Commit 28f3c1bd authored by pam@chromium.org

2008-11-04 Jonathan Haas <myrdred@gmail.com>

        Additional tweaks and patch prep by Pamela Greene <pam@chromium.org>

        Reviewed by Darin Adler.

        Fixed an issue which could cause memory corruption using ToT libxml.
        See https://bugs.webkit.org/show_bug.cgi?id=15715

        Test: fast/xsl/xslt-nested-stylesheets.xml

        * xml/XSLImportRule.cpp:
        (WebCore::XSLImportRule::setXSLStyleSheet): Set parent rather than owner document
        * xml/XSLStyleSheet.cpp:
        (WebCore::XSLStyleSheet::XSLStyleSheet): Initialize m_parentStyleSheet
        (WebCore::XSLStyleSheet::parseString): Make all child stylesheets use parent's dictionary
        (WebCore::XSLStyleSheet::setParentStyleSheet): Added
        * xml/XSLStyleSheet.h: Added m_parentStyleSheet member

2008-11-04  Pamela Greene  <pam@chromium.org>

        Reviewed by Darin Adler.

        Added test for crash resulting from nested stylesheets using certain
        builds of libxml2.  See https://bugs.webkit.org/show_bug.cgi?id=15715 .

        * fast/xsl/resources/xslt-nested-stylesheets0.xsl: Added.
        * fast/xsl/resources/xslt-nested-stylesheets1.xsl: Added.
        * fast/xsl/xslt-nested-stylesheets-expected.txt: Added.
        * fast/xsl/xslt-nested-stylesheets.xml: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@38115 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 38c9c9d1
2008-11-04 Pamela Greene <pam@chromium.org>
Reviewed by Darin Adler.
Added test for crash resulting from nested stylesheets using certain
builds of libxml2. See https://bugs.webkit.org/show_bug.cgi?id=15715 .
* fast/xsl/resources/xslt-nested-stylesheets0.xsl: Added.
* fast/xsl/resources/xslt-nested-stylesheets1.xsl: Added.
* fast/xsl/xslt-nested-stylesheets-expected.txt: Added.
* fast/xsl/xslt-nested-stylesheets.xml: Added.
2008-11-04 Pierre-Olivier Latour <pol@apple.com>
Reviewed by Dan Bernstein.
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:import href="xslt-nested-stylesheets1.xsl"/>
</xsl:stylesheet>
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<html>
<body>
<script>if (window.layoutTestController) layoutTestController.dumpAsText();</script>
<div id="mydiv">
<p>Tests a crash resulting from a string literal in a nested XSL stylesheet. If you reached
here without crashing, the test passed. See https://bugs.webkit.org/show_bug.cgi?id=15715 .</p>
<p>SUCCESS</p>
</div>
</body>
</html>
</xsl:template>
</xsl:stylesheet>
Tests a crash resulting from a string literal in a nested XSL stylesheet. If you reached here without crashing, the test passed. See https://bugs.webkit.org/show_bug.cgi?id=15715 .
SUCCESS
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/xsl" href="resources/xslt-nested-stylesheets0.xsl"?>
<stylesheet-test>
This tests a crash resulting from including nested stylesheets.
</stylesheet-test>
2008-11-04 Jonathan Haas <myrdred@gmail.com>
Addiitonal tweaks and patch prep by Pamela Greene <pam@chromium.org>
Reviewed by Darin Adler.
Fixed an issue which could cause memory corruption using ToT libxml.
See https://bugs.webkit.org/show_bug.cgi?id=15715
Test: fast/xsl/xslt-nested-stylesheets.xml
* xml/XSLImportRule.cpp:
(WebCore::XSLImportRule::setXSLStyleSheet): Set parent rather than owner document
* xml/XSLStyleSheet.cpp:
(WebCore::XSLStyleSheet::XSLStyleSheet): Initialize m_parentStyleSheet
(WebCore::XSLStyleSheet::parseString): Make all child stylesheets use parent's dictionary
(WebCore::XSLStyleSheet::setParentStyleSheet): Added
* xml/XSLStyleSheet.h: Added m_parentStyleSheet member
2008-11-04 Simon Fraser <simon.fraser@apple.com>
 
No review.
......@@ -61,7 +61,7 @@ void XSLImportRule::setXSLStyleSheet(const String& url, const String& sheet)
XSLStyleSheet* parent = parentStyleSheet();
if (parent)
m_styleSheet->setOwnerDocument(parent->ownerDocument());
m_styleSheet->setParentStyleSheet(parent);
m_styleSheet->parseString(sheet);
m_loading = false;
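Review bot: The `if (parent)` guard immediately before the new `m_styleSheet->setParentStyleSheet(parent);` call is now redundant, because setParentStyleSheet (see the XSLStyleSheet.cpp hunk on this page) already tolerates a null parent and only copies the owner document when one is present, so the call can simply be unconditional. I am reading the setOwnerDocument line as the removed side and the setParentStyleSheet line as the added side, as the commit message describes. The child sheet now keeps a raw back-pointer to its parent; that is presumably safe because the child is owned by this import rule, which the parent sheet owns, but a one-line comment at the call site such as `// Child sheet is owned by this rule, which the parent owns, so the back-pointer cannot outlive the parent.` would make the lifetime argument explicit. setXSLStyleSheet begins before this hunk and continues after it.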
......@@ -60,6 +60,7 @@ XSLStyleSheet::XSLStyleSheet(XSLImportRule* parentRule, const String& href)
, m_embedded(false)
, m_processed(false) // Child sheets get marked as processed when the libxslt engine has finally seen them.
, m_stylesheetDocTaken(false)
, m_parentStyleSheet(0)
{
}
......@@ -70,6 +71,7 @@ XSLStyleSheet::XSLStyleSheet(Node* parentNode, const String& href, bool embedde
, m_embedded(embedded)
, m_processed(true) // The root sheet starts off processed.
, m_stylesheetDocTaken(false)
, m_parentStyleSheet(0)
{
}
......@@ -147,7 +149,24 @@ bool XSLStyleSheet::parseString(const String& string, bool strict)
xmlSetStructuredErrorFunc(console, XSLTProcessor::parseErrorFunc);
xmlSetGenericErrorFunc(console, XSLTProcessor::genericErrorFunc);
m_stylesheetDoc = xmlReadMemory(reinterpret_cast<const char*>(string.characters()), string.length() * sizeof(UChar),
const char* buffer = reinterpret_cast<const char*>(string.characters());
int size = string.length() * sizeof(UChar);
xmlParserCtxtPtr ctxt = xmlCreateMemoryParserCtxt(buffer, size);
if (m_parentStyleSheet) {
// The XSL transform may leave the newly-transformed document
// with references to the symbol dictionaries of the style sheet
// and any of its children. XML document disposal can corrupt memory
// if a document uses more than one symbol dictionary, so we
// ensure that all child stylesheets use the same dictionaries as their
// parents.
xmlDictFree(ctxt->dict);
ctxt->dict = m_parentStyleSheet->m_stylesheetDoc->dict;
xmlDictReference(ctxt->dict);
}
m_stylesheetDoc = xmlCtxtReadMemory(ctxt, buffer, size,
href().utf8().data(),
BOMHighByte == 0xFF ? "UTF-16LE" : "UTF-16BE",
XML_PARSE_NOENT | XML_PARSE_DTDATTR | XML_PARSE_NOWARNING | XML_PARSE_NOCDATA);
......@@ -235,6 +254,13 @@ xsltStylesheetPtr XSLStyleSheet::compileStyleSheet()
return result;
}
void XSLStyleSheet::setParentStyleSheet(XSLStyleSheet* parent)
{
m_parentStyleSheet = parent;
if (parent)
m_ownerDocument = parent->ownerDocument();
}
xmlDocPtr XSLStyleSheet::locateStylesheetSubResource(xmlDocPtr parentDoc, const xmlChar* uri)
{
bool matchedParent = (parentDoc == document());
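Review bot: In the parseString hunk, the dictionary-sharing branch dereferences both `ctxt->dict` and `m_parentStyleSheet->m_stylesheetDoc->dict` without checking either pointer: xmlCreateMemoryParserCtxt returns NULL on allocation failure, and the parent's m_stylesheetDoc is null when its own parse failed (and presumably once it has been freed), so a failed or re-entered parent parse becomes a null dereference in the child instead of a clean failure. I would guard both before the branch, `if (!ctxt) return false;` and `if (m_parentStyleSheet && m_parentStyleSheet->m_stylesheetDoc) {`. The branch also relies on the freshly created context holding the only reference to its default dictionary so that `xmlDictFree(ctxt->dict)` releases it outright, which deserves a sentence in the comment, e.g. `// ctxt was just created, so this drops its sole reference to the default dictionary before adopting the parent's.` The hunk ends immediately after xmlCtxtReadMemory, so I cannot see whether ctxt is released with xmlFreeParserCtxt afterwards; if it is not, the context and its extra reference to the shared dictionary leak on every child parse. parseString continues past this hunk.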
......@@ -70,7 +70,7 @@ public:
DocLoader* docLoader();
Document* ownerDocument() { return m_ownerDocument; }
void setOwnerDocument(Document* doc) { m_ownerDocument = doc; }
void setParentStyleSheet(XSLStyleSheet* parent);
xmlDocPtr document();
......@@ -90,6 +90,7 @@ private:
bool m_embedded;
bool m_processed;
bool m_stylesheetDocTaken;
XSLStyleSheet* m_parentStyleSheet;
};
} // namespace WebCore
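Review bot: The new `m_parentStyleSheet` member is a raw, non-owning back-pointer whose declaration says nothing about who owns the parent or how long it must stay valid, and the setParentStyleSheet declaration does not mention that it also replaces the owner document (as the .cpp hunk shows). I would annotate the member, `XSLStyleSheet* m_parentStyleSheet; // Not owned. The importing sheet whose libxml dictionary child parses share; null for a root sheet.`, and the setter, `// Also adopts parent's owner document. Caller guarantees parent outlives this sheet.` The 7-line/7-line counts on the first hunk suggest setOwnerDocument was replaced by setParentStyleSheet rather than kept; if so, any remaining external callers of setOwnerDocument need to move to the new setter.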