From 5e973fca0b58c3007d3744ed40d45d79e9c271e7 Mon Sep 17 00:00:00 2001
From: MacDue <macdue@dueutil.tech>
Date: Thu, 4 Jan 2024 11:22:20 +0000
Subject: [PATCH] LibWeb: Prevent OOB access in HTMLEncodingDetection for input
 of '</'

Previously, this never checked if `position + 2` was valid. This
slightly reorders the loop so all indices are checked.

Fixes #22163
---
 ...lete-input-no-newline-at-eof-should-not-crash.txt | 12 ++++++++++++
 ...ete-input-no-newline-at-eof-should-not-crash.html |  1 +
 .../LibWeb/HTML/Parser/HTMLEncodingDetection.cpp     |  8 ++++----
 3 files changed, 17 insertions(+), 4 deletions(-)
 create mode 100644 Tests/LibWeb/Layout/expected/incomplete-input-no-newline-at-eof-should-not-crash.txt
 create mode 100644 Tests/LibWeb/Layout/input/incomplete-input-no-newline-at-eof-should-not-crash.html

diff --git a/Tests/LibWeb/Layout/expected/incomplete-input-no-newline-at-eof-should-not-crash.txt b/Tests/LibWeb/Layout/expected/incomplete-input-no-newline-at-eof-should-not-crash.txt
new file mode 100644
index 0000000000..fb08f18b0a
--- /dev/null
+++ b/Tests/LibWeb/Layout/expected/incomplete-input-no-newline-at-eof-should-not-crash.txt
@@ -0,0 +1,12 @@
+Viewport <#document> at (0,0) content-size 800x600 children: not-inline
+  BlockContainer <html> at (0,0) content-size 800x600 [BFC] children: not-inline
+    BlockContainer <body> at (8,8) content-size 784x17.46875 children: inline
+      line 0 width: 14.65625, height: 17.46875, bottom: 17.46875, baseline: 13.53125
+        frag 0 from TextNode start: 0, length: 2, rect: [8,8 14.65625x17.46875]
+          "</"
+      TextNode <#text>
+
+ViewportPaintable (Viewport<#document>) [0,0 800x600]
+  PaintableWithLines (BlockContainer<HTML>) [0,0 800x600]
+    PaintableWithLines (BlockContainer<BODY>) [8,8 784x17.46875]
+      TextPaintable (TextNode<#text>)
diff --git a/Tests/LibWeb/Layout/input/incomplete-input-no-newline-at-eof-should-not-crash.html b/Tests/LibWeb/Layout/input/incomplete-input-no-newline-at-eof-should-not-crash.html
new file mode 100644
index 0000000000..35324addd9
--- /dev/null
+++ b/Tests/LibWeb/Layout/input/incomplete-input-no-newline-at-eof-should-not-crash.html
@@ -0,0 +1 @@
+</
\ No newline at end of file
diff --git a/Userland/Libraries/LibWeb/HTML/Parser/HTMLEncodingDetection.cpp b/Userland/Libraries/LibWeb/HTML/Parser/HTMLEncodingDetection.cpp
index 7d2876a3a7..9e8c8d9d68 100644
--- a/Userland/Libraries/LibWeb/HTML/Parser/HTMLEncodingDetection.cpp
+++ b/Userland/Libraries/LibWeb/HTML/Parser/HTMLEncodingDetection.cpp
@@ -321,12 +321,12 @@ Optional<ByteString> run_prescan_byte_stream_algorithm(DOM::Document& document,
             prescan_skip_whitespace_and_slashes(input, position);
             while (prescan_get_attribute(document, input, position)) { };
         } else if (!prescan_should_abort(input, position + 1) && input[position] == '<' && (input[position + 1] == '!' || input[position + 1] == '/' || input[position + 1] == '?')) {
-            position += 2;
-            while (input[position] != '>') {
-                ++position;
+            position += 1;
+            do {
+                position += 1;
                 if (prescan_should_abort(input, position))
                     return {};
-            }
+            } while (input[position] != '>');
         } else {
             // Do nothing.
         }