Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: cbbffdafe0a9f188e1f87fdb4d528b0f153b2aa3
      
https://github.com/WebKit/WebKit/commit/cbbffdafe0a9f188e1f87fdb4d528b0f153b2aa3
  Author: David Kilzer <ddkil...@apple.com>
  Date:   2024-05-06 (Mon, 06 May 2024)

  Changed paths:
    A LayoutTests/fast/xsl/xslt-transform-to-fragment-no-xml-parsing-crash-expected.txt
    A LayoutTests/fast/xsl/xslt-transform-to-fragment-no-xml-parsing-crash.html
    A LayoutTests/platform/glib/fast/xsl/xslt-transform-to-fragment-no-xml-parsing-crash-expected.txt
    M Source/WebCore/xml/parser/XMLDocumentParser.h
    M Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp
    M Source/WebCore/xml/parser/XMLDocumentParserScope.cpp

  Log Message:
  -----------
  REGRESSION (277924@main): nullptr deref crash calling XSLTProcessor.transformToFragment() before parsing XML
<https://bugs.webkit.org/show_bug.cgi?id=273735>
<rdar://127496002>

Reviewed by Alex Christensen.

If docLoaderFunc() in XSLTProcessorLibxslt.cpp was called before an XML
document was parsed, the WebCore::defaultEntityLoader global would not
be initialized, which could result in a nullptr dereference crash.

The fix is to call initializeXMLParser() in XMLDocumentParserScope()
constructors since there are cases where XMLDocumentParserScope is used
but XMLParserContext (the only place where initializeXMLParser() was
called previously) is not.

Test:  fast/xsl/xslt-transform-to-fragment-no-xml-parsing-crash.html

* LayoutTests/fast/xsl/xslt-transform-to-fragment-no-xml-parsing-crash-expected.txt: Add.
* LayoutTests/fast/xsl/xslt-transform-to-fragment-no-xml-parsing-crash.html: Add.
- Test is marked "runSingly=true" since parsing any XML content before
  running the test avoids the crash.
* LayoutTests/platform/glib/fast/xsl/xslt-transform-to-fragment-no-xml-parsing-crash-expected.txt: Add.
- Platform-specific results for GTK and WPE ports.

* Source/WebCore/xml/parser/XMLDocumentParser.h:
(WebCore::initializeXMLParser): Add declaration.
* Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:
(WebCore::externalEntityLoader):
- Add RELEASE_ASSERT() for the cause of the original crash.
(WebCore::initializeXMLParser):
- Remove static keyword so this can be called from
  XMLDocumentParserScope() constructors.
* Source/WebCore/xml/parser/XMLDocumentParserScope.cpp:
(WebCore::XMLDocumentParserScope::XMLDocumentParserScope):
- Call initializeXMLParser() from constructors before setting
  m_oldEntityLoader.

Canonical link: https://commits.webkit.org/278419@main
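The initialization-order bug described above, as an added stand-alone C++ model that is not WebCore's code: the names initializeXMLParser, XMLDocumentParserScope, XMLParserContext, externalEntityLoader and docLoaderFunc are borrowed from the commit message as labels only, and their bodies here are simplified stand-ins, not the real implementations. The ParserLibrary struct, the applyFix flag and the two transformToFragment* scenario functions are inventions of this example. It shows why an RAII scope that saves and swaps a process-wide callback must itself guarantee that the callback has been initialized, rather than relying on some other object having run the one-time setup first, and why a preceding XML parse masks the bug (the reason the layout test is marked runSingly=true).

```cpp
#include <cstdio>
#include <functional>
#include <optional>
#include <string>

// Process-wide parser state. In WebCore these are genuine globals (WebCore::defaultEntityLoader
// and libxml2's current external entity loader); the example bundles them in a struct so each
// scenario below starts from a pristine "nothing parsed yet" process. Hypothetical type.
struct ParserLibrary {
    using EntityLoader = std::function<std::optional<std::string>(const std::string& url)>;

    EntityLoader defaultEntityLoader;  // filled in by initializeXMLParser(); empty until then
    EntityLoader currentEntityLoader;  // what the library invokes when an entity must be fetched
    bool initialized = false;

    // Stands in for initializeXMLParser(): idempotent one-time setup.
    void initializeXMLParser() {
        if (initialized)
            return;
        initialized = true;
        defaultEntityLoader = [](const std::string& url) {
            return std::optional<std::string>("<!-- fetched " + url + " -->");
        };
        currentEntityLoader = defaultEntityLoader;
    }

    // Stands in for WebCore::externalEntityLoader(), which forwards to defaultEntityLoader.
    // The commit adds a RELEASE_ASSERT on this pointer; the model returns nullopt instead so
    // the pre-fix failure is observable without crashing the process.
    std::optional<std::string> externalEntityLoader(const std::string& url) {
        if (!defaultEntityLoader)
            return std::nullopt;  // the null dereference of the original bug happens here
        return defaultEntityLoader(url);
    }
};

// Stands in for XMLParserContext: before the fix, the only caller of initializeXMLParser().
struct XMLParserContext {
    explicit XMLParserContext(ParserLibrary& lib) { lib.initializeXMLParser(); }
};

// Stands in for XMLDocumentParserScope: RAII swap of the entity loader, restored on exit.
// `applyFix` (hypothetical) selects the pre-fix (false) or post-fix (true) constructor body.
class XMLDocumentParserScope {
public:
    XMLDocumentParserScope(ParserLibrary& lib, bool applyFix)
        : m_lib(lib)
    {
        if (applyFix)
            m_lib.initializeXMLParser();  // the fix: guarantee init before touching the loader
        m_oldEntityLoader = m_lib.currentEntityLoader;
        m_lib.currentEntityLoader = [&lib](const std::string& url) {
            return lib.externalEntityLoader(url);
        };
    }
    ~XMLDocumentParserScope() { m_lib.currentEntityLoader = m_oldEntityLoader; }

private:
    ParserLibrary& m_lib;
    ParserLibrary::EntityLoader m_oldEntityLoader;
};

// XSLTProcessor.transformToFragment() with no XML document parsed first: a scope is entered
// and the stylesheet's document loader (docLoaderFunc) asks for an entity. Returns true when
// the entity load succeeds, false where the original code crashed.
bool transformToFragmentWithoutPriorParse(bool applyFix)
{
    ParserLibrary lib;  // pristine process: no XMLParserContext has ever been constructed
    XMLDocumentParserScope scope(lib, applyFix);
    return lib.currentEntityLoader("imported-stylesheet.xsl").has_value();
}

// The same call after any XML has been parsed: an earlier parse initializes the library and
// masks the bug, which is why the layout test must run alone (runSingly=true).
bool transformToFragmentAfterPriorParse(bool applyFix)
{
    ParserLibrary lib;
    XMLParserContext context(lib);  // parsing XML runs initializeXMLParser()
    XMLDocumentParserScope scope(lib, applyFix);
    return lib.currentEntityLoader("imported-stylesheet.xsl").has_value();
}

int main()
{
    std::printf("no prior parse, pre-fix scope:  %s\n", transformToFragmentWithoutPriorParse(false) ? "ok" : "would crash");
    std::printf("no prior parse, post-fix scope: %s\n", transformToFragmentWithoutPriorParse(true) ? "ok" : "would crash");
    std::printf("prior parse, pre-fix scope:     %s\n", transformToFragmentAfterPriorParse(false) ? "ok" : "would crash");
    return 0;
}
```

The design point carried over from the real fix: initializeXMLParser() is idempotent, so calling it from every entry point that touches the global (both the parser context and the scope) costs nothing on the common path and removes the dependence on which object happened to be constructed first in the process.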

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes