[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373
eric at webkit.org
eric at webkit.org
Wed Apr 7 23:20:07 UTC 2010
The following commit has been merged in the webkit-1.2 branch:
commit 5de01af32344f1609240200691490e5ccde7df83
Author: eric at webkit.org <eric at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Tue Nov 3 18:37:39 2009 +0000
2009-11-03 Evan Martin <evan at chromium.org>
Reviewed by Darin Adler.
A test that reproduces a hard-to-trigger memory corruption in the
CSS lexer.
https://bugs.webkit.org/show_bug.cgi?id=30827
* fast/css/end-of-buffer-crash.html: Added.
2009-11-03 Evan Martin <evan at chromium.org>
Reviewed by Darin Adler.
Fix an off-by-one in the CSS lexer that causes memory corruption in
hard-to-trigger circumstances.
https://bugs.webkit.org/show_bug.cgi?id=30827
Test: fast/css/end-of-buffer-crash.html
* css/maketokenizer: Add comments, fix off-by-one.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@50467 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 79ea018..7d183c5 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2009-11-03 Evan Martin <evan at chromium.org>
+
+ Reviewed by Darin Adler.
+
+ A test that reproduces a hard-to-trigger memory corruption in the
+ CSS lexer.
+
+ https://bugs.webkit.org/show_bug.cgi?id=30827
+
+ * fast/css/end-of-buffer-crash.html: Added.
+
2009-11-02 Darin Adler <darin at apple.com>
Reviewed by Dan Bernstein.
diff --git a/LayoutTests/fast/css/end-of-buffer-crash-expected.txt b/LayoutTests/fast/css/end-of-buffer-crash-expected.txt
new file mode 100644
index 0000000..40b07ab
--- /dev/null
+++ b/LayoutTests/fast/css/end-of-buffer-crash-expected.txt
@@ -0,0 +1,3 @@
+This test tickles a subtle off-by-one bug in how the CSS lexer handles end of buffer conditions. The contents of the style tag satisfy (length mod 8 = 2) and contain an unclosed curly brace. We pass if we don't crash.
+
+PASS
diff --git a/LayoutTests/fast/css/end-of-buffer-crash.html b/LayoutTests/fast/css/end-of-buffer-crash.html
new file mode 100644
index 0000000..6f69e83
--- /dev/null
+++ b/LayoutTests/fast/css/end-of-buffer-crash.html
@@ -0,0 +1,12 @@
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+
+<style>tenbytes {</style>
+
+<p>This test tickles a subtle off-by-one bug in how the CSS lexer handles end
+of buffer conditions. The contents of the style tag satisfy (length mod 8 = 2)
+and contain an unclosed curly brace. We pass if we don't crash.</p>
+
+<p>PASS</p>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 7e55c13..7e54bb0 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,16 @@
+2009-11-03 Evan Martin <evan at chromium.org>
+
+ Reviewed by Darin Adler.
+
+ Fix an off-by-one in the CSS lexer that causes memory corruption in
+ hard-to-trigger circumstances.
+
+ https://bugs.webkit.org/show_bug.cgi?id=30827
+
+ Test: fast/css/end-of-buffer-crash.html
+
+ * css/maketokenizer: Add comments, fix off-by-one.
+
2009-11-02 Darin Adler <darin at apple.com>
Reviewed by Dan Bernstein.
diff --git a/WebCore/css/maketokenizer b/WebCore/css/maketokenizer
index d14b37a..efac3c6 100644
--- a/WebCore/css/maketokenizer
+++ b/WebCore/css/maketokenizer
@@ -73,30 +73,36 @@ typedef unsigned int flex_uint32_t;
END
}
-
+# Skip over the flex output prologue: the above typedefs, forward declarations, etc.
+# Stop when we get to the declarations of tables.
while (<>) {
last if /YY_NUM_RULES/;
}
+# Dump the generated tables. /yy_last_accepting/ matches the first declaration after the tables.
print;
while (<>) {
last if /yy_last_accepting/;
print;
}
-# media query, tokenizer state support
+# Skip down the the declaration of yytext; the body of the flex output begins after it.
while (<>) {
last if /yytext/;
}
+# Dump the definitions of states (INITIAL, media query, tokenizer state support).
while (<>) {
last if not (/define/ || /line/) ;
print;
}
+# Skip to main scanner function.
while (<>) {
last if /^YY_DECL/;
}
+# Dump main scanner declarations, substituting in our 16-bit character type.
+# Declarations end with the declaration matching /yy_act/.
print;
while (<>) {
s/char/UChar/;
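Review bot: The new comment `# Skip down the the declaration of yytext; the body of the flex output begins after it.` doubles "the"; it should read `# Skip down to the declaration of yytext; the body of the flex output begins after it.`. The comment `# Dump main scanner declarations, substituting in our 16-bit character type.` could also state that `s/char/UChar/` rewrites only the first `char` on each line, since that limit is what a reader of the generated declarations needs to know if a line ever carries two; the substitution itself is pre-existing, so only the wording is at issue. The `while (<>) {` loop on the hunk's last lines continues past the end of this hunk.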
@@ -104,23 +110,34 @@ while (<>) {
last if /yy_act/;
}
+# Skip past initialization code, down to main loop.
while (<>) {
last if /while \( 1 \)/;
}
+# Dump the main loop, skipping over labels we don't use.
+# Stop before dumping the end-of-buffer handling, because we output our own custom end-of-buffer handling.
print;
while (<>) {
next if /^yy_match:/;
next if /^do_action:/;
last if /YY_END_OF_BUFFER/;
+ if (/^case YY_STATE_EOF\(INITIAL\):/) {
+ print "case YY_END_OF_BUFFER:\n";
+ # flex outputs a ton of logic related to end-of-buffer handling; we just want to fall through to
+ # the yyterminate() found in other EOF states. But we need to be careful to back up to behind
+ # the terminating double-NUL so that subsequent calls to flex will have the pointers in order,
+ # so this logic is a reduction of the normal flex-generated YY_END_OF_BUFFER code.
+ print "\tyy_c_buf_p = yy_cp - 1;\n";
+ print "\tyy_cp = yy_c_buf_p;\n";
+ }
print;
- print "case YY_END_OF_BUFFER:\n" if /^case YY_STATE_EOF\(INITIAL\):/;
}
+# Skip over the end-of-buffer handling; dump the rest of the function.
while (<>) {
last if /default:/;
}
-
print;
while (<>) {
print;
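Review bot: The two assignments emitted at `print "\tyy_c_buf_p = yy_cp - 1;\n"` and `print "\tyy_cp = yy_c_buf_p;\n"` are the whole substance of the off-by-one fix, yet the generated tokenizer carries no explanation of the `- 1`; the rationale lives only in the generator's Perl comment, which a reader of the generated C++ never sees. Suggest emitting a one-line C comment ahead of them, e.g. `print "\t/* Rewind before the end-of-buffer NUL so the next scan resumes in place; see maketokenizer. */\n";`. The emitted `case YY_END_OF_BUFFER:` label also falls straight through into the `case YY_STATE_EOF(INITIAL):` line that the following `print;` copies, which the comment says is intended but which is unmarked in the output; a `print "\t/* fall through */\n";` after the assignments would make that explicit to anyone reading or linting the generated file. The comment describes this as a reduction of flex's own YY_END_OF_BUFFER logic, so which parts of that logic were deliberately dropped (and why they are safe to drop here) would be worth naming in the comment rather than leaving to inference.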