[Webkit-unassigned] [Bug 15715] Nested XSL stylesheets can produce memory corruption

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Oct 29 12:39:45 PDT 2007

http://bugs.webkit.org/show_bug.cgi?id=15715


myrdred at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |myrdred at gmail.com

------- Comment #6 from myrdred at gmail.com  2007-10-29 12:39 PDT -------
Sorry it's taken so long to respond; I've been out of town.

Alexey: the problem can be seen quite easily by building WebKit and linking
with your own build of libxml2. The prebuilt libxml2 binary that WebKit ships
with does not reproduce the problem; I suspect that runtime heap checks are
turned off. With full heap checking, an assert is always triggered with a
non-empty nested stylesheet. The following reproduces it:

---

[test.xml]
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/xsl" href="test0.xsl"?>
<testing>
 <message>Hello, world!</message>
</testing>

[test0.xsl]
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0"
   xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 <xsl:import href="test1.xsl"/>
</xsl:stylesheet>

[test1.xsl]
<?xml version="1.0" encoding="utf-8"?>

<xsl:stylesheet version="1.0"
   xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

<xsl:template match="/">
 <html>
   <head>
     <title>Testing</title>
   </head>
   <body>
     <div id="kablammo">
       <b>FOO!</b>
     </div>
   </body>
 </html>
</xsl:template>

</xsl:stylesheet>

---

Eric, I wouldn't call this a bug in libxml2/libxslt (and believe me, I
seriously considered the possibility.) It could be resolved by making changes
to these libraries, but not very elegantly. The problem is that libxml loads
and parses a document either with its own dictionary (if it creates the parse
context) or with a shared dictionary (if a context is provided by the client).
By the time libxslt sees the doc, it's already been parsed, and its strings are
already in whichever dictionary they're going to be in. Since libxslt delegates
the loading of child stylesheets to the client, it's the client's
responsibility to ensure that the dictionaries are not disjoint. As for the
UTF-8 comment, I think I wasn't very clear... the current code didn't call
xmlCtxtReadDoc() at all, but rather xmlReadMemory(), which will happily take
buffers with any encoding you care to pass in. But in order to have the child
stylesheet share the parent's dictionary, we need to create the context
ourselves, and the only way that libxml exposes to do that is to use
xmlCtxtReadDoc(), which only works on UTF-8 (it takes a pointer to xmlChar),
which is why I was wondering why the function takes an encoding parameter at
all. That'd be something to take up with the gnome folks.

I'll look for you on IRC to talk about it.
