WebKit Bugzilla
RESOLVED FIXED
Bug 15456
XML parser modifies the document when using foo.innerHtml = "some string"
https://bugs.webkit.org/show_bug.cgi?id=15456
Lars Knoll
Reported
2007-10-10 14:07:43 PDT
The XMLTokenizer.cpp has a constructor that takes a document fragment and parses XML into this fragment (which is used at least for handling innerHtml, maybe other places as well). While parsing this fragment, the parser calls lots of methods on the document, amongst others finishedParsing(), which can lead to memory corruption when innerHtml is used from within the onload handler.
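A simplified model of the re-entrancy the report describes, added here as an illustration (hypothetical toy classes, not WebKit's XMLTokenizer or the attached patch): the unguarded fragment parser forwards finishedParsing() to the owning Document while that Document's onload handler is still executing, so the lifecycle hook runs a second time; the guarded variant suppresses document-level callbacks whenever the tokenizer was created for a fragment.

```cpp
// Toy model of the innerHTML-from-onload re-entrancy; not WebKit code.
#include <functional>
#include <string>

struct Document {
    int finishedParsingCalls = 0;     // how often the lifecycle hook fired
    bool loadDispatched = false;
    std::function<void()> onload;     // user script run from finishedParsing()

    void finishedParsing() {
        ++finishedParsingCalls;
        // The toy model only counts the re-entrant call; in a real engine the
        // second call runs while the first is still on the stack, with the
        // parser state of the outer parse still live.
        if (loadDispatched)
            return;
        loadDispatched = true;
        if (onload) onload();
    }
};

// Mirrors the two tokenizer modes: whole-document parse, or XML parsed into
// a fragment (the innerHTML path).
struct Tokenizer {
    Document& doc;
    bool parsingFragment;
    bool guardDocumentCalls;  // the mitigation: no document-level callbacks in fragment mode

    void endDocument() {
        if (parsingFragment && guardDocumentCalls)
            return;           // a fragment parse must not drive the document lifecycle
        doc.finishedParsing();
    }
    void parse(const std::string& /*xml*/) { endDocument(); }
};

// Load a document whose onload handler assigns innerHTML and report how many
// times Document::finishedParsing() ran (2 unguarded, 1 guarded).
int finishedParsingCallsWithInnerHTMLInOnload(bool guarded) {
    Document doc;
    doc.onload = [&] {
        Tokenizer fragment{doc, /*parsingFragment=*/true, guarded};
        fragment.parse("<b>set from onload</b>");   // foo.innerHTML = "..."
    };
    Tokenizer main{doc, /*parsingFragment=*/false, guarded};
    main.parse("<html/>");
    return doc.finishedParsingCalls;
}
```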
Attachments
Protects some of the calls into the document (2.85 KB, patch), 2007-10-10 14:10 PDT, Lars Knoll, no flags
Test case for QXML (1.51 KB, application/xhtml+xml), 2007-10-11 01:22 PDT, Eric Seidel (no email), no flags
Lars Knoll
Comment 1
2007-10-10 14:10:56 PDT
Created attachment 16617 [details]
Protects some of the calls into the document

This patch fixes the memory corruption seen with LayoutTests/fast/innerHTML/innerHTML-script-tag-crash.xhtml. It does not, however, clean up all issues, and is untested for builds that use the libxml based parser. The main issues remaining are things related to XSLT support (see XMLTokenizer.cpp around line 1210).
Eric Seidel (no email)
Comment 2
2007-10-10 14:13:42 PDT
This is a reproducible memory smasher as demonstrated by the valgrind output:
http://paste.lisp.org/display/48987
Alexey Proskuryakov
Comment 3
2007-10-11 00:54:07 PDT
*** Bug 15455 has been marked as a duplicate of this bug. ***
Eric Seidel (no email)
Comment 4
2007-10-11 01:22:37 PDT
Created attachment 16624 [details]
Test case for QXML

After extensive investigation, I have decided that this bug does not affect the libxml based parser. These changes are not harmful to the libxml based parser, but they are not necessary. libxml doesn't set any of the touched methods as handlers during the parseXMLDocumentFragment codepath.
Mark Rowe (bdash)
Comment 5
2007-10-11 10:14:29 PDT
Has this been landed?
David Kilzer (:ddkilzer)
Comment 6
2007-10-12 05:23:35 PDT
(In reply to comment #5)
> Has this been landed?

Apparently it landed in r26356.
http://trac.webkit.org/projects/webkit/changeset/26356
I don't see any indication of a review in the ChangeLog, however. Perhaps the review was given via IRC?
Eric Seidel (no email)
Comment 7
2007-10-21 22:25:25 PDT
This can be closed.