
LibWeb: Fix Array OOBs in the HTMLTokenizer

Accessing last() if there are no elements makes WebContent crash :^)
This commit is contained in:
stelar7 2022-06-02 01:03:44 +02:00 committed by Linus Groh
parent 997890c94e
commit e547f5887e


@ -210,15 +210,18 @@ Optional<u32> HTMLTokenizer::next_code_point()
void HTMLTokenizer::skip(size_t count) void HTMLTokenizer::skip(size_t count)
{ {
m_source_positions.append(m_source_positions.last()); if (!m_source_positions.is_empty())
m_source_positions.append(m_source_positions.last());
for (size_t i = 0; i < count; ++i) { for (size_t i = 0; i < count; ++i) {
m_prev_utf8_iterator = m_utf8_iterator; m_prev_utf8_iterator = m_utf8_iterator;
auto code_point = *m_utf8_iterator; auto code_point = *m_utf8_iterator;
if (code_point == '\n') { if (!m_source_positions.is_empty()) {
m_source_positions.last().column = 0; if (code_point == '\n') {
m_source_positions.last().line++; m_source_positions.last().column = 0;
} else { m_source_positions.last().line++;
m_source_positions.last().column++; } else {
m_source_positions.last().column++;
}
} }
++m_utf8_iterator; ++m_utf8_iterator;
} }
@ -245,7 +248,7 @@ HTMLToken::Position HTMLTokenizer::nth_last_position(size_t n)
Optional<HTMLToken> HTMLTokenizer::next_token() Optional<HTMLToken> HTMLTokenizer::next_token()
{ {
{ if (!m_source_positions.is_empty()) {
auto last_position = m_source_positions.last(); auto last_position = m_source_positions.last();
m_source_positions.clear_with_capacity(); m_source_positions.clear_with_capacity();
m_source_positions.append(move(last_position)); m_source_positions.append(move(last_position));
@ -1190,7 +1193,8 @@ _StartOfFunction:
ANYTHING_ELSE ANYTHING_ELSE
{ {
m_current_token.add_attribute({}); m_current_token.add_attribute({});
m_current_token.last_attribute().name_start_position = m_source_positions.last(); if (!m_source_positions.is_empty())
m_current_token.last_attribute().name_start_position = m_source_positions.last();
RECONSUME_IN(AttributeName); RECONSUME_IN(AttributeName);
} }
} }
@ -2867,8 +2871,10 @@ void HTMLTokenizer::restore_to(Utf8CodePointIterator const& new_iterator)
{ {
auto diff = m_utf8_iterator - new_iterator; auto diff = m_utf8_iterator - new_iterator;
if (diff > 0) { if (diff > 0) {
for (ssize_t i = 0; i < diff; ++i) for (ssize_t i = 0; i < diff; ++i) {
m_source_positions.take_last(); if (!m_source_positions.is_empty())
m_source_positions.take_last();
}
} else { } else {
// Going forwards...? // Going forwards...?
TODO(); TODO();
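Review bot: In the restore_to hunk the loop keeps iterating after `m_source_positions` has been drained, because the new guard only skips the `take_last()` call rather than ending the loop; `if (m_source_positions.is_empty()) break;` in place of the added `if` before `m_source_positions.take_last();` stops as soon as nothing more can be removed and makes the intent explicit. The same shape appears in the skip hunk, where the `is_empty()` check inside the `for` loop is loop-invariant (the vector's size does not change within the loop body), so it could be hoisted to a single check before the loop. More generally, these guards replace a crash with silently skipped position bookkeeping; if an empty `m_source_positions` at these points reflects a desynchronisation between the code point iterator and the position stack rather than an expected state, a short comment such as `// m_source_positions can be empty when [condition]; skip position tracking rather than dereferencing last()` would tell the next reader why the fallback is acceptable. restore_to's body continues outside the hunk.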