RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-10-31 13:32:45 +00:00
Code Issues Activity Actions

LibWeb: Prevent OOB access in HTMLEncodingDetection for input of '</'

Browse source 
Previously, this never checked if `position + 2` was valid. This
slightly reorders the loop so all indices are checked.

Fixes #22163
This commit is contained in:
MacDue 2024-01-04 11:22:20 +00:00 committed by Andreas Kling
parent 3f52d6045a
commit 5e973fca0b
3 changed files with 17 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

8
Userland/Libraries/LibWeb/HTML/Parser/HTMLEncodingDetection.cpp
View file

@ -321,12 +321,12 @@ Optional<ByteString> run_prescan_byte_stream_algorithm(DOM::Document& document,
prescan_skip_whitespace_and_slashes(input, position);
while (prescan_get_attribute(document, input, position)) { };
} else if (!prescan_should_abort(input, position + 1) && input[position] == '<' && (input[position + 1] == '!' || input[position + 1] == '/' || input[position + 1] == '?')) {
position += 2;
while (input[position] != '>') {
++position;
position += 1;
do {
position += 1;
if (prescan_should_abort(input, position))
return {};
}
} while (input[position] != '>');
} else {
// Do nothing.
}