diff options
Diffstat (limited to 'WebCore/dom/XMLTokenizer.cpp')
| -rw-r--r-- | WebCore/dom/XMLTokenizer.cpp | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/WebCore/dom/XMLTokenizer.cpp b/WebCore/dom/XMLTokenizer.cpp index 1c43322..818dacd 100644 --- a/WebCore/dom/XMLTokenizer.cpp +++ b/WebCore/dom/XMLTokenizer.cpp @@ -27,7 +27,6 @@ #include "XMLTokenizer.h" #include "CDATASection.h" -#include "CString.h" #include "CachedScript.h" #include "Comment.h" #include "DocLoader.h" @@ -51,7 +50,7 @@ #include "ScriptSourceCode.h" #include "ScriptValue.h" #include "TextResourceDecoder.h" -#include <wtf/Platform.h> +#include <wtf/text/CString.h> #include <wtf/StringExtras.h> #include <wtf/Threading.h> #include <wtf/Vector.h> @@ -68,6 +67,7 @@ namespace WebCore { using namespace HTMLNames; const int maxErrors = 25; +const size_t maxNestingDepth = 4096; #if ENABLE(WML) bool XMLTokenizer::isWMLDocument() const @@ -87,6 +87,8 @@ void XMLTokenizer::pushCurrentNode(Node* n) n->ref(); m_currentNodeStack.append(m_currentNode); m_currentNode = n; + if (m_currentNodeStack.size() > maxNestingDepth) + handleError(fatal, "Excessive node nesting.", lineNumber(), columnNumber()); } void XMLTokenizer::popCurrentNode() @@ -206,7 +208,11 @@ void XMLTokenizer::exitText() void XMLTokenizer::end() { doEnd(); - + + // doEnd() could process a script tag, thus pausing parsing. + if (m_parserPaused) + return; + if (m_sawError) insertErrorMessageBlock(); else { |