[Webkit-unassigned] [Bug 15715] New: Nested XSL stylesheets can produce memory corruption
bugzilla-daemon at webkit.org
Fri Oct 26 14:55:23 PDT 2007
http://bugs.webkit.org/show_bug.cgi?id=15715
Summary: Nested XSL stylesheets can produce memory corruption
Product: WebKit
Version: 523.x+ (nightly)
Platform: PC
OS/Version: Windows XP
Status: UNCONFIRMED
Severity: Major
Priority: P2
Component: XML
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: myrdred at gmail.com
libxml, after it loads and parses a document, goes through a postprocessing
phase where it replaces some or all of the strings in the document with
pointers to a dictionary it builds. When an XML document is transformed by a
stylesheet, it will end up with references to strings in the stylesheet's
dictionary. When the XML doc is destroyed, each node is checked to see if the
address of its pointer resides in space managed by the internal dictionary. If
not, libxml knows it can safely free the memory.
Current behavior is for nested stylesheets to load and parse as separate
documents. When the stylesheet is applied, the transformed document can get
references to both stylesheets. When the destructor is called, the node
traversal checks strings only against the parent stylesheet's dictionary, not
the nested stylesheet. When it gets to a node that has a pointer to the child
stylesheet's dictionary, the mechanism for checking whether a node contains a
string allocated by the model or a pointer to a dictionary fails, and free() is
called on memory that we don't want freed, and which may never have been
malloc'd to begin with. Fix attached.
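The ownership check the report describes, as an added, self-contained model (this is not libxml2's, libxslt's or WebKit's code, and the attached fix is not reproduced here). The toy `Dict` below interns strings into one contiguous pool and decides ownership by address range, the same principle libxml2's `xmlDictOwns()` uses; `must_free()` is the destructor's decision, and `count_invalid_frees()` builds the three-node scenario from the report (a malloc'd name, a name from the parent stylesheet's dictionary, a name from the nested stylesheet's dictionary) and counts how many dictionary-owned pointers the destructor would hand to `free()`. All names, pool sizes and element names are constructed for the example:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of a libxml2-style string dictionary (assumed, not libxml2's code):
 * interned strings live in one contiguous pool and ownership of a pointer is
 * decided purely by address range, as xmlDictOwns() does for its pools. */
typedef struct {
    char  *pool;
    size_t used;
    size_t cap;
} Dict;

static Dict *dict_create(size_t cap) {
    Dict *d = malloc(sizeof *d);
    d->pool = malloc(cap);
    d->used = 0;
    d->cap  = cap;
    return d;
}

/* Intern a string: return the existing copy, or append a new one to the pool. */
static const char *dict_lookup(Dict *d, const char *s) {
    size_t len = strlen(s) + 1, off = 0;
    while (off < d->used) {
        if (strcmp(d->pool + off, s) == 0) return d->pool + off;
        off += strlen(d->pool + off) + 1;
    }
    if (d->used + len > d->cap) return NULL;   /* pool full; a real dict would grow */
    memcpy(d->pool + d->used, s, len);
    d->used += len;
    return d->pool + d->used - len;
}

/* Address-range ownership test: is s an interior pointer into this pool? */
static int dict_owns(const Dict *d, const char *s) {
    return s >= d->pool && s < d->pool + d->cap;
}

static void dict_free(Dict *d) { free(d->pool); free(d); }

/* The destructor's decision: a node string is freed unless one of the
 * dictionaries the destructor knows about owns it. */
static int must_free(const char *s, Dict *const *known, size_t nknown) {
    for (size_t i = 0; i < nknown; i++)
        if (dict_owns(known[i], s)) return 0;
    return 1;
}

/* Build the scenario from the report and count dictionary-owned strings the
 * destructor would pass to free(). know_nested = 0 models the check that only
 * consults the parent stylesheet's dictionary; 1 models checking both. */
int count_invalid_frees(int know_nested) {
    Dict *parent = dict_create(256);   /* parent stylesheet's dictionary */
    Dict *nested = dict_create(256);   /* nested stylesheet's dictionary */
    Dict *all[2] = { parent, nested };

    /* Three nodes of the transformed document (constructed names). */
    const char *names[3];
    char *heap = malloc(strlen("result-element") + 1);
    strcpy(heap, "result-element");
    names[0] = heap;                                  /* genuinely malloc'd */
    names[1] = dict_lookup(parent, "xsl:template");   /* owned by parent dict */
    names[2] = dict_lookup(nested, "xsl:import");     /* owned by nested dict */

    size_t nknown = know_nested ? 2 : 1;
    int invalid = 0;
    for (int i = 0; i < 3; i++) {
        int wants_free = must_free(names[i], all, nknown);
        int dict_owned = dict_owns(parent, names[i]) || dict_owns(nested, names[i]);
        if (wants_free && dict_owned)
            invalid++;                /* free() on an interior pool pointer: never malloc'd */
        else if (wants_free)
            free((char *)names[i]);   /* a real heap string: safe to free */
    }
    dict_free(parent);
    dict_free(nested);
    return invalid;
}

int main(void) {
    printf("parent dict only:  %d invalid free(s)\n", count_invalid_frees(0));
    printf("parent + nested:   %d invalid free(s)\n", count_invalid_frees(1));
    return 0;
}
```

The model deliberately counts the bad decision instead of executing it: calling `free()` on a pointer into the middle of a pool is undefined behaviour, and with a modern allocator it typically aborts, which is exactly the memory-corruption symptom the report describes. The fix the reporter attaches is not shown here; the `know_nested = 1` path only illustrates that the check must consult every dictionary the transformed document can reference.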