15456 2007-10-10 14:07:43 -0700 XML parser modifies the document when using foo.innerHtml = "some string" 2007-10-21 22:25:25 -0700 1 1 1 Unclassified WebKit XML 523.x (Safari 3) Other OS X 10.4 RESOLVED FIXED P1 Major --- 1 lars.knoll webkit-unassigned ap staikos oldest_to_newest 58249 0 lars.knoll 2007-10-10 14:07:43 -0700 The XMLTokenizer.cpp has a constructor that takes a document fragment and parses XML into this fragment (which is used at least for handling innerHtml, maybe other places as well). While parsing this fragment, the parser calls lots of methods on the document, amongst others finishedParsing(), which can lead to memory corruption when innerHtml is used form within the onload handler. 58251 1 16617 lars.knoll 2007-10-10 14:10:56 -0700 Created attachment 16617 Protects some of the calls into the document This patch fixes the memory corruption seen with LayoutTests/fast/innerHTML/innerHTML-script-tag-crash.xhtml. It does however not clean up all issues, and is untested for builds that use the libxml based parser. The main issues remaining are things related to XSLT support (see XMLTokenizer.cpp around line 1210). 58252 2 eric 2007-10-10 14:13:42 -0700 This is a reproducible memory smasher as demonstrated by the valgrind output: http://paste.lisp.org/display/48987 58282 3 ap 2007-10-11 00:54:07 -0700 *** Bug 15455 has been marked as a duplicate of this bug. *** 58286 4 16624 eric 2007-10-11 01:22:37 -0700 Created attachment 16624 Test case for QXML After extensive investigation, I have decided that this bug does not affect the libxml based parser. These changes are not harmful to the libxml based parser, but they are not necessary. libxml doesn't set any of the touched methods as handlers during the parseXMLDocumentFragment codepath. 58303 5 mrowe 2007-10-11 10:14:29 -0700 Has this been landed? 58365 6 ddkilzer 2007-10-12 05:23:35 -0700 (In reply to comment #5) > Has this been landed? Apparently it landed in r26356. http://trac.webkit.org/projects/webkit/changeset/26356 I don't see any indication of a review in the ChangeLog, however. Perhaps the review was given via IRC? 59081 7 eric 2007-10-21 22:25:25 -0700 This can be closed. 16617 2007-10-10 14:10:56 -0700 2007-10-10 14:10:56 -0700 Protects some of the calls into the document diff text/plain 2921 lars.knoll ZGlmZiAtLWdpdCBhL1dlYkNvcmUvZG9tL1hNTFRva2VuaXplci5jcHAgYi9XZWJDb3JlL2RvbS9Y TUxUb2tlbml6ZXIuY3BwCmluZGV4IGJiMjBkNzMuLjRiMGU2MmIgMTAwNjQ0Ci0tLSBhL1dlYkNv cmUvZG9tL1hNTFRva2VuaXplci5jcHAKKysrIGIvV2ViQ29yZS9kb20vWE1MVG9rZW5pemVyLmNw cApAQCAtNTk4LDEwICs1OTgsMTIgQEAgYm9vbCBYTUxUb2tlbml6ZXI6OndyaXRlKGNvbnN0IFNl Z21lbnRlZFN0cmluZyYgcywgYm9vbCAvKmFwcGVuZERhdGEqLykKICAgICAgICAgICAgICAgICBT dHJpbmcgdmVyc2lvbiA9IGF0dHJzLmdldCgidmVyc2lvbiIpOwogICAgICAgICAgICAgICAgIFN0 cmluZyBlbmNvZGluZyA9IGF0dHJzLmdldCgiZW5jb2RpbmciKTsKICAgICAgICAgICAgICAgICBF eGNlcHRpb25Db2RlIGVjID0gMDsKLSAgICAgICAgICAgICAgICBpZiAoIXZlcnNpb24uaXNFbXB0 eSgpKQotICAgICAgICAgICAgICAgICAgICBtX2RvYy0+c2V0WE1MVmVyc2lvbih2ZXJzaW9uLCBl Yyk7Ci0gICAgICAgICAgICAgICAgaWYgKCFlbmNvZGluZy5pc0VtcHR5KCkpCi0gICAgICAgICAg ICAgICAgICAgIG1fZG9jLT5zZXRYTUxFbmNvZGluZyhlbmNvZGluZyk7CisgICAgICAgICAgICAg ICAgaWYgKCFtX3BhcnNpbmdGcmFnbWVudCkgeworICAgICAgICAgICAgICAgICAgICBpZiAoIXZl cnNpb24uaXNFbXB0eSgpKQorICAgICAgICAgICAgICAgICAgICAgICAgbV9kb2MtPnNldFhNTFZl cnNpb24odmVyc2lvbiwgZWMpOworICAgICAgICAgICAgICAgICAgICBpZiAoIWVuY29kaW5nLmlz RW1wdHkoKSkKKyAgICAgICAgICAgICAgICAgICAgICAgIG1fZG9jLT5zZXRYTUxFbmNvZGluZyhl bmNvZGluZyk7CisgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgfQogICAgICAgICB9CiAg ICAgICAgIG1fc3RyZWFtLmFkZERhdGEoZGF0YSk7CkBAIC05MjcsMTIgKzkyOSwxNCBAQCB2b2lk IFhNTFRva2VuaXplcjo6Y29tbWVudChjb25zdCB4bWxDaGFyKiBzKQogdm9pZCBYTUxUb2tlbml6 ZXI6OnN0YXJ0RG9jdW1lbnQoY29uc3QgeG1sQ2hhciogdmVyc2lvbiwgY29uc3QgeG1sQ2hhciog ZW5jb2RpbmcsIGludCBzdGFuZGFsb25lKQogewogICAgIEV4Y2VwdGlvbkNvZGUgZWMgPSAwOwot ICAgIAotICAgIGlmICh2ZXJzaW9uKQotICAgICAgICBtX2RvYy0+c2V0WE1MVmVyc2lvbih0b1N0 cmluZyh2ZXJzaW9uKSwgZWMpOwotICAgIG1fZG9jLT5zZXRYTUxTdGFuZGFsb25lKHN0YW5kYWxv bmUgPT0gMSwgZWMpOyAvLyBwb3NzaWJsZSB2YWx1ZXMgYXJlIDAsIDEsIGFuZCAtMQotICAgIGlm IChlbmNvZGluZykKLSAgICAgICAgbV9kb2MtPnNldFhNTEVuY29kaW5nKHRvU3RyaW5nKGVuY29k aW5nKSk7CisKKyAgICBpZiAoIW1fcGFyc2luZ0ZyYWdtZW50KSB7CisgICAgICAgIGlmICh2ZXJz aW9uKQorICAgICAgICAgICAgbV9kb2MtPnNldFhNTFZlcnNpb24odG9TdHJpbmcodmVyc2lvbiks IGVjKTsKKyAgICAgICAgbV9kb2MtPnNldFhNTFN0YW5kYWxvbmUoc3RhbmRhbG9uZSA9PSAxLCBl Yyk7IC8vIHBvc3NpYmxlIHZhbHVlcyBhcmUgMCwgMSwgYW5kIC0xCisgICAgICAgIGlmIChlbmNv ZGluZykKKyAgICAgICAgICAgIG1fZG9jLT5zZXRYTUxFbmNvZGluZyh0b1N0cmluZyhlbmNvZGlu ZykpOworICAgIH0KIH0KIAogdm9pZCBYTUxUb2tlbml6ZXI6OmludGVybmFsU3Vic2V0KGNvbnN0 IHhtbENoYXIqIG5hbWUsIGNvbnN0IHhtbENoYXIqIGV4dGVybmFsSUQsIGNvbnN0IHhtbENoYXIq IHN5c3RlbUlEKQpAQCAtMTIzNywxMSArMTI0MSwxMyBAQCB2b2lkIFhNTFRva2VuaXplcjo6ZW5k KCkKICAgICAgICAgaW5zZXJ0RXJyb3JNZXNzYWdlQmxvY2soKTsKICAgICBlbHNlIHsKICAgICAg ICAgZXhpdFRleHQoKTsKLSAgICAgICAgbV9kb2MtPnVwZGF0ZVN0eWxlU2VsZWN0b3IoKTsKKyAg ICAgICAgaWYgKCFtX3BhcnNpbmdGcmFnbWVudCkKKyAgICAgICAgICAgIG1fZG9jLT51cGRhdGVT dHlsZVNlbGVjdG9yKCk7CiAgICAgfQogICAgIAogICAgIHNldEN1cnJlbnROb2RlKDApOwotICAg IG1fZG9jLT5maW5pc2hlZFBhcnNpbmcoKTsgICAgCisgICAgaWYgKCFtX3BhcnNpbmdGcmFnbWVu dCkKKyAgICAgICAgbV9kb2MtPmZpbmlzaGVkUGFyc2luZygpOyAgICAKIH0KIAogdm9pZCBYTUxU b2tlbml6ZXI6OmZpbmlzaCgpCkBAIC0xNzE1LDcgKzE3MjEsOCBAQCB2b2lkIFhNTFRva2VuaXpl cjo6c3RhcnREb2N1bWVudCgpCiAgICAgaW5pdGlhbGl6ZVBhcnNlckNvbnRleHQoKTsKICAgICBF eGNlcHRpb25Db2RlIGVjID0gMDsKIAotICAgIG1fZG9jLT5zZXRYTUxTdGFuZGFsb25lKG1fc3Ry ZWFtLmlzU3RhbmRhbG9uZURvY3VtZW50KCksIGVjKTsKKyAgICBpZiAoIW1fcGFyc2luZ0ZyYWdt ZW50KQorICAgICAgICBtX2RvYy0+c2V0WE1MU3RhbmRhbG9uZShtX3N0cmVhbS5pc1N0YW5kYWxv bmVEb2N1bWVudCgpLCBlYyk7CiB9CiAKIHZvaWQgWE1MVG9rZW5pemVyOjpwYXJzZVN0YXJ0RWxl bWVudCgpCkBAIC0xOTc3LDcgKzE5ODQsOCBAQCB2b2lkIFhNTFRva2VuaXplcjo6cGFyc2VEdGQo KQogICAgICAgICB8fCAocHVibGljSWQgPT0gIi0vL1dBUEZPUlVNLy9EVEQgWEhUTUwgTW9iaWxl IDEuMC8vRU4iKSkgewogICAgICAgICBzZXRJc1hIVE1MRG9jdW1lbnQodHJ1ZSk7IC8vIGNvbnRy b2xzIGlmIHdlIHJlcGxhY2UgZW50aXRpZXMgb3Igbm90LgogICAgIH0KLSAgICBtX2RvYy0+c2V0 RG9jVHlwZShuZXcgRG9jdW1lbnRUeXBlKG1fZG9jLCBuYW1lLCBwdWJsaWNJZCwgc3lzdGVtSWQp KTsKKyAgICBpZiAoIW1fcGFyc2luZ0ZyYWdtZW50KQorICAgICAgICBtX2RvYy0+c2V0RG9jVHlw ZShuZXcgRG9jdW1lbnRUeXBlKG1fZG9jLCBuYW1lLCBwdWJsaWNJZCwgc3lzdGVtSWQpKTsKICAg ICAKIH0KICNlbmRpZgo= 16624 2007-10-11 01:22:37 -0700 2007-10-11 01:22:37 -0700 Test case for QXML script.xhtml application/xhtml+xml 1547 eric PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9InllcyI/Pgo8 IURPQ1RZUEUgaHRtbCBQVUJMSUMgIi0vL1czQy8vRFREIFhIVE1MIDEuMCBTdHJpY3QvL0VOIiAi aHR0cDovL3d3dy53My5vcmcvVFIveGh0bWwxL0RURC94aHRtbDEtc3RyaWN0LmR0ZCI+CjxodG1s IHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hodG1sIj4KPGRpdiBpZD0ibG9nIj48L2Rp dj4KPHNjcmlwdD48IVtDREFUQVsKICB2YXIgeGh0bWxOUyA9ICJodHRwOi8vd3d3LnczLm9yZy8x OTk5L3hodG1sIjsKICAKICB2YXIgbG9nRGl2ID0gZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoImxv ZyIpOwogIAogIGZ1bmN0aW9uIGRlYnVnTG9nKHMpIHsKICAgIHZhciBsb2dEaXYgPSBkb2N1bWVu dC5nZXRFbGVtZW50QnlJZCgibG9nIik7CiAgICBsb2dEaXYuYXBwZW5kQ2hpbGQoZG9jdW1lbnQu Y3JlYXRlVGV4dE5vZGUocykpOwogICAgbG9nRGl2LmFwcGVuZENoaWxkKGRvY3VtZW50LmNyZWF0 ZUVsZW1lbnROUygiaHR0cDovL3d3dy53My5vcmcvMTk5OS94aHRtbCIsICJiciIpKTsKICB9CiAg CiAgZGVidWdMb2coImRvY3VtZW50LnhtbEVuY29kaW5nIDogIiArIGRvY3VtZW50LnhtbEVuY29k aW5nKTsKICBkZWJ1Z0xvZygiZG9jdW1lbnQueG1sVmVyc2lvbiA6ICIgKyBkb2N1bWVudC54bWxW ZXJzaW9uKTsKICBkZWJ1Z0xvZygiZG9jdW1lbnQueG1sU3RhbmRhbG9uZSA6ICIgKyBkb2N1bWVu dC54bWxTdGFuZGFsb25lKTsKICBkZWJ1Z0xvZygiZG9jdW1lbnQucmVhZHlTdGF0ZSA6ICIgKyBk b2N1bWVudC5yZWFkeVN0YXRlKTsKICAKICAKICB2YXIgZGl2ID0gZG9jdW1lbnQuY3JlYXRlRWxl bWVudE5TKHhodG1sTlMsICJkaXYiKTsKCiAgdmFyIG5ld1hNTCA9ICcnCiAgbmV3WE1MICs9ICc8 P3htbCB2ZXJzaW9uPSIxLjAiPz4nOwogIG5ld1hNTCArPSAnPCFET0NUWVBFIGh0bWwgUFVCTElD ICItLy9XM0MvL0RURCBYSFRNTCAxLjAgU3RyaWN0Ly9FTiIgImh0dHA6Ly93d3cudzMub3JnL1RS L3hodG1sMS9EVEQveGh0bWwxLXN0cmljdC5kdGQiPicKICBuZXdYTUwgKz0gJzxodG1sIHhtbG5z PSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hodG1sIj4nOwogIG5ld1hNTCArPSAnPC9odG1sPic7 CgogIHRyeSB7CiAgICBkaXYuaW5uZXJIVE1MID0gbmV3WE1MOwogIH0gY2F0Y2ggKGUpIHsKICAg IGRlYnVnTG9nKCJkaXYuaW5uZXJIVE1MID0gdGhyZXcgZXhjZXB0aW9uOiAiICsgZSk7CiAgfSBm aW5hbGx5IHsKICAgIGRlYnVnTG9nKCJkb2N1bWVudC54bWxFbmNvZGluZyA6ICIgKyBkb2N1bWVu dC54bWxFbmNvZGluZyk7CiAgICBkZWJ1Z0xvZygiZG9jdW1lbnQueG1sVmVyc2lvbiA6ICIgKyBk b2N1bWVudC54bWxWZXJzaW9uKTsKICAgIGRlYnVnTG9nKCJkb2N1bWVudC54bWxTdGFuZGFsb25l IDogIiArIGRvY3VtZW50LnhtbFN0YW5kYWxvbmUpOwogICAgZGVidWdMb2coImRvY3VtZW50LnJl YWR5U3RhdGUgOiAiICsgZG9jdW1lbnQucmVhZHlTdGF0ZSk7CiAgfQogIApdXT48L3NjcmlwdD4K PC9odG1sPgo=