Issue 720545

Issue metadata

Status: Fixed
Owner:
Closed: Aug 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug



"xhtml-mathml-dtd-entity" web platform tests trigger DCHECK fail in XMLDocumentParser

Project Member Reported by qyears...@chromium.org, May 10 2017

Issue description

Cc: -esprehn@chromium.org dominicc@chromium.org
This might be a security bug; that DCHECK seems to be checking the NUL termination of strings we pass into libxml.
Components: -Blink>HTML Blink>XML
Labels: -Pri-3 Pri-1
Owner: dominicc@chromium.org
Status: Assigned (was: Unconfirmed)
Thanks for all the links. I wonder if the string is empty and hence the DCHECK is confused or the caller is confused or something. Will take a look.
Owner: ----
Status: Available (was: Assigned)
Bulk disowning per sshruthi's email about bug triage best practices.

Comment 4 by tkent@chromium.org, Aug 25 2017

Owner: tkent@chromium.org
Status: Started (was: Available)

Comment 5 by bugdroid1@chromium.org, Aug 28 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3ad7ae1fa15072d13d29d0e1adc7600e572500b5

commit 3ad7ae1fa15072d13d29d0e1adc7600e572500b5
Author: Kent Tamura <tkent@chromium.org>
Date: Mon Aug 28 03:28:17 2017

Fix DCHECK failures in ConvertUTF16EntityToUTF8().

This DCHECK condition was wrong. |target| can have only a single
byte. e.g. &amp; is 0x26 in UTF-8.

Bug:  720545 
Change-Id: I84d59e526b75aae83caf051409e7b15662706ec8
Reviewed-on: https://chromium-review.googlesource.com/635106
Commit-Queue: Kent Tamura <tkent@chromium.org>
Reviewed-by: Dominic Cooney <dominicc@chromium.org>
Cr-Commit-Position: refs/heads/master@{#497692}
[modify] https://crrev.com/3ad7ae1fa15072d13d29d0e1adc7600e572500b5/third_party/WebKit/LayoutTests/TestExpectations
[modify] https://crrev.com/3ad7ae1fa15072d13d29d0e1adc7600e572500b5/third_party/WebKit/Source/core/xml/parser/XMLDocumentParser.cpp
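
The point made in the commit message above, as an added example that is not Chromium's code and not part of the original thread: a UTF-16 to UTF-8 entity encoder whose length check accepts the 1-byte ASCII case and still guarantees NUL termination. The function name `EncodeEntityAsUtf8`, its buffer contract and the single-code-point restriction are assumptions made for illustration; the actual DCHECK condition is not shown on this page.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical helper, not Chromium's ConvertUTF16EntityToUTF8(): encodes ONE
// code point given as UTF-16 code units into |target| as NUL-terminated UTF-8.
// Returns the byte count excluding the terminator, or 0 on any error.
size_t EncodeEntityAsUtf8(const char16_t* src, size_t src_len,
                          unsigned char* target, size_t target_size) {
  if (!src || !target || src_len == 0 || src_len > 2) return 0;
  uint32_t cp = src[0];
  if (cp >= 0xD800 && cp <= 0xDBFF) {
    // High surrogate: must be followed by exactly one low surrogate.
    if (src_len != 2 || src[1] < 0xDC00 || src[1] > 0xDFFF) return 0;
    cp = 0x10000 + ((cp - 0xD800) << 10) + (src[1] - 0xDC00);
  } else if (src_len != 1 || (cp >= 0xDC00 && cp <= 0xDFFF)) {
    return 0;  // trailing unit or lone low surrogate
  }
  // Valid UTF-8 for one code point is 1 to 4 bytes; 1 is the ASCII case.
  const size_t n = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
  if (target_size < n + 1) return 0;  // bytes plus terminator must fit
  unsigned char* p = target;
  if (n == 1) {
    *p++ = static_cast<unsigned char>(cp);  // e.g. '&' -> 0x26
  } else {
    static const unsigned char kLead[] = {0, 0, 0xC0, 0xE0, 0xF0};
    *p++ = static_cast<unsigned char>(kLead[n] | (cp >> (6 * (n - 1))));
    for (size_t i = n - 1; i-- > 0;)
      *p++ = static_cast<unsigned char>(0x80 | ((cp >> (6 * i)) & 0x3F));
  }
  *p = 0;  // a consumer that expects a C string gets a terminated one
  return n;
}

int main() {
  const char16_t amp[] = {0x0026};          // constructed sample: &amp;
  const char16_t scr[] = {0xD835, 0xDC9C};  // constructed sample: U+1D49C
  unsigned char buf[5];
  std::printf("amp -> %zu byte(s)\n", EncodeEntityAsUtf8(amp, 1, buf, sizeof buf));
  std::printf("scr -> %zu byte(s)\n", EncodeEntityAsUtf8(scr, 2, buf, sizeof buf));
  return 0;
}
```
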

Comment 6 by tkent@chromium.org, Aug 28 2017

Status: Fixed (was: Started)
