273735 – REGRESSION (277924@main): nullptr deref crash calling XSLTProcessor.transformToFragment() before parsing XML

Bug 273735 - REGRESSION (277924@main): nullptr deref crash calling XSLTProcessor.transformToFragment() before parsing XML

Summary: REGRESSION (277924@main): nullptr deref crash calling XSLTProcessor.transform...

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	XML (show other bugs)
Version:	Other
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	David Kilzer (:ddkilzer)

URL:
Keywords:	InRadar

Depends on:	273106
Blocks:
	Show dependency tree / graph

Reported:	2024-05-04 10:08 PDT by David Kilzer (:ddkilzer)
Modified:	2024-05-04 11:07 PDT (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description David Kilzer (:ddkilzer) 2024-05-04 10:08:44 PDT

A nullptr deref crash occurs when calling XSLTProcessor.transformToFragment() before any XML document is parsed because WebCore::defaultEntityLoader was not initialized.

Regressed with:

    REGRESSION (269108@main): Same-origin XSLT document() loads fail
    <https://bugs.webkit.org/show_bug.cgi?id=273106>
    <rdar://126897034>
    <https://commits.webkit.org/277924@main>

<rdar://127496002>

Comment 1 David Kilzer (:ddkilzer) 2024-05-04 11:07:16 PDT

Pull request: https://github.com/WebKit/WebKit/pull/28147