Post too much text to iFrame could crash webkit
author    cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Wed, 7 Nov 2018 03:12:18 +0000 (03:12 +0000)
committer cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Wed, 7 Nov 2018 03:12:18 +0000 (03:12 +0000)
commit    b3a3614977b10a588c3224b1f8d020ed03111965
tree      d0bcc1472b004e773fc31e1d50a6466b63ba03ca
parent    5001201e0f6ed5a7eec1f4caf23e6851385b2619
Post too much text to iFrame could crash webkit
https://bugs.webkit.org/show_bug.cgi?id=190947
<rdar://problem/45678231>

Reviewed by Geoffrey Garen.

Optimize SuffixTree (which is used by XSSAuditor) to stop storing each Node's
children as a static array of 128 pointers and use a dynamic array (vector)
instead. This uses way less memory. Also make SuffixTree and SuffixTree::Node
as fast allocated for performance. This part of the change is based on the
following Blink change:
- https://chromium.googlesource.com/chromium/src.git/+/6ca590e1c7edaa7c56cac9e3e3c39cf398ca8d4d

Also update the XSSAuditor to construct the SuffixTree lazily since there are
many cases (including the one in this bug) where we were spending a significant
amount of time building the SuffixTree and then never querying it.

* html/parser/XSSAuditor.cpp:
(WebCore::XSSAuditor::init):
(WebCore::XSSAuditor::decodedHTTPBodySuffixTree):
(WebCore::XSSAuditor::isContainedInRequest):
* html/parser/XSSAuditor.h:
* platform/text/SuffixTree.h:
(WebCore::SuffixTree::mightContain):
(WebCore::SuffixTree::Node::Node):
(WebCore::SuffixTree::Node::~Node):
(WebCore::SuffixTree::Node::find):
(WebCore::SuffixTree::Node::end):
(WebCore::SuffixTree::build):
(WebCore::SuffixTree<Codebook>::Node::childAt):
(WebCore::SuffixTree::Node::at): Deleted.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@237909 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebCore/ChangeLog
Source/WebCore/html/parser/XSSAuditor.cpp
Source/WebCore/html/parser/XSSAuditor.h
Source/WebCore/platform/text/SuffixTree.h
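The two changes the commit message describes, a sparse per-node child list in place of a fixed 128-pointer table and building the tree only when it is first queried, in an added C++ example that is not WebKit's code. `SuffixTree`, `mightContain`, `childAt` and `build` follow the names listed in the ChangeLog; `isBuilt`, `nodeCount`, the bounded-depth semantics and the sample text are assumptions made for this illustration.

```cpp
#include <algorithm>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Added example, not WebCore's code: a bounded-depth suffix tree in the spirit of
// WebCore::SuffixTree. Every suffix of the text, cut to `depth` characters, is
// inserted, so mightContain() answers "does this short substring occur anywhere?".
class SuffixTree {
    struct Node {
        // Sparse child list instead of a fixed 128-pointer table (1 KiB per node
        // on 64-bit): a node only pays for characters that actually follow it.
        std::vector<std::pair<char, std::unique_ptr<Node>>> children;
        const Node* find(char c) const {
            for (const auto& edge : children)
                if (edge.first == c) return edge.second.get();
            return nullptr;
        }
    };
    std::string m_text; size_t m_depth; size_t m_nodeCount = 0;
    std::unique_ptr<Node> m_root;  // stays null until the first query (lazy build)
    Node* childAt(Node* node, char c) {  // find or create the edge for c
        for (auto& edge : node->children)
            if (edge.first == c) return edge.second.get();
        node->children.emplace_back(c, std::make_unique<Node>());
        ++m_nodeCount;
        return node->children.back().second.get();
    }
    void build() {
        m_root = std::make_unique<Node>(); m_nodeCount = 1;
        for (size_t start = 0; start < m_text.size(); ++start) {
            Node* node = m_root.get();
            for (size_t i = start; i < std::min(m_text.size(), start + m_depth); ++i)
                node = childAt(node, m_text[i]);
        }
    }
public:
    SuffixTree(std::string text, size_t depth) : m_text(std::move(text)), m_depth(depth) {}
    bool isBuilt() const { return m_root != nullptr; }
    bool mightContain(const std::string& query) {  // may answer true for a long
        if (!m_root) build();                      // query whose prefix matches
        const Node* node = m_root.get();
        for (size_t i = 0; i < std::min(query.size(), m_depth); ++i)
            if (!(node = node->find(query[i]))) return false;
        return true;
    }
    size_t nodeCount() const { return m_nodeCount; }  // nodes allocated so far
};
```

Because the tree is cut at `depth`, `mightContain` is a filter that can over-approximate (a query longer than the depth matches on its prefix), which is why the real auditor treats it as a "might" answer rather than a definite one.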