Fix for ASSERT and more with bad CSS input.

Source/core/css/CSSTokenizer-in.cpp

Index: Source/core/css/CSSTokenizer-in.cpp
diff --git a/Source/core/css/CSSTokenizer-in.cpp b/Source/core/css/CSSTokenizer-in.cpp
index dec709fc12067efc771f95cbb7cf6cfdcce7cfa8..f39fff08b734563e8435555469bfe2fcdd2de7bd 100644
--- a/Source/core/css/CSSTokenizer-in.cpp
+++ b/Source/core/css/CSSTokenizer-in.cpp
@@ -354,12 +354,12 @@ inline bool CSSTokenizer::isIdentifierStart()
 }
 
 template <typename CharacterType>
-static inline CharacterType* checkAndSkipString(CharacterType* currentCharacter, int quote)
+static inline CharacterType* checkAndSkipString(CharacterType* currentCharacter, int quote, bool validate)

[eseidel, 2014/04/09 17:47:32]

Please use an enum instead of a bool.

enum ValidateBehavior {
   ValidateString,
   DoNotValidateString,
}

You can probably come up with better names than that.  I'm still not sure what
those mean, but at least they would make teh callsites more readable than
"true", "false".

[Daniel Bratell, 2014/04/09 18:07:39]

Done.

 {
-    // Returns with 0, if string check is failed. Otherwise
-    // it returns with the following character. This is necessary
-    // since we cannot revert escape sequences, thus strings
-    // must be validated before parsing.
+    // Returns with 0, if validate is true and string check is
+    // failed. Otherwise it returns with the following character. This
+    // is necessary since we cannot revert escape sequences, thus
+    // strings must be validated before parsing.
     while (true) {
         if (UNLIKELY(*currentCharacter == quote)) {
             // String parsing is successful.
@@ -369,7 +369,7 @@ static inline CharacterType* checkAndSkipString(CharacterType* currentCharacter,
             // String parsing is successful up to end of input.
             return currentCharacter;
         }
-        if (UNLIKELY(*currentCharacter <= '\r' && (*currentCharacter == '\n' || (*currentCharacter | 0x1) == '\r'))) {
+        if (validate && UNLIKELY(*currentCharacter <= '\r' && (*currentCharacter == '\n' || (*currentCharacter | 0x1) == '\r'))) {
             // String parsing is failed for character '\n', '\f' or '\r'.
             return 0;
         }
@@ -381,9 +381,13 @@ static inline CharacterType* checkAndSkipString(CharacterType* currentCharacter,
         } else if (currentCharacter[1] == '\r') {
             currentCharacter += currentCharacter[2] == '\n' ? 3 : 2;
         } else {
-            currentCharacter = checkAndSkipEscape(currentCharacter);
-            if (!currentCharacter)
-                return 0;
+            CharacterType* next = checkAndSkipEscape(currentCharacter);
+            if (!next) {
+                if (validate)
+                    return 0;
+                next = currentCharacter + 1;
+            }
+            currentCharacter = next;
         }
     }
 }
@@ -518,7 +522,7 @@ size_t CSSTokenizer::peekMaxStringLen(SrcCharacterType* src, UChar quote)
     // codepoints) than the input. This code can therefore ignore
     // escape sequences completely and just return the length of the
     // input string (possibly including terminating quote if any).
-    SrcCharacterType* end = checkAndSkipString(src, quote);
+    SrcCharacterType* end = checkAndSkipString(src, quote, false);
     return end ? end - src : 0;
 }
 
@@ -535,8 +539,6 @@ inline bool CSSTokenizer::parseStringInternal(SrcCharacterType*& src, DestCharac
             // String parsing is done, but don't advance pointer if at the end of input.
             return true;
         }
-        ASSERT(*src > '\r' || (*src < '\n' && *src) || *src == '\v');
-
         if (LIKELY(src[0] != '\\')) {
             *result++ = *src++;
         } else if (src[1] == '\n' || src[1] == '\f') {
@@ -589,7 +591,7 @@ inline bool CSSTokenizer::findURI(CharacterType*& start, CharacterType*& end, UC
 
     if (*start == '"' || *start == '\'') {
         quote = *start++;
-        end = checkAndSkipString(start, quote);
+        end = checkAndSkipString(start, quote, true);
         if (!end)
             return false;
     } else {
@@ -1368,7 +1370,7 @@ restartAfterComment:
         break;
 
     case CharacterQuote:
-        if (checkAndSkipString(currentCharacter<SrcCharacterType>(), m_token)) {
+        if (checkAndSkipString(currentCharacter<SrcCharacterType>(), m_token, true)) {
             ++result;
             parseString<SrcCharacterType>(result, yylval->string, m_token);
             m_token = STRING;