Title: [120617] trunk
Revision: 120617
Author: commit-qu...@webkit.org
Date: 2012-06-18 12:51:12 -0700 (Mon, 18 Jun 2012)

Log Message

Crash in CSPSource::parseSource
https://bugs.webkit.org/show_bug.cgi?id=89353

Patch by Mike West <mk...@chromium.org> on 2012-06-18
Reviewed by Adam Barth.

Source/WebCore:

Test: http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta.html

* page/ContentSecurityPolicy.cpp:
(WebCore::CSPSourceList::parseSource):
    Checking that we're not past the end of the string before deref.

LayoutTests:

* http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (120616 => 120617)


--- trunk/LayoutTests/ChangeLog	2012-06-18 19:30:33 UTC (rev 120616)
+++ trunk/LayoutTests/ChangeLog	2012-06-18 19:51:12 UTC (rev 120617)
@@ -1,3 +1,12 @@
+2012-06-18  Mike West  <mk...@chromium.org>
+
+        Crash in CSPSource::parseSource
+        https://bugs.webkit.org/show_bug.cgi?id=89353
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta.html: Added.
+
 2012-06-18  Robert Hogan  <rob...@webkit.org>
 
         CSS 2.1 failure: table-height-algorithm-012 fails

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta-expected.txt (0 => 120617)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta-expected.txt	2012-06-18 19:51:12 UTC (rev 120617)
@@ -0,0 +1 @@
+This test passes if it doesn't crash.
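Review bot: this expected file does not match what the test page will dump. With testRunner.dumpAsText() the output is the text of the rendered page: the console's "Pass" or "Fail" line followed by the body's paragraph, which in source-list-parsing-malformed-meta.html reads "This test passes if the malformed meta tag doesn't cause a crash and the resource is blocked.", not "This test passes if it doesn't crash." Please regenerate the expectation from an actual run (so it also pins the "Pass" line, and a regression in blocking is caught rather than only a crash), or make the two sentences identical.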

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta.html (0 => 120617)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta.html	2012-06-18 19:51:12 UTC (rev 120617)
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="X-WebKit-CSP" content="connect-src http://localhost:8000"<script>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+</head>
+<body>
+<pre id="console"></pre>
+<script>
+function log(msg)
+{
+    document.getElementById("console").appendChild(document.createTextNode(msg + "\n"));
+}
+
+try {
+    var xhr = new XMLHttpRequest;
+    xhr.open("GET", "http://127.0.0.1:8000/xmlhttprequest/resources/get.txt", true); 
+    log("Fail");
+} catch(e) {
+    log("Pass");
+}
+
+</script>
+<p>This test passes if the malformed meta tag doesn't cause a crash and the resource is blocked.</p>
+</body>
+</html>
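Review bot: the "Pass" branch relies on xhr.open() throwing synchronously for the connect-src violation; the test never calls send(), so if the policy is enforced at send time the log reads "Fail" even though blocking works. Either assert on the exception explicitly (log e.name or e.code alongside "Pass") or drop the Pass/Fail logging and keep this as a pure no-crash check, which is all the expected output currently claims. Minor: the line 'xhr.open("GET", "http://127.0.0.1:8000/xmlhttprequest/resources/get.txt", true); ' carries trailing whitespace.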

Modified: trunk/Source/WebCore/ChangeLog (120616 => 120617)


--- trunk/Source/WebCore/ChangeLog	2012-06-18 19:30:33 UTC (rev 120616)
+++ trunk/Source/WebCore/ChangeLog	2012-06-18 19:51:12 UTC (rev 120617)
@@ -1,3 +1,16 @@
+2012-06-18  Mike West  <mk...@chromium.org>
+
+        Crash in CSPSource::parseSource
+        https://bugs.webkit.org/show_bug.cgi?id=89353
+
+        Reviewed by Adam Barth.
+
+        Test: http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta.html
+
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::CSPSourceList::parseSource):
+            Checking that we're not past the end of the string before deref.
+
 2012-06-18  Robert Hogan  <rob...@webkit.org>
 
         CSS 2.1 failure: table-height-algorithm-012 fails

Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.cpp (120616 => 120617)


--- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp	2012-06-18 19:30:33 UTC (rev 120616)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.cpp	2012-06-18 19:51:12 UTC (rev 120617)
@@ -314,7 +314,7 @@
         return parseHost(beginHost, position, host, hostHasWildcard);
     }
 
-    if (*position == '/') {
+    if (position < end && *position == '/') {
         // host/path || host/ || /
         //     ^            ^    ^
         if (!parseHost(beginHost, position, host, hostHasWildcard)
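Review bot: the added 'position < end &&' in "if (position < end && *position == '/')" is the right guard, but it is the first of four identical guards spread through this function, each one a separate chance to forget the bound. A single early check after the host parse (return when position == end, or a small helper that peeks at *position only when position < end) would make the invariant explicit once. It would also be worth a sentence in the ChangeLog on what the parser does with a source that ends exactly after the host, since with all four guards false control simply falls through to the code after them.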
@@ -324,7 +324,7 @@
         return true;
     }
 
-    if (*position == ':') {
+    if (position < end && *position == ':') {
         if (end - position == 1) {
             // scheme:
             //       ^
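Review bot: same guard pattern as the '/' branch above, so the helper or early-return suggestion applies here too. With 'position < end' now checked before "*position == ':'", the "end - position == 1" comparison on the next line is only reached while position is inside the buffer, which makes the "scheme:" case sound; previously it was only reached after the out-of-bounds read had already happened.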
@@ -345,15 +345,15 @@
             skipWhile<isNotColonOrSlash>(position, end);
         }
 
-        if (*position == ':') {
+        if (position < end && *position == ':') {
             // host:port || scheme://host:port
             //     ^                     ^
             beginPort = position;
             skipUntil(position, end, '/');
         }
     }
-    
-    if (*position == '/') {
+
+    if (position < end && *position == '/') {
         // scheme://host/path || scheme://host:port/path
         //              ^                          ^
         if (position == beginHost)
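Review bot: the guard at "if (position < end && *position == ':')" right after "skipWhile<isNotColonOrSlash>(position, end)" is the important one, because skipWhile can legitimately stop at end for a source with no port or path; a one-line comment saying so would stop a future cleanup from removing it. The "-    " / "+" pair is trailing-whitespace cleanup unrelated to the fix and inflates the diff. Finally, the new layout test feeds one malformed meta value through the parser while this function now has four separately guarded exits; one input per guarded branch (sources that terminate right after the host, after the port colon, and after the scheme://host prefix) would pin each one down.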
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes