Heap-use-after-free in WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement
authorrafaelw@chromium.org <rafaelw@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 28 Dec 2012 16:30:31 +0000 (16:30 +0000)
committerrafaelw@chromium.org <rafaelw@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 28 Dec 2012 16:30:31 +0000 (16:30 +0000)
https://bugs.webkit.org/show_bug.cgi?id=105780

Reviewed by Eric Seidel.

Source/WebCore:

This regression was introduced by the HTMLTemplateElement implementation. The issue was a missed instance of
the "fragment or template contents" case in the parsing of colgroups: the parser assumed the current node was
a colgroup and popped it, when inside a template the current node could be the template element itself.

* html/parser/HTMLTreeBuilder.cpp:
(WebCore::HTMLTreeBuilder::processColgroupEndTagForInColumnGroup):
(WebCore::HTMLTreeBuilder::processStartTag):
(WebCore::HTMLTreeBuilder::processCharacterBuffer):
(WebCore::HTMLTreeBuilder::processEndOfFile):

LayoutTests:

* html5lib/resources/template.dat:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@138537 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/html5lib/resources/template.dat
Source/WebCore/ChangeLog
Source/WebCore/html/parser/HTMLTreeBuilder.cpp

index 59962a0..1221fb2 100644 (file)
@@ -1,3 +1,12 @@
+2012-12-28  Rafael Weinstein  <rafaelw@chromium.org>
+
+        Heap-use-after-free in WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement
+        https://bugs.webkit.org/show_bug.cgi?id=105780
+
+        Reviewed by Eric Seidel.
+
+        * html5lib/resources/template.dat:
+
 2012-12-27  Vsevolod Vlasov  <vsevik@chromium.org>
 
         Web Inspector: Introduce uri as a UISourceCode unique identifier in workspace.
index 725b967..5733b09 100644 (file)
 |               <template>
 |                 #document-fragment
 |         "text"
+
+#data
+<body><template><col><colgroup>
+#errors
+#document
+| <html>
+|   <head>
+|   <body>
+|     <template>
+|       #document-fragment
+|         <col>
+
+#data
+<body><template><col><colgroup></template></body>
+#errors
+#document
+| <html>
+|   <head>
+|   <body>
+|     <template>
+|       #document-fragment
+|         <col>
+
+#data
+<body><template><col><div>
+#errors
+#document
+| <html>
+|   <head>
+|   <body>
+|     <template>
+|       #document-fragment
+|         <col>
+
+#data
+<body><template><col>Hello
+#errors
+#document
+| <html>
+|   <head>
+|   <body>
+|     <template>
+|       #document-fragment
+|         <col>
index 4fcf676..e25b06b 100644 (file)
@@ -1,3 +1,19 @@
+2012-12-28  Rafael Weinstein  <rafaelw@chromium.org>
+
+        Heap-use-after-free in WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement
+        https://bugs.webkit.org/show_bug.cgi?id=105780
+
+        Reviewed by Eric Seidel.
+
+        This was regression was created by the HTMLTemplateElement implementation. The issue was a missed instance of
+        "fragment or template contents" case related to the parsing of colgroups.
+
+        * html/parser/HTMLTreeBuilder.cpp:
+        (WebCore::HTMLTreeBuilder::processColgroupEndTagForInColumnGroup):
+        (WebCore::HTMLTreeBuilder::processStartTag):
+        (WebCore::HTMLTreeBuilder::processCharacterBuffer):
+        (WebCore::HTMLTreeBuilder::processEndOfFile):
+
 2012-12-27  Vsevolod Vlasov  <vsevik@chromium.org>
 
         Web Inspector: Introduce uri as a UISourceCode unique identifier in workspace.
index f7d252d..443aa2b 100644 (file)
@@ -992,8 +992,8 @@ void HTMLTreeBuilder::processTemplateEndTag(AtomicHTMLToken* token)
 
 bool HTMLTreeBuilder::processColgroupEndTagForInColumnGroup()
 {
-    if (m_tree.currentIsRootNode()) {
-        ASSERT(isParsingFragment());
+    if (m_tree.currentIsRootNode() || m_tree.currentNode()->hasTagName(templateTag)) {
+        ASSERT(isParsingFragmentOrTemplateContents());
         // FIXME: parse error
         return false;
     }
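Review bot: The new condition on the changed `if` line still enumerates the cases where the current node is *not* a colgroup (root node, template) rather than checking the invariant the code below actually depends on, which is exactly how the template case was missed when HTMLTemplateElement landed. A positive check, `if (!m_tree.currentNode()->hasTagName(colgroupTag))`, matches the spec's "in column group" rule as I read it ("if the current node is not a colgroup element, parse error; ignore the token") and fails closed if another insertion-mode change ever leaves a different element on top of the stack. That matters because the `ASSERT(isParsingFragmentOrTemplateContents())` is compiled out in release builds, so the unconditional pop and switch to InTableMode that presumably follow are the only thing standing between a mismatched open-element stack and the use-after-free named in the title. The remainder of processColgroupEndTagForInColumnGroup's body lies outside this hunk, so I can't confirm what the pop path does.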
@@ -1208,7 +1208,7 @@ void HTMLTreeBuilder::processStartTag(AtomicHTMLToken* token)
         }
 #endif
         if (!processColgroupEndTagForInColumnGroup()) {
-            ASSERT(isParsingFragment());
+            ASSERT(isParsingFragmentOrTemplateContents());
             return;
         }
         processStartTag(token);
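Review bot: The assertion after the `processColgroupEndTagForInColumnGroup()` call is updated here and in processCharacterBuffer and processEndOfFile, but no hunk touches processEndTag; if its InColumnGroupMode branch also calls `processColgroupEndTagForInColumnGroup()` followed by `ASSERT(isParsingFragment())` (not visible from this diff), an input such as `<body><template><col></div>` would still trip the stale assertion in debug builds even though the release behaviour is now correct. The four new template.dat cases exercise the start-tag, character and EOF paths but none drives an arbitrary end tag through the in-column-group mode, so adding that case would cover the remaining call site. The enclosing InColumnGroupMode case of processStartTag begins before this hunk.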
@@ -2437,7 +2437,7 @@ ReprocessBuffer:
         if (buffer.isEmpty())
             return;
         if (!processColgroupEndTagForInColumnGroup()) {
-            ASSERT(isParsingFragment());
+            ASSERT(isParsingFragmentOrTemplateContents());
             // The spec tells us to drop these characters on the floor.
             buffer.skipLeadingNonWhitespace();
             if (buffer.isEmpty())
@@ -2574,7 +2574,7 @@ void HTMLTreeBuilder::processEndOfFile(AtomicHTMLToken* token)
             return; // FIXME: Should we break here instead of returning?
         }
         if (!processColgroupEndTagForInColumnGroup()) {
-            ASSERT(isParsingFragment());
+            ASSERT(isParsingFragmentOrTemplateContents());
             return; // FIXME: Should we break here instead of returning?
         }
         processEndOfFile(token);