Bug 5538

Summary: XSLT crashes with multi-word internal entity declarations
Product: WebKit Reporter: Eric Seidel (no email) <eric>
Component: XMLAssignee: Darin Adler <darin>
Status: RESOLVED FIXED    
Severity: Normal    
Priority: P1    
Version: 420+   
Hardware: Mac   
OS: OS X 10.4   
Attachments:
Description Flags
Patch containing reduced test case.
none
add node type checks eric: review+

Eric Seidel (no email)
Reported 2005-10-29 01:14:54 PDT
XSLT crashes with multi-word internal entity delcarations. See attached test case. Crashes WebKit every time. This is also in radar: <rdar://problem/4271835> CRASH: Safari crashes when processing XSL containing ENTITY values
Attachments
Patch containing reduced test case. (940 bytes, patch)
2005-10-29 01:15 PDT, Eric Seidel (no email) 		no flags
DetailsFormatted DiffDiff
add node type checks (4.66 KB, patch)
2005-12-11 19:59 PST, Darin Adler 		eric: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Eric Seidel (no email)
Comment 1 2005-10-29 01:15:55 PDT
Created attachment 4516 [details] Patch containing reduced test case.
Darin Adler
Comment 2 2005-12-11 19:22:51 PST
Crash is due to code using the IS_XSLT_ELEM macro on a node that's actually an entity declaration. Perhaps it's a bug that IS_XSLT_ELEM doesn't work properly in that case, but more likely there's some subtle rule about when you can use that macro. Apparently, many XML nodes don't have any of the fields in the xmlNode structure past the "common part", so it's strange that xmlNode includes these fields and strange that IS_XSLT_ELEM looks at the "ns" field without first checking the element type. Fix is presumably to check the element type before calling IS_XSLT_ELEM. Perhaps also libxslt should have that macro fixed so it works on any node.
Darin Adler
Comment 3 2005-12-11 19:59:38 PST
Created attachment 5046 [details] add node type checks
Eric Seidel (no email)
Comment 4 2005-12-11 20:12:57 PST
Comment on attachment 5046 [details] add node type checks Looks good. r=me. (Thanks for fixing this, btw.)
Note You need to log in before you can comment on or make changes to this bug.