[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

tkent at chromium.org tkent at chromium.org
Wed Apr 7 23:46:06 UTC 2010


The following commit has been merged in the webkit-1.2 branch:
commit 48ef6516d021131da203c4f27fd958fc008f4ed6
Author: tkent at chromium.org <tkent at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Nov 18 05:19:24 2009 +0000

    2009-11-17  Hayato Ito  <hayato at google.com>
    
            Reviewed by Darin Adler.
    
            Avoid infinite mutual recursion when deeply nested tags are loaded
            https://bugs.webkit.org/show_bug.cgi?id=30651
    
            * fast/parser/block-nesting-cap-table-expected.txt: Added.
            * fast/parser/block-nesting-cap-table.html: Added.
            * fast/parser/script-tests/block-nesting-cap-table.js: Added.
    2009-11-17  Hayato Ito  <hayato at google.com>
    
            Reviewed by Darin Adler.
    
            Avoid infinite mutual recursion when deeply nested tags are loaded
            https://bugs.webkit.org/show_bug.cgi?id=30651
    
            Test: fast/parser/block-nesting-cap-table.html
    
            * html/HTMLParser.cpp:
            (WebCore::HTMLParser::parseToken):
            (WebCore::tagPriorityOfNode):
            (WebCore::HTMLParser::limitBlockDepth):
            (WebCore::HTMLParser::insertNodeAfterLimitBlockDepth):
            (WebCore::HTMLParser::insertNode):
            * html/HTMLParser.h:
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@51101 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 5f1e0f9..2a1160c 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2009-11-17  Hayato Ito  <hayato at google.com>
+
+        Reviewed by Darin Adler.
+
+        Avoid infinite mutual recursion when deeply nested tags are loaded
+        https://bugs.webkit.org/show_bug.cgi?id=30651
+
+        * fast/parser/block-nesting-cap-table-expected.txt: Added.
+        * fast/parser/block-nesting-cap-table.html: Added.
+        * fast/parser/script-tests/block-nesting-cap-table.js: Added.
+
 2009-11-17  Johnny Ding  <jnd at chromium.org>
 
         Reviewed by Darin Adler.
diff --git a/LayoutTests/fast/parser/block-nesting-cap-table-expected.txt b/LayoutTests/fast/parser/block-nesting-cap-table-expected.txt
new file mode 100644
index 0000000..2dffc16
--- /dev/null
+++ b/LayoutTests/fast/parser/block-nesting-cap-table-expected.txt
@@ -0,0 +1,12 @@
+Test that the HTML parser does not allow the nesting depth of "block-level" elements to exceed 4096 when using nested table tag
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS t1024.parentNode === td1022 is true
+PASS t1023.parentNode === td1022 is true
+PASS t1024.previousSibling === t1023 is true
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/parser/block-nesting-cap-table.html b/LayoutTests/fast/parser/block-nesting-cap-table.html
new file mode 100644
index 0000000..d33515e
--- /dev/null
+++ b/LayoutTests/fast/parser/block-nesting-cap-table.html
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="../js/resources/js-test-style.css">
+<script src="../js/resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src="script-tests/block-nesting-cap-table.js"></script>
+<script src="../js/resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/fast/parser/script-tests/block-nesting-cap-table.js b/LayoutTests/fast/parser/script-tests/block-nesting-cap-table.js
new file mode 100644
index 0000000..a353b58
--- /dev/null
+++ b/LayoutTests/fast/parser/script-tests/block-nesting-cap-table.js
@@ -0,0 +1,20 @@
+description('Test that the HTML parser does not allow the nesting depth of "block-level" elements to exceed 4096 when using nested table tag');
+
+var depth = 1028;  // <table><tbody><tr><td> consumes 4 blocks. (1028 * 4 = 4112 > 4096).
+var markup = "";
+var i;
+for (i = 0; i < depth; ++i)
+    markup += "<table id='t" + i + "'><tbody><tr><td id='td" + i + "'>";
+var doc = document.implementation.createHTMLDocument();
+doc.body.innerHTML = markup;
+
+var t1023 = doc.getElementById("t1023");
+var t1024 = doc.getElementById("t1024");
+
+var td1022 = doc.getElementById("td1022");
+
+shouldBe("t1024.parentNode === td1022", "true");
+shouldBe("t1023.parentNode === td1022", "true");
+shouldBe("t1024.previousSibling === t1023", "true");
+
+var successfullyParsed = true;
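Review bot: The assertions on t1024, t1023 and td1022 pin the exact spot where the cap bites, but nothing in the script says why those indices are the interesting ones; a reader has to derive 4096 / 4 = 1024 and then work out which table gets re-parented. I would extend the comment on the depth line to `// cMaxBlockDepth is 4096; each <table><tbody><tr><td> costs 4 blocks, so the cap is hit when t1024 opens, the parser pops t1023's blocks, and t1024 becomes the next sibling of t1023 under td1022.` The four extra tables beyond 1024 appear to exist only to guarantee the cap is crossed, which is worth stating as well so the constant is not "fixed" to 1024 later. The expected output file hard-codes the same three relations, so both would have to change together if the constant ever moves.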
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 066e372..b724b60 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,20 @@
+2009-11-17  Hayato Ito  <hayato at google.com>
+
+        Reviewed by Darin Adler.
+
+        Avoid infinite mutual recursion when deeply nested tags are loaded
+        https://bugs.webkit.org/show_bug.cgi?id=30651
+
+        Test: fast/parser/block-nesting-cap-table.html
+
+        * html/HTMLParser.cpp:
+        (WebCore::HTMLParser::parseToken):
+        (WebCore::tagPriorityOfNode):
+        (WebCore::HTMLParser::limitBlockDepth):
+        (WebCore::HTMLParser::insertNodeAfterLimitBlockDepth):
+        (WebCore::HTMLParser::insertNode):
+        * html/HTMLParser.h:
+
 2009-11-17  Brent Fulgham  <bfulgham at webkit.org>
 
         Rubber-stamped by Alexey Proskuryakov.
diff --git a/WebCore/html/HTMLParser.cpp b/WebCore/html/HTMLParser.cpp
index 1cb47ae..f13c19b 100644
--- a/WebCore/html/HTMLParser.cpp
+++ b/WebCore/html/HTMLParser.cpp
@@ -203,6 +203,25 @@ void HTMLParser::setCurrent(Node* newCurrent)
     m_didRefCurrent = didRefNewCurrent;
 }
 
+inline static int tagPriorityOfNode(Node* n)
+{
+    return n->isHTMLElement() ? static_cast<HTMLElement*>(n)->tagPriority() : 0;
+}
+
+inline void HTMLParser::limitBlockDepth(int tagPriority)
+{
+    if (tagPriority >= minBlockLevelTagPriority) {
+        while (m_blocksInStack >= cMaxBlockDepth)
+            popBlock(m_blockStack->tagName);
+    }
+}
+
+inline bool HTMLParser::insertNodeAfterLimitBlockDepth(Node* n, bool flat)
+{
+    limitBlockDepth(tagPriorityOfNode(n));
+    return insertNode(n, flat);
+}
+
 PassRefPtr<Node> HTMLParser::parseToken(Token* t)
 {
     if (!m_skipModeTag.isNull()) {
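Review bot: limitBlockDepth dereferences `m_blockStack` on every iteration without a guard, and the loop only terminates if each popBlock actually lowers `m_blocksInStack`; neither invariant is visible in this hunk. This is the one path that runs on attacker-chosen nesting depth, so if the counter and the stack can ever disagree the patch trades a stack-exhaustion crash for a null dereference or a spin. I would make the invariant explicit and cheap to check: `while (m_blocksInStack >= cMaxBlockDepth) { ASSERT(m_blockStack); popBlock(m_blockStack->tagName); }` (using whatever assertion macro this file already has in scope). A short comment on insertNodeAfterLimitBlockDepth saying it is the only entry point that enforces cMaxBlockDepth would also help, since insertNode itself no longer does.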
@@ -241,7 +260,7 @@ PassRefPtr<Node> HTMLParser::parseToken(Token* t)
         while (charsLeft) {
             // split large blocks of text to nodes of manageable size
             n = Text::createWithLengthLimit(m_document, text, charsLeft);
-            if (!insertNode(n.get(), t->selfClosingTag))
+            if (!insertNodeAfterLimitBlockDepth(n.get(), t->selfClosingTag))
                 return 0;
         }
         return n;
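Review bot: For the text-splitting loop the new wrapper is a no-op: tagPriorityOfNode returns 0 for anything that is not an HTMLElement, so limitBlockDepth never pops for a Text node, yet it is now evaluated once per chunk of a large text run. If the goal is uniformity with the element path, a comment would stop the next reader from wondering whether text can trigger the cap: `// Text nodes have tag priority 0, so the depth cap never fires here; the wrapper is used for symmetry with element insertion.` Otherwise calling insertNode directly here is equivalent and avoids the extra virtual call per chunk. parseToken continues outside this hunk.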
@@ -271,7 +290,7 @@ PassRefPtr<Node> HTMLParser::parseToken(Token* t)
         }
     }
 
-    if (!insertNode(n.get(), t->selfClosingTag)) {
+    if (!insertNodeAfterLimitBlockDepth(n.get(), t->selfClosingTag)) {
         // we couldn't insert the node
 
         if (n->isElementNode()) {
@@ -329,21 +348,17 @@ bool HTMLParser::insertNode(Node* n, bool flat)
     RefPtr<Node> protectNode(n);
 
     const AtomicString& localName = n->localName();
-    int tagPriority = n->isHTMLElement() ? static_cast<HTMLElement*>(n)->tagPriority() : 0;
     
     // <table> is never allowed inside stray table content.  Always pop out of the stray table content
     // and close up the first table, and then start the second table as a sibling.
     if (m_inStrayTableContent && localName == tableTag)
         popBlock(tableTag);
 
-    if (tagPriority >= minBlockLevelTagPriority) {
-        while (m_blocksInStack >= cMaxBlockDepth)
-            popBlock(m_blockStack->tagName);
-    }
-
     if (m_parserQuirks && !m_parserQuirks->shouldInsertNode(m_current, n))
         return false;
 
+    int tagPriority = tagPriorityOfNode(n);
+
     // let's be stupid and just try to insert it.
     // this should work if the document is well-formed
     Node* newNode = m_current->addChild(n);
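Review bot: insertNode no longer enforces cMaxBlockDepth (the loop removed here), so any caller that reaches insertNode directly rather than through insertNodeAfterLimitBlockDepth now bypasses the cap by design; I take that to be the point of the fix for the handleError re-entry described in bug 30651, but none of that is visible at this site. A comment where the loop used to be would stop someone from re-adding it: `// Block-depth capping deliberately lives in insertNodeAfterLimitBlockDepth(), not here, so re-entrant insertNode calls from error recovery do not re-pop the stack.` Note also that tagPriority is now computed twice per insertion, once in the wrapper and again on the line moved below the quirks check; harmless, but tagPriority() is presumably virtual, so passing it down would be the cleaner shape if the signature is ever revisited. insertNode's body starts and ends outside this hunk.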
diff --git a/WebCore/html/HTMLParser.h b/WebCore/html/HTMLParser.h
index 0945826..f07b64b 100644
--- a/WebCore/html/HTMLParser.h
+++ b/WebCore/html/HTMLParser.h
@@ -111,6 +111,9 @@ private:
 
     void processCloseTag(Token*);
 
+    void limitBlockDepth(int tagPriority);
+
+    bool insertNodeAfterLimitBlockDepth(Node*, bool flat = false);
     bool insertNode(Node*, bool flat = false);
     bool handleError(Node*, bool flat, const AtomicString& localName, int tagPriority);
     
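Review bot: The three new private declarations carry no comment, and the division of responsibility is the whole fix: insertNodeAfterLimitBlockDepth enforces cMaxBlockDepth and insertNode does not. I would add one line above each: `// Pops blocks until m_blocksInStack < cMaxBlockDepth; only acts for block-level tag priorities.` and `// limitBlockDepth() followed by insertNode(); insertNode itself never enforces the cap.` Both functions are defined `inline` in HTMLParser.cpp, which is only valid while they stay private to that translation unit, so that is worth saying here too.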
