Fix for ASSERT and more with bad CSS input.

Source/core/css/CSSTokenizer-in.cpp

 /*
  * Copyright (C) 2003 Lars Knoll (knoll@kde.org)
  * Copyright (C) 2005 Allan Sandfeld Jensen (kde@carewolf.com)
  * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 Apple Inc. All rights reserved.
  * Copyright (C) 2007 Nicholas Shanks <webkit@nickshanks.com>
  * Copyright (C) 2008 Eric Seidel <eric@webkit.org>
  * Copyright (C) 2009 Torch Mobile Inc. All rights reserved. (http://www.torchmobile.com/)
  * Copyright (C) 2012 Adobe Systems Incorporated. All rights reserved.
  * Copyright (C) 2012 Intel Corporation. All rights reserved.
  *
@@ skipping 336 matching lines @@
 }
 
 template <typename CharacterType>
 inline bool CSSTokenizer::isIdentifierStart()
 {
     // Check whether an identifier is started.
     return isIdentifierStartAfterDash((*currentCharacter<CharacterType>() != '-') ? currentCharacter<CharacterType>() : currentCharacter<CharacterType>() + 1);
 }
 
 template <typename CharacterType>
-static inline CharacterType* checkAndSkipString(CharacterType* currentCharacter, int quote)
+static inline CharacterType* checkAndSkipString(CharacterType* currentCharacter, int quote, bool validate)

[eseidel, 2014/04/09 17:47:32]

Please use an enum instead of a bool.

enum ValidateBehavior {
   ValidateString,
   DoNotValidateString,
}

You can probably come up with better names than that.  I'm still not sure what
those mean, but at least they would make teh callsites more readable than
"true", "false".

[Daniel Bratell, 2014/04/09 18:07:39]

Done.

 {
-    // Returns with 0, if string check is failed. Otherwise
-    // it returns with the following character. This is necessary
-    // since we cannot revert escape sequences, thus strings
-    // must be validated before parsing.
+    // Returns with 0, if validate is true and string check is
+    // failed. Otherwise it returns with the following character. This
+    // is necessary since we cannot revert escape sequences, thus
+    // strings must be validated before parsing.
     while (true) {
         if (UNLIKELY(*currentCharacter == quote)) {
             // String parsing is successful.
             return currentCharacter + 1;
         }
         if (UNLIKELY(!*currentCharacter)) {
             // String parsing is successful up to end of input.
             return currentCharacter;
         }
-        if (UNLIKELY(*currentCharacter <= '\r' && (*currentCharacter == '\n' || (*currentCharacter | 0x1) == '\r'))) {
+        if (validate && UNLIKELY(*currentCharacter <= '\r' && (*currentCharacter == '\n' || (*currentCharacter | 0x1) == '\r'))) {
             // String parsing is failed for character '\n', '\f' or '\r'.
             return 0;
         }
 
         if (LIKELY(currentCharacter[0] != '\\')) {
             ++currentCharacter;
         } else if (currentCharacter[1] == '\n' || currentCharacter[1] == '\f') {
             currentCharacter += 2;
         } else if (currentCharacter[1] == '\r') {
             currentCharacter += currentCharacter[2] == '\n' ? 3 : 2;
         } else {
-            currentCharacter = checkAndSkipEscape(currentCharacter);
-            if (!currentCharacter)
-                return 0;
+            CharacterType* next = checkAndSkipEscape(currentCharacter);
+            if (!next) {
+                if (validate)
+                    return 0;
+                next = currentCharacter + 1;
+            }
+            currentCharacter = next;
         }
     }
 }
 
 template <typename CharacterType>
 unsigned CSSTokenizer::parseEscape(CharacterType*& src)
 {
     ASSERT(*src == '\\' && isCSSEscape(src[1]));
 
     unsigned unicode = 0;
@@ skipping 114 matching lines @@
 }
 
 template <typename SrcCharacterType>
 size_t CSSTokenizer::peekMaxStringLen(SrcCharacterType* src, UChar quote)
 {
     // The decoded form of a CSS string (after resolving escape
     // sequences) will not contain more characters (ASCII or UTF-16
     // codepoints) than the input. This code can therefore ignore
     // escape sequences completely and just return the length of the
     // input string (possibly including terminating quote if any).
-    SrcCharacterType* end = checkAndSkipString(src, quote);
+    SrcCharacterType* end = checkAndSkipString(src, quote, false);
     return end ? end - src : 0;
 }
 
 template <typename SrcCharacterType, typename DestCharacterType>
 inline bool CSSTokenizer::parseStringInternal(SrcCharacterType*& src, DestCharacterType*& result, UChar quote)
 {
     while (true) {
         if (UNLIKELY(*src == quote)) {
             // String parsing is done.
             ++src;
             return true;
         }
         if (UNLIKELY(!*src)) {
             // String parsing is done, but don't advance pointer if at the end of input.
             return true;
         }
-        ASSERT(*src > '\r' || (*src < '\n' && *src) || *src == '\v');
-
         if (LIKELY(src[0] != '\\')) {
             *result++ = *src++;
         } else if (src[1] == '\n' || src[1] == '\f') {
             src += 2;
         } else if (src[1] == '\r') {
             src += src[2] == '\n' ? 3 : 2;
         } else {
             SrcCharacterType* savedEscapeStart = src;
             unsigned unicode = parseEscape<SrcCharacterType>(src);
             if (unicode > 0xff && sizeof(DestCharacterType) == 1) {
@@ skipping 32 matching lines @@
     resultString.init(start, result - start);
 }
 
 template <typename CharacterType>
 inline bool CSSTokenizer::findURI(CharacterType*& start, CharacterType*& end, UChar& quote)
 {
     start = skipWhiteSpace(currentCharacter<CharacterType>());
 
     if (*start == '"' || *start == '\'') {
         quote = *start++;
-        end = checkAndSkipString(start, quote);
+        end = checkAndSkipString(start, quote, true);
         if (!end)
             return false;
     } else {
         quote = 0;
         end = start;
         while (isURILetter(*end)) {
             if (LIKELY(*end != '\\')) {
                 ++end;
             } else {
                 end = checkAndSkipEscape(end);
@@ skipping 758 matching lines @@
         if (m_parsingMode == MediaQueryMode || m_parsingMode == SupportsMode)
             m_parsingMode = NormalMode;
         break;
 
     case CharacterEndNthChild:
         if (m_parsingMode == NthChildMode)
             m_parsingMode = NormalMode;
         break;
 
     case CharacterQuote:
-        if (checkAndSkipString(currentCharacter<SrcCharacterType>(), m_token)) {
+        if (checkAndSkipString(currentCharacter<SrcCharacterType>(), m_token, true)) {
             ++result;
             parseString<SrcCharacterType>(result, yylval->string, m_token);
             m_token = STRING;
         }
         break;
 
     case CharacterExclamationMark: {
         SrcCharacterType* start = skipWhiteSpace(currentCharacter<SrcCharacterType>());
         if (isEqualToCSSIdentifier(start, "important")) {
             m_token = IMPORTANT_SYM;
@@ skipping 198 matching lines @@
     m_dataStart16[length - 1] = 0;
 
     m_is8BitSource = false;
     m_currentCharacter8 = 0;
     m_currentCharacter16 = m_dataStart16.get();
     setTokenStart<UChar>(m_currentCharacter16);
     m_lexFunc = &CSSTokenizer::realLex<UChar>;
 }
 
 } // namespace WebCore