgroup></template></body>
#errors
#document
| <html>
| <head>
| <body>
| <template>
| #document-fragment
| <col>

#data
<body><template><col><div>
#errors
#document
| <html>
| <head>
| <body>
| <template>
| #document-fragment
| <col>

#data
<body><template><col>Hello
#errors
#document
| <html>
| <head>
| <body>
| <template>
| #document-fragment
| <col>
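Review bot: the four new cases reach processColgroupEndTagForInColumnGroup() through a start tag (`<colgroup>`, `<div>`), `</template>`, character data and end-of-file, but none exercises an ordinary end tag after `<col>` inside a template (for example `<body><template><col></div>`); if the InColumnGroup branch of processEndTag also calls processColgroupEndTagForInColumnGroup() and asserts isParsingFragment(), that caller is not touched by this patch and would need the same update and a test here. The expectations also leave every `#errors` section empty although the code path returns through a `// FIXME: parse error`; confirm the html5lib runner ignores error counts for these files, otherwise the expectations will need error lines once the FIXME is resolved.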
@@ -1,3 +1,19 @@
2012-12-28 Rafael Weinstein <rafaelw@chromium.org>

Heap-use-after-free in WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement
https://bugs.webkit.org/show_bug.cgi?id=105780

Reviewed by Eric Seidel.

This was regression was created by the HTMLTemplateElement implementation. The issue was a missed instance of
"fragment or template contents" case related to the parsing of colgroups.

* html/parser/HTMLTreeBuilder.cpp:
(WebCore::HTMLTreeBuilder::processColgroupEndTagForInColumnGroup):
(WebCore::HTMLTreeBuilder::processStartTag):
(WebCore::HTMLTreeBuilder::processCharacterBuffer):
(WebCore::HTMLTreeBuilder::processEndOfFile):

2012-12-27 Vsevolod Vlasov <vsevik@chromium.org>

Web Inspector: Introduce uri as a UISourceCode unique identifier in workspace.
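Review bot: typo in the new ChangeLog entry, "This was regression was created by the HTMLTemplateElement implementation" should read "This regression was created by the HTMLTemplateElement implementation". The entry would also be more useful to a later reader if it said which call site let the template element be popped, since the function list below it names four functions without saying which one carried the bug.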
@@ -992,8 +992,8 @@ void HTMLTreeBuilder::processTemplateEndTag(AtomicHTMLToken* token)

bool HTMLTreeBuilder::processColgroupEndTagForInColumnGroup()
{
if (m_tree.currentIsRootNode()) {
ASSERT(isParsingFragment());
if (m_tree.currentIsRootNode() || m_tree.currentNode()->hasTagName(templateTag)) {
ASSERT(isParsingFragmentOrTemplateContents());
// FIXME: parse error
return false;
}
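Review bot: the new guard is ordered correctly, the root check short-circuits before `m_tree.currentNode()` is dereferenced, but `// FIXME: parse error` survives unchanged even though the fragment-or-template case is now the only early return; if the function can be given the token, a parseError() call would close that FIXME rather than carry it into the template path. Before this change only `m_tree.currentIsRootNode()` returned early, so with a `<template>` as the current node the function fell through to the code below the guard (not shown in the hunk), which is the path the added `hasTagName(templateTag)` check now cuts off; a one-line comment saying that the template element must not be popped here would record that for the next reader.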
@@ -1208,7 +1208,7 @@ void HTMLTreeBuilder::processStartTag(AtomicHTMLToken* token)
}
#endif
if (!processColgroupEndTagForInColumnGroup()) {
ASSERT(isParsingFragment());
ASSERT(isParsingFragmentOrTemplateContents());
return;
}
processStartTag(token);
@@ -2437,7 +2437,7 @@ void HTMLTreeBuilder::processCharacterBuffer(ExternalCharacterTokenBuffer& buffe
if (buffer.isEmpty())
return;
if (!processColgroupEndTagForInColumnGroup()) {
ASSERT(isParsingFragment());
ASSERT(isParsingFragmentOrTemplateContents());
// The spec tells us to drop these characters on the floor.
buffer.skipLeadingNonWhitespace();
if (buffer.isEmpty())
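Review bot: the updated assertion is consistent with the callee, but note that ASSERT compiles out in release builds, so the `buffer.skipLeadingNonWhitespace()` that follows is the only thing preventing the non-whitespace characters from being inserted while a `<template>` is the current node; the comment "The spec tells us to drop these characters on the floor" should say that this applies to the fragment and template-contents case only, since in the normal case the colgroup has already been popped and the characters are reprocessed.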
@@ -2574,7 +2574,7 @@ void HTMLTreeBuilder::processEndOfFile(AtomicHTMLToken* token)
return; // FIXME: Should we break here instead of returning?
}
if (!processColgroupEndTagForInColumnGroup()) {
ASSERT(isParsingFragment());
ASSERT(isParsingFragmentOrTemplateContents());
return; // FIXME: Should we break here instead of returning?
}
processEndOfFile(token);
