[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198
abarth at webkit.org
Mon Feb 21 00:20:40 UTC 2011
The following commit has been merged in the webkit-1.3 branch:
commit efee11735921d92b40776986851ef04632842d24
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Sun Jan 30 02:39:40 2011 +0000
2011-01-29 Adam Barth <abarth at webkit.org>
Reviewed by Daniel Bates.
Fix XSSFilter crash when extracting the source for a token twice
https://bugs.webkit.org/show_bug.cgi?id=53368
Previously, it was unsafe to extract the source for the same token
twice because the HTMLSourceTracker would advance its internal
representation of the SegmentedString. This patch introduces a cache
to make calling HTMLSourceTracker::sourceForToken multiple times safe.
* html/parser/HTMLSourceTracker.cpp:
(WebCore::HTMLSourceTracker::end):
(WebCore::HTMLSourceTracker::sourceForToken):
* html/parser/HTMLSourceTracker.h:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77076 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 9b0a0b7..e7c015b 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,20 @@
+2011-01-29 Adam Barth <abarth at webkit.org>
+
+ Reviewed by Daniel Bates.
+
+ Fix XSSFilter crash when extracting the source for a token twice
+ https://bugs.webkit.org/show_bug.cgi?id=53368
+
+ Previously, it was unsafe to extract the source for the same token
+ twice because the HTMLSourceTracker would advance its internal
+ representation of the SegmentedString. This patch introduces a cache
+ to make calling HTMLSourceTracker::sourceForToken multiple times safe.
+
+ * html/parser/HTMLSourceTracker.cpp:
+ (WebCore::HTMLSourceTracker::end):
+ (WebCore::HTMLSourceTracker::sourceForToken):
+ * html/parser/HTMLSourceTracker.h:
+
2011-01-29 Maciej Stachowiak <mjs at apple.com>
Reviewed by Dan Bernstein.
diff --git a/Source/WebCore/html/parser/HTMLSourceTracker.cpp b/Source/WebCore/html/parser/HTMLSourceTracker.cpp
index 9d8328f..cf43105 100644
--- a/Source/WebCore/html/parser/HTMLSourceTracker.cpp
+++ b/Source/WebCore/html/parser/HTMLSourceTracker.cpp
@@ -41,6 +41,7 @@ void HTMLSourceTracker::start(const HTMLInputStream& input, HTMLToken& token)
void HTMLSourceTracker::end(const HTMLInputStream& input, HTMLToken& token)
{
+ m_cachedSourceForToken = String();
// FIXME: This work should really be done by the HTMLTokenizer.
token.end(input.current().numberOfCharactersConsumed());
}
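Review bot: The cache is reset only in end(), so a call to sourceForToken() made after start() of the next token but before its end() would return the previous token's source rather than the current one. Consider also clearing m_cachedSourceForToken in start() (visible in the hunk header at line 41) so the cached value can never outlive the token it was computed for.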
@@ -50,6 +51,9 @@ String HTMLSourceTracker::sourceForToken(const HTMLToken& token)
if (token.type() == HTMLToken::EndOfFile)
return String(); // Hides the null character we use to mark the end of file.
+ if (!m_cachedSourceForToken.isEmpty())
+ return m_cachedSourceForToken;
+
ASSERT(!token.startIndex());
UChar* data = 0;
int length = token.endIndex() - token.startIndex() - m_sourceFromPreviousSegments.length();
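Review bot: The early return tests `!m_cachedSourceForToken.isEmpty()`, but end() resets the cache to `String()`, which is null, so the distinction being relied on is null versus non-null. A legitimately empty source (length of zero at `int length = ...`) would not be treated as cached, and the loop below would advance m_source a second time, which is the double-extraction problem this patch is meant to fix. Suggest `if (!m_cachedSourceForToken.isNull())` to match the reset in end().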
@@ -58,7 +62,8 @@ String HTMLSourceTracker::sourceForToken(const HTMLToken& token)
data[i] = *m_source;
m_source.advance();
}
- return m_sourceFromPreviousSegments + source;
+ m_cachedSourceForToken = m_sourceFromPreviousSegments + source;
+ return m_cachedSourceForToken;
}
}
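Review bot: The value stored in `m_cachedSourceForToken = m_sourceFromPreviousSegments + source;` is not associated with the token it was computed for, so a later sourceForToken(token) with a different token argument would silently return the earlier result. The function's `token` parameter is still consulted for `startIndex()`/`endIndex()`, so at minimum document that the cache is only valid for the token most recently passed to end(), or add an ASSERT comparing the token's indices against those used to fill the cache.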
diff --git a/Source/WebCore/html/parser/HTMLSourceTracker.h b/Source/WebCore/html/parser/HTMLSourceTracker.h
index df322b9..17ae191 100644
--- a/Source/WebCore/html/parser/HTMLSourceTracker.h
+++ b/Source/WebCore/html/parser/HTMLSourceTracker.h
@@ -47,6 +47,7 @@ public:
private:
String m_sourceFromPreviousSegments;
SegmentedString m_source;
+ String m_cachedSourceForToken;
};
}
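Review bot: The new member `String m_cachedSourceForToken;` has no comment describing its lifetime. Since correctness depends on callers understanding that it is valid only between end() and the next end() (and that an empty/null value means "not yet computed"), a one-line comment on the member stating that invariant would help future readers of this header.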
--
WebKit Debian packaging