Commit eaa3d7e9 authored by abarth@webkit.org

2010-09-06 Adam Barth <abarth@webkit.org>

        Reviewed by Sam Weinig.

        OOB read with svg polyline
        https://bugs.webkit.org/show_bug.cgi?id=45279

        In principle, attributeChanged can do anything.  If we supported more
        DOM mutation events, it could even run JavaScript.  That means we need
        to be prepared for the attribute map to change when running
        attributeChanged.  This patch makes this loop resilient to the
        attribute map changing by storing the list of changed attributes on the
        stack.

        Test: fast/parser/changing-attrbutes-crash.html

        * dom/Element.cpp:
        (WebCore::Element::setAttributeMap):
2010-09-06  Adam Barth  <abarth@webkit.org>

        Reviewed by Sam Weinig.

        OOB read with svg polyline
        https://bugs.webkit.org/show_bug.cgi?id=45279

        Test what happens when SVG changes the attribute map out from under us.

        * fast/parser/changing-attrbutes-crash-expected.txt: Added.
        * fast/parser/changing-attrbutes-crash.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@66862 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 3faa4116
2010-09-06 Adam Barth <abarth@webkit.org>
Reviewed by Sam Weinig.
OOB read with svg polyline
https://bugs.webkit.org/show_bug.cgi?id=45279
Test what happens when SVG changes the attribute map out from under us.
* fast/parser/changing-attrbutes-crash-expected.txt: Added.
* fast/parser/changing-attrbutes-crash.html: Added.
2010-09-06 Kent Tamura <tkent@chromium.org>
 
Reviewed by Dimitri Glazkov.
CONSOLE MESSAGE: line 0: Error: Problem parsing points="foo"
This test passes if it doesn't crash.
<svg><polygon class="bar" points="foo"></svg>
<script>
if (window.layoutTestController)
layoutTestController.dumpAsText();
</script>
<p>This test passes if it doesn't crash.</p>
2010-09-06 Adam Barth <abarth@webkit.org>
Reviewed by Sam Weinig.
OOB read with svg polyline
https://bugs.webkit.org/show_bug.cgi?id=45279
In principle, attributeChanged can do anything. If we supported more
DOM mutation events, it could even run JavaScript. That means we need
to be prepared for the attribute map to change when running
attributeChanged. This patch makes this loop resilient to the
attribute map changing by storing the list of changed attributes on the
stack.
Test: fast/parser/changing-attrbutes-crash.html
* dom/Element.cpp:
(WebCore::Element::setAttributeMap):
2010-09-06 Oliver Hunt <oliver@apple.com>
 
Windows build fix
......@@ -695,9 +695,12 @@ void Element::setAttributeMap(PassRefPtr<NamedNodeMap> list, FragmentScriptingPe
i++;
}
}
unsigned len = m_attributeMap->length();
for (unsigned i = 0; i < len; i++)
attributeChanged(m_attributeMap->m_attributes[i].get());
// Store the set of attributes that changed on the stack in case
// attributeChanged mutates m_attributeMap.
Vector<RefPtr<Attribute> > attributes;
m_attributeMap->copyAttributesToVector(attributes);
for (Vector<RefPtr<Attribute> >::iterator iter = attributes.begin(); iter != attributes.end(); ++iter)
attributeChanged(iter->get());
// FIXME: What about attributes that were in the old map that are not in the new map?
}
}
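Review bot: The snapshot into `Vector<RefPtr<Attribute> > attributes` fixes the out-of-bounds read, since the old loop cached `len` and indexed `m_attributeMap->m_attributes[i]` while `attributeChanged` was free to shrink the map; but the new loop at `attributeChanged(iter->get())` still notifies for an entry that an earlier callback may already have removed from `m_attributeMap`, so either skip entries no longer present in the live map before notifying, or extend the comment above the Vector to state that notifying a detached Attribute is intended. The trailing `// FIXME: What about attributes that were in the old map that are not in the new map?` is left open by this change and should be referenced from the ChangeLog so it is not lost.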