Bug 591330 - Make deep nesting prevention code in the HTML5 parser not crash when there are speculations involved. r=jonas, a=blocking2.0-betaN.

This commit is contained in:
Henri Sivonen
2010-09-06 10:41:26 +03:00
parent e8fb0fdb11
commit ea6b908bf5
10 changed files with 359 additions and 14 deletions


@@ -79,6 +79,8 @@ nsHtml5TreeBuilder::startTokenization(nsHtml5Tokenizer* self)
formPointer = nsnull;
;
headPointer = nsnull;
;
deepTreeSurrogateParent = nsnull;
start(fragment);
charBufferLen = 0;
charBuffer = jArray<PRUnichar,PRInt32>(1024);
@@ -532,6 +534,8 @@ nsHtml5TreeBuilder::endTokenization()
formPointer = nsnull;
;
headPointer = nsnull;
;
deepTreeSurrogateParent = nsnull;
if (stack) {
while (currentPtr > -1) {
stack[currentPtr]->release();
@@ -3811,7 +3815,7 @@ nsHtml5TreeBuilder::newSnapshot()
}
}
;
return new nsHtml5StateSnapshot(stackCopy, listCopy, formPointer, headPointer, mode, originalMode, framesetOk, inForeign, needToDropLF, quirks);
return new nsHtml5StateSnapshot(stackCopy, listCopy, formPointer, headPointer, deepTreeSurrogateParent, mode, originalMode, framesetOk, inForeign, needToDropLF, quirks);
}
PRBool
@@ -3821,7 +3825,7 @@ nsHtml5TreeBuilder::snapshotMatches(nsAHtml5TreeBuilderState* snapshot)
PRInt32 stackLen = snapshot->getStackLength();
jArray<nsHtml5StackNode*,PRInt32> listCopy = snapshot->getListOfActiveFormattingElements();
PRInt32 listLen = snapshot->getListOfActiveFormattingElementsLength();
if (stackLen != currentPtr + 1 || listLen != listPtr + 1 || formPointer != snapshot->getFormPointer() || headPointer != snapshot->getHeadPointer() || mode != snapshot->getMode() || originalMode != snapshot->getOriginalMode() || framesetOk != snapshot->isFramesetOk() || inForeign != snapshot->isInForeign() || needToDropLF != snapshot->isNeedToDropLF() || quirks != snapshot->isQuirks()) {
if (stackLen != currentPtr + 1 || listLen != listPtr + 1 || formPointer != snapshot->getFormPointer() || headPointer != snapshot->getHeadPointer() || deepTreeSurrogateParent != snapshot->getDeepTreeSurrogateParent() || mode != snapshot->getMode() || originalMode != snapshot->getOriginalMode() || framesetOk != snapshot->isFramesetOk() || inForeign != snapshot->isInForeign() || needToDropLF != snapshot->isNeedToDropLF() || quirks != snapshot->isQuirks()) {
return PR_FALSE;
}
for (PRInt32 i = listLen - 1; i >= 0; i--) {
@@ -3893,6 +3897,9 @@ nsHtml5TreeBuilder::loadState(nsAHtml5TreeBuilderState* snapshot, nsHtml5AtomTab
;
headPointer = snapshot->getHeadPointer();
;
;
deepTreeSurrogateParent = snapshot->getDeepTreeSurrogateParent();
;
mode = snapshot->getMode();
originalMode = snapshot->getOriginalMode();
framesetOk = snapshot->isFramesetOk();
@@ -3924,6 +3931,12 @@ nsHtml5TreeBuilder::getHeadPointer()
return headPointer;
}
nsIContent**
nsHtml5TreeBuilder::getDeepTreeSurrogateParent()
{
return deepTreeSurrogateParent;
}
jArray<nsHtml5StackNode*,PRInt32>
nsHtml5TreeBuilder::getListOfActiveFormattingElements()
{