Bug 40265

Summary: Fix XFrameOptions and xssAuditor crashes in HTML5 parser
Product: WebKit Reporter: Adam Barth <abarth>
Component: New Bugs
Assignee: Adam Barth <abarth>
Status: RESOLVED FIXED    
Severity: Normal CC: eric
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Other   
OS: OS X 10.5   
Bug Depends on:    
Bug Blocks: 39259    
Attachments:
Description Flags
Patch eric: review+

Description Adam Barth 2010-06-07 14:22:52 PDT
Fix XFrameOptions and xssAuditor crashes in HTML5 parser
Comment 1 Adam Barth 2010-06-07 14:26:37 PDT
Created attachment 58085 [details]
Patch
Comment 2 Eric Seidel (no email) 2010-06-07 14:43:11 PDT
Comment on attachment 58085 [details]
Patch

WebCore/html/HTML5Tokenizer.cpp:47
 +          *m_counter = *m_counter + 1;
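Review bot: since the increment at line 47 and the matching decrement at line 52 presumably sit in the constructor and destructor of the NestingLevelIncrementer used at line 105, the class should be made non-copyable (WTF's Noncopyable); a copied guard would decrement the same counter twice on scope exit and leave the nesting level too low, which is the condition the counter exists to detect. `++*m_counter` / `--*m_counter` is the idiomatic spelling once the pointer dereference is there.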
+= 1?

WebCore/html/HTML5Tokenizer.cpp:52
 +          *m_counter = *m_counter - 1;
-= 1?  -- and ++ might work for (*m_counter)++, I'm not sure.

WebCore/html/HTML5Tokenizer.cpp:105
 +      NestingLevelIncrementer nestingLevelIncrementer(m_writeNestingLevel);
Seems like we want to use this in other places too eventually. :)

WebCore/html/HTML5Tokenizer.cpp:140
 +      if (!m_source.isEmpty() || isWaitingForScripts() || executingScript() || !m_endWasDelayed)
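Review bot: `!m_endWasDelayed` at line 140 is the cheapest operand and the one that is true in the common case, so it belongs first; as written, isWaitingForScripts() and executingScript() are evaluated on every call even when no end has been delayed. If this check can run while a NestingLevelIncrementer (line 105, same file) is still in scope, it should also require m_writeNestingLevel to be at its outermost value, otherwise a nested write could finish the parse while an outer write() still has state on the stack, which is the re-entrancy this patch is meant to guard against.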
m_endWasDelayed should be the first check, not the last.

WebCore/html/HTML5Tokenizer.cpp:143
 +      m_endWasDelayed = false;
Do we need to ASSERT in the destructor that we did end?

Seems better than we currently have, but probably not perfect yet.
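The pattern under review above, an RAII nesting counter around a re-entrant write() plus a deferred end(), as an added example that is not WebKit's code and not the patch itself. The ToyTokenizer, its ';'-separated grammar, the "script:" hook that stands in for script execution, and the re-implemented NestingLevelIncrementer are all assumptions made for illustration; the real HTML5Tokenizer is not shown here.

```cpp
#include <functional>
#include <string>
#include <utility>
#include <vector>

// RAII guard around a nesting counter: ++ on construction, -- on destruction,
// so every early return still balances the count. Non-copyable, otherwise a
// copy would decrement the same counter twice.
class NestingLevelIncrementer {
public:
    explicit NestingLevelIncrementer(unsigned& counter) : m_counter(&counter) { ++*m_counter; }
    ~NestingLevelIncrementer() { --*m_counter; }
    NestingLevelIncrementer(const NestingLevelIncrementer&) = delete;
    NestingLevelIncrementer& operator=(const NestingLevelIncrementer&) = delete;
private:
    unsigned* m_counter;
};

// Hypothetical ';'-separated tokenizer (not WebKit's HTML5Tokenizer). A token
// beginning with "script:" runs a caller-supplied hook, which models script
// execution during parsing and may re-enter write() and end().
class ToyTokenizer {
public:
    using ScriptHook = std::function<void(ToyTokenizer&, const std::string&)>;
    explicit ToyTokenizer(ScriptHook hook) : m_hook(std::move(hook)) {}

    void write(const std::string& source) {
        {
            NestingLevelIncrementer guard(m_writeNestingLevel);
            if (m_writeNestingLevel == 1)
                m_source += source;          // network data: append
            else
                m_source.insert(0, source);  // document.write: insertion point
            pumpTokenizer();
        }
        // Only once the outermost write() has unwound is it safe to finish.
        if (m_writeNestingLevel == 0)
            endIfDelayed();
    }

    // Called when the loader has no more data. If a write() is on the stack,
    // the end is deferred instead of tearing the parser down underneath it.
    void end() {
        if (m_writeNestingLevel > 0) {
            m_endWasDelayed = true;
            return;
        }
        finish();
    }

    const std::vector<std::string>& tokens() const { return m_tokens; }
    bool ended() const { return m_ended; }
    unsigned writeNestingLevel() const { return m_writeNestingLevel; }

private:
    void pumpTokenizer() {
        // Re-read m_source every iteration: a nested write() may have changed it.
        std::string::size_type semi;
        while ((semi = m_source.find(';')) != std::string::npos) {
            std::string token = m_source.substr(0, semi);
            m_source.erase(0, semi + 1);
            m_tokens.push_back(token);
            if (token.compare(0, 7, "script:") == 0 && m_hook)
                m_hook(*this, token);
        }
    }

    void endIfDelayed() {
        // Cheapest check first, then "is there still unconsumed input".
        if (!m_endWasDelayed || !m_source.empty())
            return;
        m_endWasDelayed = false;
        finish();
    }

    void finish() {
        m_ended = true;
        m_tokens.push_back("EOF");
    }

    ScriptHook m_hook;
    std::string m_source;
    std::vector<std::string> m_tokens;
    unsigned m_writeNestingLevel = 0;
    bool m_endWasDelayed = false;
    bool m_ended = false;
};

// Constructed scenario: the script token re-enters write() (document.write)
// and then the loader reports end-of-data while the outer write() is still
// on the stack. The end is delayed and applied after the outer write unwinds.
std::vector<std::string> runReentrantScenario() {
    ToyTokenizer tokenizer([](ToyTokenizer& t, const std::string&) {
        t.write("b;");
        t.end();
    });
    tokenizer.write("a;script:inject;c;");
    return tokenizer.tokens();
}

unsigned nestingLevelAfterScenario() {
    ToyTokenizer tokenizer([](ToyTokenizer& t, const std::string&) { t.write("b;"); });
    tokenizer.write("a;script:inject;c;");
    return tokenizer.writeNestingLevel();
}
```

The guard is scoped so that the delayed-end check runs only after the counter has returned to zero; doing the check while the guard is still alive would let a nested write finish the parse under its caller.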
Comment 3 Adam Barth 2010-06-07 14:53:25 PDT
Committed r60802: <http://trac.webkit.org/changeset/60802>