[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198

abarth at webkit.org abarth at webkit.org
Mon Feb 21 00:20:40 UTC 2011


The following commit has been merged in the webkit-1.3 branch:
commit efee11735921d92b40776986851ef04632842d24
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Sun Jan 30 02:39:40 2011 +0000

    2011-01-29  Adam Barth  <abarth at webkit.org>
    
            Reviewed by Daniel Bates.
    
            Fix XSSFilter crash when extracting the source for a token twice
            https://bugs.webkit.org/show_bug.cgi?id=53368
    
            Previously, it was unsafe to extract the source for the same token
            twice because the HTMLSourceTracker would advance its internal
            representation of the SegmentedString.  This patch introduces a cache
            to make calling HTMLSourceTracker::sourceForToken multiple times safe.
    
            * html/parser/HTMLSourceTracker.cpp:
            (WebCore::HTMLSourceTracker::end):
            (WebCore::HTMLSourceTracker::sourceForToken):
            * html/parser/HTMLSourceTracker.h:
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77076 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 9b0a0b7..e7c015b 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,20 @@
+2011-01-29  Adam Barth  <abarth at webkit.org>
+
+        Reviewed by Daniel Bates.
+
+        Fix XSSFilter crash when extracting the source for a token twice
+        https://bugs.webkit.org/show_bug.cgi?id=53368
+
+        Previously, it was unsafe to extract the source for the same token
+        twice because the HTMLSourceTracker would advance its internal
+        representation of the SegmentedString.  This patch introduces a cache
+        to make calling HTMLSourceTracker::sourceForToken multiple times safe.
+
+        * html/parser/HTMLSourceTracker.cpp:
+        (WebCore::HTMLSourceTracker::end):
+        (WebCore::HTMLSourceTracker::sourceForToken):
+        * html/parser/HTMLSourceTracker.h:
+
 2011-01-29  Maciej Stachowiak  <mjs at apple.com>
 
         Reviewed by Dan Bernstein.
diff --git a/Source/WebCore/html/parser/HTMLSourceTracker.cpp b/Source/WebCore/html/parser/HTMLSourceTracker.cpp
index 9d8328f..cf43105 100644
--- a/Source/WebCore/html/parser/HTMLSourceTracker.cpp
+++ b/Source/WebCore/html/parser/HTMLSourceTracker.cpp
@@ -41,6 +41,7 @@ void HTMLSourceTracker::start(const HTMLInputStream& input, HTMLToken& token)
 
 void HTMLSourceTracker::end(const HTMLInputStream& input, HTMLToken& token)
 {
+    m_cachedSourceForToken = String();
     // FIXME: This work should really be done by the HTMLTokenizer.
     token.end(input.current().numberOfCharactersConsumed());
 }
@@ -50,6 +51,9 @@ String HTMLSourceTracker::sourceForToken(const HTMLToken& token)
     if (token.type() == HTMLToken::EndOfFile)
         return String(); // Hides the null character we use to mark the end of file.
 
+    if (!m_cachedSourceForToken.isEmpty())
+        return m_cachedSourceForToken;
+
     ASSERT(!token.startIndex());
     UChar* data = 0;
     int length = token.endIndex() - token.startIndex() - m_sourceFromPreviousSegments.length();
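Review bot: The cache test on the added `if (!m_cachedSourceForToken.isEmpty())` line cannot tell "already computed" apart from "computed as empty": if a token's extracted text can ever be zero-length (with an empty m_sourceFromPreviousSegments), the second call falls through, re-reads and advances m_source again — the exact condition this patch sets out to remove. Since end() resets the member to a null String(), checking `if (!m_cachedSourceForToken.isNull()) return m_cachedSourceForToken;` distinguishes the two states, and it is equally cheap. Note also that the cache is keyed to tracker state rather than to the token argument, so it presumably relies on every call between two end() invocations passing the same token; a one-line comment stating that invariant next to the check would make the contract visible. sourceForToken's signature precedes this hunk and its body continues in the next one.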
@@ -58,7 +62,8 @@ String HTMLSourceTracker::sourceForToken(const HTMLToken& token)
         data[i] = *m_source;
         m_source.advance();
     }
-    return m_sourceFromPreviousSegments + source;
+    m_cachedSourceForToken = m_sourceFromPreviousSegments + source;
+    return m_cachedSourceForToken;
 }
 
 }
diff --git a/Source/WebCore/html/parser/HTMLSourceTracker.h b/Source/WebCore/html/parser/HTMLSourceTracker.h
index df322b9..17ae191 100644
--- a/Source/WebCore/html/parser/HTMLSourceTracker.h
+++ b/Source/WebCore/html/parser/HTMLSourceTracker.h
@@ -47,6 +47,7 @@ public:
 private:
     String m_sourceFromPreviousSegments;
     SegmentedString m_source;
+    String m_cachedSourceForToken;
 };
 
 }
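Review bot: The new member `m_cachedSourceForToken` is added without a comment describing its lifecycle, although that lifecycle (filled by sourceForToken, cleared by end) is the whole point of the change and the header is where the next reader will look for it. Suggest `String m_cachedSourceForToken; // Memoized result of sourceForToken(); null until computed, reset in end().` so the null-versus-empty distinction the .cpp relies on is documented where the member is declared.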

-- 
WebKit Debian packaging


