Changeset 172036 in webkit

Timestamp:

Aug 5, 2014 11:14:31 AM (10 years ago)

Author:

commit-queue@webkit.org

Message:

ASSERTION FAILED: name[0] == '@' && length >= 2 in WebCore::CSSParser::detectAtToken
​https://bugs.webkit.org/show_bug.cgi?id=134632

Source/WebCore:

At-rules must consist of at least two characters: the '@' symbol followed by
an identifier name. The failure of this condition makes the assertion fail.

The length of an at-rule is currently calculated by pointer arithmetic on
the 'result' pointer, which is expected to be set to the end of the at-rule
identifier by the WebCore::*CSSTokenizer::parseIdentifier method.
If the at-rule token is a sequence of 8-bit-only characters then
'result' will point correctly at the end of the identifier. However, if
the at-rule contains a 16-bit Unicode escape then 'result' will not be
updated correctly anymore, hence it cannot be used for length calculation.
The patch makes the parseIdentifier bump the result pointer even in the 16-bit slow case.

Patch by Renata Hodovan, backported from Chromium: ​https://codereview.chromium.org/241053002

Patch by Martin Hodovan <​mhodovan.u-szeged@partner.samsung.com> on 2014-08-05
Reviewed by Darin Adler.

Test: fast/css/atrule-with-escape-character-crash.html

• css/CSSParser.cpp:

(WebCore::CSSParser::realLex):

LayoutTests:

Added test demonstrates that at-rules containing 16-bit Unicode characters
can be handled properly.

Patch by Martin Hodovan <​mhodovan.u-szeged@partner.samsung.com> on 2014-08-05
Reviewed by Darin Adler.

• fast/css/atrule-with-escape-character-crash-expected.txt: Added.
• fast/css/atrule-with-escape-character-crash.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/css/atrule-with-escape-character-crash-expected.txt (added)
• LayoutTests/fast/css/atrule-with-escape-character-crash.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/css/CSSParser.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2014-08-05  Martin Hodovan  <mhodovan.u-szeged@partner.samsung.com>
+
+        ASSERTION FAILED: name[0] == '@' && length >= 2 in WebCore::CSSParser::detectAtToken
+        https://bugs.webkit.org/show_bug.cgi?id=134632
+
+        Added test demonstrates that at-rules containing 16-bit Unicode characters
+        can be handled properly.
+
+        Reviewed by Darin Adler.
+
+        * fast/css/atrule-with-escape-character-crash-expected.txt: Added.
+        * fast/css/atrule-with-escape-character-crash.html: Added.
+
 2014-08-05  Renata Hodovan  <rhodovan.u-szeged@partner.samsung.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2014-08-05  Martin Hodovan  <mhodovan.u-szeged@partner.samsung.com>
+
+        ASSERTION FAILED: name[0] == '@' && length >= 2 in WebCore::CSSParser::detectAtToken
+        https://bugs.webkit.org/show_bug.cgi?id=134632
+
+        At-rules must consist of at least two characters: the '@' symbol followed by
+        an identifier name. The failure of this condition makes the assertion fail.
+
+        The length of an at-rule is currently calculated by pointer arithmetic on
+        the 'result' pointer, which is expected to be set to the end of the at-rule
+        identifier by the WebCore::*CSSTokenizer::parseIdentifier method.
+        If the at-rule token is a sequence of 8-bit-only characters then
+        'result' will point correctly at the end of the identifier. However, if
+        the at-rule contains a 16-bit Unicode escape then 'result' will not be
+        updated correctly anymore, hence it cannot be used for length calculation.
+        The patch makes the parseIdentifier bump the result pointer even in the 16-bit slow case.
+
+        Patch by Renata Hodovan, backported from Chromium: https://codereview.chromium.org/241053002
+
+        Reviewed by Darin Adler.
+
+        Test: fast/css/atrule-with-escape-character-crash.html
+
+        * css/CSSParser.cpp:
+        (WebCore::CSSParser::realLex):
+
 2014-08-04  Andy Estes  <aestes@apple.com>
 

trunk/Source/WebCore/css/CSSParser.cpp

@@ -10299 +10299 @@
         parseIdentifierInternal(currentCharacter<CharacterType>(), result16, hasEscape);
 
+        result += result16 - start16;
         resultString.init(start16, result16 - start16);