[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-10851-g50815da

commit-queue at webkit.org commit-queue at webkit.org
Wed Dec 22 18:48:24 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit ca82b8a92ca1f6fe7f6a43b072ac28fb0679d7f6
Author: commit-queue at webkit.org <commit-queue at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Sun Dec 19 06:51:21 2010 +0000

    2010-12-18  Tom Sepez  <tsepez at chromium.org>
    
            Reviewed by David Levin.
    
            https://bugs.webkit.org/show_bug.cgi?id=51055
            Fix a null de-reference when an XML file contains a malformed entity
            of the form "&:;".
    
            * fast/parser/resources/xml-colon-entity.xml: Added.
            * fast/parser/xml-colon-entity-expected.txt: Added.
            * fast/parser/xml-colon-entity.html: Added.
    2010-12-18  Tom Sepez  <tsepez at chromium.org>
    
            Reviewed by David Levin.
    
            https://bugs.webkit.org/show_bug.cgi?id=51055
            Fix a null de-reference when an XML file contains a malformed entity
            of the form "&:;".
    
            Test: fast/parser/xml-colon-entity.html
    
            * html/parser/HTMLEntitySearch.cpp:
            (WebCore::HTMLEntitySearch::advance):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@74321 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 039b5d0..44e95b9 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2010-12-18  Tom Sepez  <tsepez at chromium.org>
+
+        Reviewed by David Levin.
+
+        https://bugs.webkit.org/show_bug.cgi?id=51055
+        Fix a null de-reference when an XML file contains a malformed entity
+        of the form "&:;".
+
+        * fast/parser/resources/xml-colon-entity.xml: Added.
+        * fast/parser/xml-colon-entity-expected.txt: Added.
+        * fast/parser/xml-colon-entity.html: Added.
+
 2010-12-18  Dan Bernstein  <mitz at apple.com>
 
         Reviewed by Cameron Zwarich.
diff --git a/LayoutTests/fast/parser/resources/xml-colon-entity.xml b/LayoutTests/fast/parser/resources/xml-colon-entity.xml
new file mode 100644
index 0000000..b0e6480
--- /dev/null
+++ b/LayoutTests/fast/parser/resources/xml-colon-entity.xml
@@ -0,0 +1,4 @@
+<!DOCTYPE foo PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" ""> 
+<foo foo="&:;
+
+
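Review bot: The attribute value opened by `<foo foo="&:;` is never closed and the element is never terminated, so this fixture provokes a second, unrelated parse error (the expected output records "AttValue: ' expected") on top of the entity error. If the crash still reproduces with the quote and the element closed, that form would keep the fixture minimal and the expected output focused on the "&:;" entity. The fixture also covers only ':' as the first character; a second case using another first character with no entity-table entry would exercise the new `!m_first || !m_last` check more broadly. The DOCTYPE line also ends in trailing whitespace.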
diff --git a/LayoutTests/fast/parser/xml-colon-entity-expected.txt b/LayoutTests/fast/parser/xml-colon-entity-expected.txt
new file mode 100644
index 0000000..1843218
--- /dev/null
+++ b/LayoutTests/fast/parser/xml-colon-entity-expected.txt
@@ -0,0 +1,14 @@
+CRASH: malformed entity of &: in xml causes access violation.
+
+If you don't crash, you pass. A parsing error in the "xml-parser" subframe is expected.
+
+
+
+--------
+Frame: 'xml-parser'
+--------
+This page contains the following errors:
+
+error on line 2 at column 13: Entity ':' not defined
+error on line 5 at column 1: AttValue: ' expected
+Below is a rendering of the page up to the first error.
diff --git a/LayoutTests/fast/parser/xml-colon-entity.html b/LayoutTests/fast/parser/xml-colon-entity.html
new file mode 100644
index 0000000..133c98e
--- /dev/null
+++ b/LayoutTests/fast/parser/xml-colon-entity.html
@@ -0,0 +1,15 @@
+<html>
+<body>
+<p>CRASH: malformed entity of &: in xml causes access violation.</p>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.dumpAsText();
+  layoutTestController.dumpChildFramesAsText();
+}
+</script>
+
+<p>If you don't crash, you pass. A parsing error in the "xml-parser" subframe is expected.</p>
+
+<iframe id="xml-parser" src="resources/xml-colon-entity.xml"></iframe>
+</body>
+</html>
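Review bot: The literal "&:" in the first `<p>` is an unescaped ampersand in the HTML harness page itself. Writing it as `&amp;:` would keep the harness from depending on how the HTML parser handles the same malformed entity that the "xml-parser" subframe is meant to test. The description also says "&:" where the ChangeLog says "&:;"; using the same string in both would make the failure easier to search for.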
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 3b48311..f60e4ab 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,16 @@
+2010-12-18  Tom Sepez  <tsepez at chromium.org>
+
+        Reviewed by David Levin.
+
+        https://bugs.webkit.org/show_bug.cgi?id=51055
+        Fix a null de-reference when an XML file contains a malformed entity
+        of the form "&:;".
+
+        Test: fast/parser/xml-colon-entity.html
+
+        * html/parser/HTMLEntitySearch.cpp:
+        (WebCore::HTMLEntitySearch::advance):
+
 2010-12-18  Noel Gordon  <noel.gordon at gmail.com>
 
         Reviewed by David Levin.
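Review bot: The entry describes a crash on an XML file but lists only html/parser/HTMLEntitySearch.cpp, and nothing says how XML entity resolution reaches `HTMLEntitySearch::advance`. One sentence naming the cause (the first-character table lookup returning null for ':') and the calling path would let a later reader judge whether HTML documents were affected too.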
diff --git a/WebCore/html/parser/HTMLEntitySearch.cpp b/WebCore/html/parser/HTMLEntitySearch.cpp
index 580609e..56fb91a 100644
--- a/WebCore/html/parser/HTMLEntitySearch.cpp
+++ b/WebCore/html/parser/HTMLEntitySearch.cpp
@@ -114,6 +114,8 @@ void HTMLEntitySearch::advance(UChar nextCharacter)
     if (!m_currentLength) {
         m_first = HTMLEntityTable::firstEntryStartingWith(nextCharacter);
         m_last = HTMLEntityTable::lastEntryStartingWith(nextCharacter);
+        if (!m_first || !m_last)
+            return fail();
     } else {
         m_first = findFirst(nextCharacter);
         m_last = findLast(nextCharacter);
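Review bot: The new check at `if (!m_first || !m_last)` handles a null return from `firstEntryStartingWith` / `lastEntryStartingWith`, but nothing in the hunk documents that these lookups return null when no entity starts with `nextCharacter`. A short comment here, or on the table accessors, would keep the next caller from repeating the bug. The two pointers should also be null together or non-null together; since `||` silently accepts a mismatch, an assertion that `!m_first == !m_last` before the early return would surface a table inconsistency in debug builds. The visible context does not show whether the `else` branch (`findFirst` / `findLast`) can yield null as well, so it is worth confirming that path is covered.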

-- 
WebKit Debian packaging


