Bug 40265 - Fix XFrameOptions and xssAuditor crashes in HTML5 parser
Summary: Fix XFrameOptions and xssAuditor crashes in HTML5 parser
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: Other OS X 10.5
Importance: P2 Normal
Assignee: Adam Barth
URL:
Keywords:
Depends on:
Blocks: 39259
Reported: 2010-06-07 14:22 PDT by Adam Barth
Modified: 2010-06-07 14:53 PDT

See Also:


Attachments
Patch (5.95 KB, patch)
2010-06-07 14:26 PDT, Adam Barth
eric: review+

Description Adam Barth 2010-06-07 14:22:52 PDT
Fix XFrameOptions and xssAuditor crashes in HTML5 parser
Comment 1 Adam Barth 2010-06-07 14:26:37 PDT
Created attachment 58085 [details]
Patch
Comment 2 Eric Seidel (no email) 2010-06-07 14:43:11 PDT
Comment on attachment 58085 [details]
Patch

WebCore/html/HTML5Tokenizer.cpp:47
 +          *m_counter = *m_counter + 1;
+= 1?

WebCore/html/HTML5Tokenizer.cpp:52
 +          *m_counter = *m_counter - 1;
-= 1?  -- and ++ might work for (*m_counter)++, I'm not sure.

WebCore/html/HTML5Tokenizer.cpp:105
 +      NestingLevelIncrementer nestingLevelIncrementer(m_writeNestingLevel);
Seems like we want to use this in other places too eventually. :)

WebCore/html/HTML5Tokenizer.cpp:140
 +      if (!m_source.isEmpty() || isWaitingForScripts() || executingScript() || !m_endWasDelayed)
m_endWasDelayed should be the first check, not the last.

WebCore/html/HTML5Tokenizer.cpp:143
 +      m_endWasDelayed = false;
Do we need to ASSERT in the destructor that we did end?

Seems better than we currently have, but probably not perfect yet.
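The pattern under review, as an added illustration rather than the patch's own code: an RAII nesting-level guard plus a delayed end(), so that a policy check (the X-Frame-Options and XSS auditor paths named in the bug title) which stops the document while write() is still on the stack does not tear the tokenizer down underneath its caller. DelayedEndTokenizer and the "<stop>" trigger are constructed for this example; only NestingLevelIncrementer, m_writeNestingLevel and m_endWasDelayed are names from the page.

```cpp
#include <string>
// RAII guard: ++ on entry, -- on exit, so an early return or a nested call can
// never leave the counter unbalanced (the ++/-- form Eric asks about).
class NestingLevelIncrementer {
public:
    explicit NestingLevelIncrementer(unsigned& counter) : m_counter(counter) { ++m_counter; }
    ~NestingLevelIncrementer() { --m_counter; }
private:
    unsigned& m_counter;
};
// Constructed stand-in for the tokenizer's write()/end() bookkeeping (not WebKit's HTML5Tokenizer).
class DelayedEndTokenizer {
public:
    void write(const std::string& source) {
        {
            NestingLevelIncrementer incrementer(m_writeNestingLevel);
            m_source += source;
            // Constructed trigger: "<stop>" stands in for a policy check
            // (X-Frame-Options, XSS auditor) ending the document mid-write.
            if (m_source.find("<stop>") != std::string::npos)
                end();
            m_source.clear();
        }
        attemptToEnd(); // nesting level is back to 0 here
    }
    // end() while a write is still on the stack is only recorded, not executed.
    void end() {
        if (m_writeNestingLevel) {
            m_endWasDelayed = true;
            m_delayedEndCount++;
            return;
        }
        m_finished = true;
    }
    bool finished() const { return m_finished; }
    unsigned delayedEndCount() const { return m_delayedEndCount; }
private:
    void attemptToEnd() {
        // Cheapest and most decisive check first, as the review suggests.
        if (!m_endWasDelayed || m_writeNestingLevel || !m_source.empty())
            return;
        m_endWasDelayed = false;
        m_finished = true;
    }
    std::string m_source;
    unsigned m_writeNestingLevel = 0;
    unsigned m_delayedEndCount = 0;
    bool m_endWasDelayed = false;
    bool m_finished = false;
};
```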
Comment 3 Adam Barth 2010-06-07 14:53:25 PDT
Committed r60802: <http://trac.webkit.org/changeset/60802>