Fix two off-by-one reads in the CSS parser.

crowell · jeffkaufman · commit 0bc4ce7c8bd7 · 2016-03-07T11:05:40.000-05:00
Fixes #1276 (Squash of 5ac1322, c936eaa, 6dfaf07, and 356a845)
diff --git a/third_party/css_parser/src/webutil/css/parser.cc b/third_party/css_parser/src/webutil/css/parser.cc
@@ -29,14 +29,12 @@
 
 #include "base/logging.h"
 #include "base/macros.h"
-#include "base/scoped_ptr.h"
 #include "strings/strutil.h"
 #include "third_party/utf/utf.h"
 #include "util/gtl/stl_util.h"
 #include "util/utf8/public/unicodetext.h"
 #include "util/utf8/public/unilib.h"
-#include "webutil/css/fallthrough_intended.h"
-#include "webutil/css/string.h"
+#include "webutil/css/fallthrough_intended.h"  // Needed in open source
 #include "webutil/css/string_util.h"
 #include "webutil/css/util.h"
 #include "webutil/css/value.h"
@@ -542,7 +540,7 @@ char32 Parser::ParseEscape() {
     }
     if (end_ - in_ >= 2 && memcmp(in_, "\r\n", 2) == 0)
       in_ += 2;
-    else if (IsSpace(*in_))
+    else if (in_ < end_ && IsSpace(*in_))
       in_++;
   }
 
@@ -926,7 +924,6 @@ Value* Parser::ParseUrl() {
         if (len && rune != Runeerror) {
           s.push_back(rune);
           in_ += len;
-          DCHECK(!Done());
         } else {
           ReportParsingError(kUtf8Error, "UTF8 parsing error in URL");
           in_++;
@@ -2387,7 +2384,9 @@ MediaQuery* Parser::ParseMediaQuery() {
             found_and = true;
           }
         } else {
-          if (ident.empty()) {
+          if (in_ >= end_) {
+            ReportParsingError(kMediaError, "Unexpected EOF");
+          } else if (ident.empty()) {
             ReportParsingError(kMediaError, StringPrintf(
                 "Unexpected char in media query: %c", *in_));
           } else {
diff --git a/third_party/css_parser/src/webutil/css/parser_unittest.cc b/third_party/css_parser/src/webutil/css/parser_unittest.cc
@@ -2696,4 +2696,18 @@ TEST_F(ParserTest, ParseAnyParens) {
   EXPECT_STREQ(" 9 7)", p->in_);
 }
 
+TEST_F(ParserTest, BadPartialImport) {
+  const char kBadPartialImport[] = "@import url(R\xd5\x9b";
+  Parser parser(kBadPartialImport);
+  delete parser.ParseStylesheet();
+  EXPECT_NE(Parser::kNoError, parser.errors_seen_mask());
+}
+
+TEST_F(ParserTest, BadPartialImportEncoding) {
+  const char kBadPartialImportEncoding[] = "@import url(R\xd5";
+  Parser parser(kBadPartialImportEncoding);
+  delete parser.ParseStylesheet();
+  EXPECT_NE(Parser::kNoError, parser.errors_seen_mask());
+}
+
 }  // namespace Css
