[webkit-changes] [WebKit/WebKit] cbbffd: REGRESSION (277924 at main): nullptr deref crash call...
Commit Queue
noreply at github.com
Mon May 6 13:12:28 PDT 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: cbbffdafe0a9f188e1f87fdb4d528b0f153b2aa3
https://github.com/WebKit/WebKit/commit/cbbffdafe0a9f188e1f87fdb4d528b0f153b2aa3
Author: David Kilzer <ddkilzer at apple.com>
Date: 2024-05-06 (Mon, 06 May 2024)
Changed paths:
A LayoutTests/fast/xsl/xslt-transform-to-fragment-no-xml-parsing-crash-expected.txt
A LayoutTests/fast/xsl/xslt-transform-to-fragment-no-xml-parsing-crash.html
A LayoutTests/platform/glib/fast/xsl/xslt-transform-to-fragment-no-xml-parsing-crash-expected.txt
M Source/WebCore/xml/parser/XMLDocumentParser.h
M Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp
M Source/WebCore/xml/parser/XMLDocumentParserScope.cpp
Log Message:
-----------
REGRESSION (277924 at main): nullptr deref crash calling XSLTProcessor.transformToFragment() before parsing XML
<https://bugs.webkit.org/show_bug.cgi?id=273735>
<rdar://127496002>
Reviewed by Alex Christensen.
If docLoaderFunc() in XSLTProcessorLibxslt.cpp was called before an XML
document was parsed, the WebCore::defaultEntityLoader global would not
be initialized, which could result in a nullptr dereference crash.
The fix is to call initializeXMLParser() in XMLDocumentParserScope()
constructors since there are cases where XMLDocumentParserScope is used
but XMLParserContext (the only place where initializeXMLParser() was
called previously) is not.
Test: fast/xsl/xslt-transform-to-fragment-no-xml-parsing-crash.html
* LayoutTests/fast/xsl/xslt-transform-to-fragment-no-xml-parsing-crash-expected.txt: Add.
* LayoutTests/fast/xsl/xslt-transform-to-fragment-no-xml-parsing-crash.html: Add.
- Test is marked "runSingly=true" since parsing any XML content before
running the test avoids the crash.
* LayoutTests/platform/glib/fast/xsl/xslt-transform-to-fragment-no-xml-parsing-crash-expected.txt: Add.
- Platform-specific results for GTK and WPE ports.
* Source/WebCore/xml/parser/XMLDocumentParser.h:
(WebCore::initializeXMLParser): Add declaration.
* Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:
(WebCore::externalEntityLoader):
- Add RELEASE_ASSERT() for the cause of the original crash.
(WebCore::initializeXMLParser):
- Remove static keyword so this can be called from
XMLDocumentParserScope() constructors.
* Source/WebCore/xml/parser/XMLDocumentParserScope.cpp:
(WebCore::XMLDocumentParserScope::XMLDocumentParserScope):
- Call initializeXMLParser() from constructors before setting
m_oldEntityLoader.
Canonical link: https://commits.webkit.org/278419@main
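The initialization-order hazard described in the log message, as an added illustration by the editor (this is not WebKit code and does not use libxml2): a global "default entity loader" that is only captured by a one-time initializeXMLParser(), an RAII scope class that saves and restores the installed loader, and a simulated XSLT document-loader path that runs inside that scope before any XML document has been parsed. All names are stand-ins for the ones in the commit; the "before" scope reproduces the missing initialization, the "after" scope adds the one call the fix introduces. Instead of crashing, the engine loader reports the nullptr condition so the scenarios can be compared.

```cpp
#include <iostream>
#include <string>

// Stand-in for libxml2's external entity loader callback type.
using EntityLoader = std::string (*)(const std::string& url);

// Hypothetical globals mirroring the pattern in the commit message:
// the library's original loader, captured once by initializeXMLParser(),
// and the loader currently installed in the (simulated) library.
static EntityLoader g_defaultEntityLoader = nullptr;   // stand-in for WebCore::defaultEntityLoader
static EntityLoader g_installedLoader = nullptr;       // what the library would report as current
static bool g_parserInitialized = false;

// The library's built-in loader (stand-in for libxml2's default behaviour).
static std::string libraryDefaultLoader(const std::string& url) {
    return "library:" + url;
}

// The engine's loader: does its own checks, then defers to the saved default.
// Before the fix this could run while g_defaultEntityLoader was still nullptr;
// the real code dereferenced it (the commit adds a RELEASE_ASSERT there),
// this illustration reports the condition instead of crashing.
static std::string engineEntityLoader(const std::string& url) {
    if (!g_defaultEntityLoader)
        return "<would dereference nullptr>";
    return "engine(" + g_defaultEntityLoader(url) + ")";
}

// One-time parser init: capture the library default, install the engine's loader.
// In the real code this was only reached through XMLParserContext, i.e. when
// an XML document was actually parsed.
static void initializeXMLParser() {
    if (g_parserInitialized) return;
    g_parserInitialized = true;
    g_defaultEntityLoader = g_installedLoader;
    g_installedLoader = engineEntityLoader;
}

// Reset the simulated process so each scenario starts "before any XML was parsed".
static void resetSimulatedProcess() {
    g_defaultEntityLoader = nullptr;
    g_installedLoader = libraryDefaultLoader;
    g_parserInitialized = false;
}

// RAII scope as it was before the fix: saves/restores the installed loader,
// but does not guarantee initializeXMLParser() has run.
class ScopeBeforeFix {
public:
    explicit ScopeBeforeFix(EntityLoader loader) : m_old(g_installedLoader) { g_installedLoader = loader; }
    ~ScopeBeforeFix() { g_installedLoader = m_old; }
private:
    EntityLoader m_old;
};

// RAII scope after the fix: initialize first, then save the old loader.
class ScopeAfterFix {
public:
    explicit ScopeAfterFix(EntityLoader loader) {
        initializeXMLParser();          // the fix: ensure init before touching loader state
        m_old = g_installedLoader;
        g_installedLoader = loader;
    }
    ~ScopeAfterFix() { g_installedLoader = m_old; }
private:
    EntityLoader m_old;
};

// Simulated XSLT document-loader callback: enters a parser scope and resolves
// an external entity through the engine's loader. `parseXmlFirst` models the
// "any earlier XML parsing hides the crash" observation behind runSingly=true.
template <typename Scope>
static std::string transformToFragment(const std::string& entityUrl, bool parseXmlFirst) {
    resetSimulatedProcess();
    if (parseXmlFirst)
        initializeXMLParser();
    Scope scope(engineEntityLoader);
    return engineEntityLoader(entityUrl);
}

// The three scenarios a reviewer would want to compare.
std::string crashingPathBeforeFix()            { return transformToFragment<ScopeBeforeFix>("ext.dtd", false); }
std::string pathBeforeFixAfterSomeXmlParsed()  { return transformToFragment<ScopeBeforeFix>("ext.dtd", true);  }
std::string pathAfterFix()                     { return transformToFragment<ScopeAfterFix>("ext.dtd", false);  }

int main() {
    std::cout << "before fix, no XML parsed yet:   " << crashingPathBeforeFix() << "\n";
    std::cout << "before fix, some XML parsed:     " << pathBeforeFixAfterSomeXmlParsed() << "\n";
    std::cout << "after fix, no XML parsed yet:    " << pathAfterFix() << "\n";
    return 0;
}
```

The second scenario is why a layout test for this class of bug has to run in a fresh process: any earlier test that parsed XML would have performed the one-time initialization and masked the missing call.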