[Webkit-unassigned] [Bug 15715] New: Nested XSL stylesheets can produce memory corruption

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Oct 26 14:55:23 PDT 2007


http://bugs.webkit.org/show_bug.cgi?id=15715

           Summary: Nested XSL stylesheets can produce memory corruption
           Product: WebKit
           Version: 523.x+ (nightly)
          Platform: PC
        OS/Version: Windows XP
            Status: UNCONFIRMED
          Severity: Major
          Priority: P2
         Component: XML
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: myrdred at gmail.com


libxml, after it loads and parses a document, goes through a postprocessing
phase where it replaces some or all of the strings in the document with
pointers to a dictionary it builds. When an XML document is transformed by a
stylesheet, it will end up with references to strings in the stylesheet's
dictionary. When the XML doc is destroyed, each node is checked to see if the
address of its pointer resides in space managed by the internal dictionary. If
not, libxml knows it can safely free the memory.

Current behavior is for nested stylesheets to load and parse as separate
documents. When the stylesheet is applied, the transformed document can get
references to both stylesheets. When the destructor is called, the node
traversal checks strings only against the parent stylesheet's dictionary, not
the nested stylesheet. When it gets to a node that has a pointer to the child
stylesheet's dictionary, the mechanism for checking whether a node contains a
string allocated by the model or a pointer to a dictionary fails, and free() is
called on memory that we don't want freed, and which may never have been
malloc'd to begin with. Fix attached.


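The ownership check the report describes, modelled with a toy dictionary as an added illustration (this is not libxml's code nor the attached fix): a destructor that tests node strings only against the parent stylesheet's dictionary decides to free() a string that actually lives in the nested stylesheet's dictionary, while checking both dictionaries makes the right call. The Dict, Doc and release_decisions names and the sample strings are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>
/* Toy stand-in for libxml's string dictionary: one fixed arena. A string is
 * "owned" if its address lies inside the arena, the same address-range test
 * libxml uses to decide whether a node's string may be free()d. */
typedef struct { char arena[256]; size_t used; } Dict;
static const char *dict_intern(Dict *d, const char *s) {
    size_t n = strlen(s) + 1;
    if (d->used + n > sizeof d->arena) return NULL;
    char *p = memcpy(d->arena + d->used, s, n);
    d->used += n;
    return p;
}
static int dict_owns(const Dict *d, const char *s) {
    return s >= d->arena && s < d->arena + sizeof d->arena;
}
typedef struct { const char *strs[8]; int n; } Doc;  /* a doc = its node strings */

/* Destructor logic from the report: free every string no known dictionary
 * owns. Returns how many strings it decided to free; with dry_run set it only
 * counts, so a wrong decision is observable without corrupting memory. */
static int doc_release(Doc *doc, Dict **dicts, int ndicts, int dry_run) {
    int freed = 0;
    for (int i = 0; i < doc->n; i++) {
        int owned = 0;
        for (int j = 0; j < ndicts; j++)
            owned |= dict_owns(dicts[j], doc->strs[i]);
        if (owned) continue;
        if (!dry_run) free((char *)doc->strs[i]);
        freed++;
    }
    return freed;
}
/* Constructed transformed document: one malloc'd string, one interned in the
 * parent stylesheet's dict, one in the nested stylesheet's. Returns the number
 * of free() decisions when the destructor checks only the parent dict
 * (check_child == 0) or both (check_child == 1). */
int release_decisions(int check_child) {
    static Dict parent, child;
    parent.used = child.used = 0;
    char *heap = malloc(10); memcpy(heap, "text-node", 10);  /* freeable */
    Doc doc = { { heap, dict_intern(&parent, "xsl:template"),
                  dict_intern(&child, "xsl:include") }, 3 };
    Dict *dicts[2] = { &parent, &child };
    int n = doc_release(&doc, dicts, check_child ? 2 : 1, 1);
    free(heap);
    return n;  /* 2: the child-dict string is wrongly freed (the bug); 1: correct */
}
```

Run with dry_run cleared and only the parent dictionary, the same loop would hand a pointer into the child arena to free(), which is the memory corruption the report describes.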