
LibWeb: Fix crash in HTML encoding detection when handling non-ASCII

The fix here was to stop using StringBuilder::append(char) when told to
append a code point, and switch to StringBuilder::append_code_point(u32)

There's probably a bunch more issues like this, and we should stop using
append(char) in general since it allows building of garbage strings.
Andreas Kling 2023-12-28 23:30:20 +01:00
parent 83f43310fa
commit 9ce267944c
3 changed files with 14 additions and 6 deletions


@ -0,0 +1,7 @@
Viewport <#document> at (0,0) content-size 800x600 children: not-inline
BlockContainer <html> at (0,0) content-size 800x600 [BFC] children: not-inline
BlockContainer <body> at (8,8) content-size 784x0 children: not-inline
ViewportPaintable (Viewport<#document>) [0,0 800x600]
PaintableWithLines (BlockContainer<HTML>) [0,0 800x600]
PaintableWithLines (BlockContainer<BODY>) [8,8 784x0]


@ -0,0 +1 @@
<z==š


@ -128,7 +128,7 @@ JS::GCPtr<DOM::Attr> prescan_get_attribute(DOM::Document& document, ByteBuffer c
// -> If it is in the range 0x41 (A) to 0x5A (Z) // -> If it is in the range 0x41 (A) to 0x5A (Z)
if (input[position] >= 'A' && input[position] <= 'Z') { if (input[position] >= 'A' && input[position] <= 'Z') {
// Append the code point b+0x20 to attribute name (where b is the value of the byte at position). (This converts the input to lowercase.) // Append the code point b+0x20 to attribute name (where b is the value of the byte at position). (This converts the input to lowercase.)
attribute_name.append(input[position] + 0x20); attribute_name.append_code_point(input[position] + 0x20);
} }
// -> Anything else // -> Anything else
else { else {
@ -185,7 +185,7 @@ value:
// 4. Otherwise, if the value of the byte at position is in the range 0x41 (A) to 0x5A (Z), // 4. Otherwise, if the value of the byte at position is in the range 0x41 (A) to 0x5A (Z),
// then append a code point to attribute value whose value is 0x20 more than the value of the byte at position. // then append a code point to attribute value whose value is 0x20 more than the value of the byte at position.
if (input[position] >= 'A' && input[position] <= 'Z') { if (input[position] >= 'A' && input[position] <= 'Z') {
attribute_value.append(input[position] + 0x20); attribute_value.append_code_point(input[position] + 0x20);
} }
// 5. Otherwise, append a code point to attribute value whose value is the same as the value of the byte at position. // 5. Otherwise, append a code point to attribute value whose value is the same as the value of the byte at position.
else { else {
@ -206,14 +206,14 @@ value:
// -> If it is in the range 0x41 (A) to 0x5A (Z) // -> If it is in the range 0x41 (A) to 0x5A (Z)
if (input[position] >= 'A' && input[position] <= 'Z') { if (input[position] >= 'A' && input[position] <= 'Z') {
// Append a code point b+0x20 to attribute value (where b is the value of the byte at position). // Append a code point b+0x20 to attribute value (where b is the value of the byte at position).
attribute_value.append(input[position] + 0x20); attribute_value.append_code_point(input[position] + 0x20);
// Advance position to the next byte. // Advance position to the next byte.
++position; ++position;
} }
// -> Anything else // -> Anything else
else { else {
// Append a code point with the same value as the byte at position to attribute value. // Append a code point with the same value as the byte at position to attribute value.
attribute_value.append(input[position]); attribute_value.append_code_point(input[position]);
// Advance position to the next byte. // Advance position to the next byte.
++position; ++position;
} }
@ -232,12 +232,12 @@ value:
// -> If it is in the range 0x41 (A) to 0x5A (Z) // -> If it is in the range 0x41 (A) to 0x5A (Z)
if (input[position] >= 'A' && input[position] <= 'Z') { if (input[position] >= 'A' && input[position] <= 'Z') {
// Append a code point b+0x20 to attribute value (where b is the value of the byte at position). // Append a code point b+0x20 to attribute value (where b is the value of the byte at position).
attribute_value.append(input[position] + 0x20); attribute_value.append_code_point(input[position] + 0x20);
} }
// -> Anything else // -> Anything else
else { else {
// Append a code point with the same value as the byte at position to attribute value. // Append a code point with the same value as the byte at position to attribute value.
attribute_value.append(input[position]); attribute_value.append_code_point(input[position]);
} }
// 12. Advance position to the next byte and return to the previous step. // 12. Advance position to the next byte and return to the previous step.