[Backport] CVE-2019-5842

Manual backport. XPath: Do not crash by a deep expression. The union defined in xpath_grammar.y should be on the stack. Bug: 961413 Change-Id: I58af2a86975e529fab21f526bfd3e398c18ee997 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
author: Michael Brüning <michael.bruning@qt.io> 2019-12-03 16:13:01 +0100
committer: Michael Brüning <michael.bruning@qt.io> 2019-12-04 21:05:08 +0000
commit: ed253f24557bbba635e4df3a916ce93ccdd73c18 (patch)
tree: fc71e3ea7596ca490563fa4020a467fb49c825c7
parent: 9ccd70b1edbe5226ef6a7f911c560a85d52a3bea (diff)
download: qtwebengine-chromium-ed253f24557bbba635e4df3a916ce93ccdd73c18.tar.gz
1 files changed, 7 insertions, 7 deletions
diff --git a/chromium/third_party/WebKit/Source/core/xml/XPathGrammar.y b/chromium/third_party/WebKit/Source/core/xml/XPathGrammar.y
index bd3b1c15f2f..ed501f81e41 100644
--- a/chromium/third_party/WebKit/Source/core/xml/XPathGrammar.y
+++ b/chromium/third_party/WebKit/Source/core/xml/XPathGrammar.y
@@ -36,13 +36,13 @@
 #include "core/xml/XPathVariableReference.h"
 #include "wtf/allocator/Partitions.h"
 
-void* yyFastMalloc(size_t size)
-{
-    return WTF::Partitions::fastMalloc(size, nullptr);
-}
-
-#define YYMALLOC yyFastMalloc
-#define YYFREE WTF::Partitions::fastFree
+// The union below must be located on the stack because it contains raw
+// pointers to Oilpan objects. crbug.com/961413
+#define YYSTACK_USE_ALLOCA 1
+// Bison's bug? YYSTACK_ALLOC is not defined if _MSC_VER.
+#if defined(_MSC_VER)
+#define YYSTACK_ALLOC _alloca
+#endif
 
 #define YYENABLE_NLS 0
 #define YYLTYPE_IS_TRIVIAL 1
author	Michael Brüning <michael.bruning@qt.io>	2019-12-03 16:13:01 +0100
committer	Michael Brüning <michael.bruning@qt.io>	2019-12-04 21:05:08 +0000
commit	ed253f24557bbba635e4df3a916ce93ccdd73c18 (patch)
tree	fc71e3ea7596ca490563fa4020a467fb49c825c7
parent	9ccd70b1edbe5226ef6a7f911c560a85d52a3bea (diff)
download	qtwebengine-chromium-ed253f24557bbba635e4df3a916ce93ccdd73c18.tar.gz