REGRESSION (277924@main): nullptr deref crash calling XSLTProcessor.transformToFragment() before parsing XML
<https://bugs.webkit.org/show_bug.cgi?id=273735>
<rdar://127496002>

Reviewed by Alex Christensen.

If docLoaderFunc() in XSLTProcessorLibxslt.cpp was called before an XML document was parsed, the WebCore::defaultEntityLoader global would not be initialized, which could result in a nullptr dereference crash. The fix is to call initializeXMLParser() in XMLDocumentParserScope() constructors since there are cases where XMLDocumentParserScope is used but XMLParserContext (the only place where initializeXMLParser() was called previously) is not.

Test: fast/xsl/xslt-transform-to-fragment-no-xml-parsing-crash.html

* LayoutTests/fast/xsl/xslt-transform-to-fragment-no-xml-parsing-crash-expected.txt: Add.
* LayoutTests/fast/xsl/xslt-transform-to-fragment-no-xml-parsing-crash.html: Add.
- Test is marked "runSingly=true" since parsing any XML content before running the test avoids the crash.
* LayoutTests/platform/glib/fast/xsl/xslt-transform-to-fragment-no-xml-parsing-crash-expected.txt: Add.
- Platform-specific results for GTK and WPE ports.
* Source/WebCore/xml/parser/XMLDocumentParser.h:
(WebCore::initializeXMLParser): Add declaration.
* Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:
(WebCore::externalEntityLoader):
- Add RELEASE_ASSERT() for the cause of the original crash.
(WebCore::initializeXMLParser):
- Remove static keyword so this can be called from XMLDocumentParserScope() constructors.
* Source/WebCore/xml/parser/XMLDocumentParserScope.cpp:
(WebCore::XMLDocumentParserScope::XMLDocumentParserScope):
- Call initializeXMLParser() from constructors before setting m_oldEntityLoader.

Canonical link: https://commits.webkit.org/278419@main
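The commit message above describes an initialization-order bug: a process-wide global is populated lazily by one code path (XMLParserContext) and read by another path (the XSLT document loader inside an XMLDocumentParserScope) that can legitimately run first. The block below is an added example, not WebCore code, that models the pattern in plain C++ so the two orderings can be compared side by side. The globals, scope types and function names (g_defaultEntityLoader, ScopeBeforeFix, ScopeAfterFix, loadDocumentThroughScope) are stand-ins chosen for illustration, and the nullptr dereference is recorded as a flag instead of being reproduced. It shows why the scope constructor is the right place for the initialization call and why the layout test has to run in a fresh process.

```cpp
#include <cstdio>

// Shape of a libxml2-style external entity loader: URL in, loaded input out
// (nullptr when nothing could be loaded). Modelled with plain C strings here.
using EntityLoader = const char* (*)(const char* url);

// Process-wide state standing in for WebCore's defaultEntityLoader (captured
// from libxml2 by initializeXMLParser()) and the loader currently installed
// in libxml2. All of these names are stand-ins, not WebCore's real globals.
static EntityLoader g_defaultEntityLoader = nullptr;   // nullptr until initialized
static EntityLoader g_installedEntityLoader = nullptr;
static bool g_parserInitialized = false;
static bool g_hitNullDefaultLoader = false;            // the condition that crashed

// Stand-in for libxml2's built-in loader.
static const char* libxmlDefaultLoader(const char* url) {
    return (url && *url) ? "<!-- entity body -->" : nullptr;
}

// One-time parser setup. Before the fix only XMLParserContext called this, so
// any path that used the scope object without a preceding XML parse ran with
// g_defaultEntityLoader still null.
static void initializeXMLParser() {
    if (g_parserInitialized)
        return;
    g_parserInitialized = true;
    g_defaultEntityLoader = libxmlDefaultLoader;
    g_installedEntityLoader = libxmlDefaultLoader;
}

// The engine's own loader, installed while a parser scope is active. The real
// code calls defaultEntityLoader directly (the nullptr deref); the commit adds
// a RELEASE_ASSERT there, which this model records as a flag instead of crashing.
static const char* externalEntityLoader(const char* url) {
    if (!g_defaultEntityLoader) {
        g_hitNullDefaultLoader = true;
        return nullptr;
    }
    return g_defaultEntityLoader(url);
}

// RAII scope as it was before the fix: swap in the engine's loader, restore on exit.
struct ScopeBeforeFix {
    EntityLoader m_oldEntityLoader;
    ScopeBeforeFix() : m_oldEntityLoader(g_installedEntityLoader) {
        g_installedEntityLoader = externalEntityLoader;
    }
    ~ScopeBeforeFix() { g_installedEntityLoader = m_oldEntityLoader; }
};

// Scope after the fix: force initialization before touching m_oldEntityLoader,
// so the scope is usable even on a path where no XML document was ever parsed.
struct ScopeAfterFix {
    EntityLoader m_oldEntityLoader;
    ScopeAfterFix() {
        initializeXMLParser();
        m_oldEntityLoader = g_installedEntityLoader;
        g_installedEntityLoader = externalEntityLoader;
    }
    ~ScopeAfterFix() { g_installedEntityLoader = m_oldEntityLoader; }
};

// Start from a fresh process: nothing has been parsed, nothing initialized.
static void resetProcessState() {
    g_defaultEntityLoader = nullptr;
    g_installedEntityLoader = nullptr;
    g_parserInitialized = false;
    g_hitNullDefaultLoader = false;
}

// Stand-in for the XSLT document-loader path: open a parser scope and fetch a
// document through whatever loader is installed. Returns true if the load
// succeeded, false if it ran into the null default loader.
static bool loadDocumentThroughScope(bool withFix, bool parsedXmlFirst) {
    resetProcessState();
    if (parsedXmlFirst)
        initializeXMLParser();   // what any earlier XML parse did via XMLParserContext
    const char* result = nullptr;
    if (withFix) {
        ScopeAfterFix scope;
        result = g_installedEntityLoader("doc.xml");
    } else {
        ScopeBeforeFix scope;
        result = g_installedEntityLoader("doc.xml");
    }
    return result != nullptr && !g_hitNullDefaultLoader;
}

int main() {
    std::printf("before fix, no prior parse: %s\n", loadDocumentThroughScope(false, false) ? "ok" : "null default loader");
    std::printf("before fix, after a parse:  %s\n", loadDocumentThroughScope(false, true) ? "ok" : "null default loader");
    std::printf("after fix,  no prior parse: %s\n", loadDocumentThroughScope(true, false) ? "ok" : "null default loader");
    return 0;
}
```

The second case is the one that makes this class of bug easy to miss in a shared test run: once any XML document has been parsed in the process, the unfixed scope works, which is exactly why the layout test is marked runSingly. Putting the initialization call in the scope constructor, before m_oldEntityLoader is captured, removes the dependency on what ran earlier.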
Showing 6 changed files with 40 additions and 3 deletions.
LayoutTests/fast/xsl/xslt-transform-to-fragment-no-xml-parsing-crash-expected.txt (4 additions, 0 deletions)
@@ -0,0 +1,4 @@ | ||
CONSOLE MESSAGE: Did not parse external entity resource at '' because cross-origin loads are not allowed. | ||
CONSOLE MESSAGE: Start tag expected, '<' not found | ||
|
||
PASS if no crash |
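Review bot: the expectation pins the exact wording of "Start tag expected, '<' not found", which reads as a libxml2 parser diagnostic rather than a WebKit string, so a libxml2 update on any port will turn this crash test into a text mismatch and the glib-only variant already shows the wording differs between ports. If the console lines are not what the test is checking, consider keeping only the "PASS if no crash" line in the expectation; if they are needed, add a note in the test saying which libxml2 version produced them so a rebaseline is not mistaken for a regression.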
LayoutTests/fast/xsl/xslt-transform-to-fragment-no-xml-parsing-crash.html (23 additions, 0 deletions)
@@ -0,0 +1,23 @@ | ||
<!DOCTYPE html><!-- webkit-test-runner [ runSingly=true ] --> | ||
<html> | ||
<head> | ||
<script> | ||
if (window.testRunner) { | ||
testRunner.dumpAsText(); | ||
testRunner.waitUntilDone(); | ||
} | ||
function test() | ||
{ | ||
processor = new XSLTProcessor(); | ||
docType = document.implementation.createDocumentType("xml:test", "-//test//Test 1.0//EN", "M/"); | ||
processor.importStylesheet(docType); | ||
processor.transformToFragment(node1, document); | ||
if (window.testRunner) | ||
testRunner.notifyDone(); | ||
} | ||
</script> | ||
</head> | ||
<body onload="test()"> | ||
<span id="node1">PASS if no crash</span> | ||
</body> | ||
</html> |
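Review bot: if importStylesheet() or transformToFragment() throws instead of crashing, the `testRunner.notifyDone()` call after them is never reached and the test times out rather than reporting a result; wrap the two calls in a try/finally so notifyDone() always runs, which also keeps the "PASS if no crash" output meaningful when an exception is the new behaviour. Minor: `processor` and `docType` are assigned without a declaration and `node1` relies on named access on window; declare them with `let` (for example `let node1 = document.getElementById("node1");`) and add a one-line comment with the bug URL so readers know why importing a DocumentType as a stylesheet is the intended input.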
LayoutTests/platform/glib/fast/xsl/xslt-transform-to-fragment-no-xml-parsing-crash-expected.txt (6 additions, 0 deletions)
@@ -0,0 +1,6 @@ | ||
CONSOLE MESSAGE: Document is empty | ||
|
||
CONSOLE MESSAGE: Did not parse external entity resource at '' because cross-origin loads are not allowed. | ||
CONSOLE MESSAGE: Start tag expected, '<' not found | ||
|
||
PASS if no crash |
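Review bot: this platform result differs from the generic expectation only by the leading "CONSOLE MESSAGE: Document is empty" line, so the two files will have to be rebaselined in step whenever the console wording changes on either side. Record why GTK and WPE emit the extra message (a comment in the test or next to the glib expectation) so the next person who sees a diff between the two files can tell an expected port difference from a regression.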