41983 2010-07-09 13:47:25 -0700 Assertion failure in String::utf8() for certain invalid UTF16 inputs 2010-07-09 17:34:31 -0700 1 1 1 Unclassified WebKit Web Template Framework 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 1 kbr kbr barraclough cmarrin darin dglazkov oliver zmo oldest_to_newest 249232 0 kbr 2010-07-09 13:47:25 -0700 If the UTF16 data in a String contains a high surrogate as its last character, and convertUTF16ToUTF8 (JavaScriptCore/wtf/unicode/UTF8.cpp) thereby returns sourceExhausted, the following assert in WTFString.cpp (~line 666) will fail: ASSERT((characters + 1) == (characters + length)); It looks to me like this assertion should be: ASSERT((characters + 1) == (this->characters() + length)); Patch coming. I've tried to provoke this crash by sending down invalid String inputs from JavaScript to a couple of DOM entry points, but the only way I've been able to get String::utf8() called on arbitrary JavaScript string inputs is via WebGL APIs. 249239 1 61085 kbr 2010-07-09 13:55:25 -0700 Created attachment 61085 Patch From the ChangeLog: Fixed assertion when sourceExhausted is returned from convertUTF16ToUTF8. 249265 2 61085 dglazkov 2010-07-09 14:21:32 -0700 Comment on attachment 61085 Patch Awesome :) 249381 3 kbr 2010-07-09 17:34:31 -0700 Committed r63016: <http://trac.webkit.org/changeset/63016> 61085 2010-07-09 13:55:25 -0700 2010-07-09 14:21:32 -0700 Patch utf8.patch text/plain 4514 kbr SW5kZXg6IEphdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBKYXZhU2NyaXB0 Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDYyOTkxKQorKysgSmF2YVNjcmlwdENvcmUvQ2hhbmdl TG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTQgQEAKKzIwMTAtMDctMDkgIEtlbm5ldGgg UnVzc2VsbCAgPGtickBnb29nbGUuY29tPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAo T09QUyEpLgorCisgICAgICAgIEFzc2VydGlvbiBmYWlsdXJlIGluIFN0cmluZzo6dXRmOCgpIGZv ciBjZXJ0YWluIGludmFsaWQgVVRGMTYgaW5wdXRzCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJr aXQub3JnL3Nob3dfYnVnLmNnaT9pZD00MTk4MworCisgICAgICAgICogd3RmL3RleHQvV1RGU3Ry aW5nLmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OlN0cmluZzo6dXRmOCk6CisgICAgICAgICAtIEZp eGVkIGFzc2VydGlvbiB3aGVuIHNvdXJjZUV4aGF1c3RlZCBpcyByZXR1cm5lZCBmcm9tIGNvbnZl cnRVVEYxNlRvVVRGOC4KKwogMjAxMC0wNy0wOCAgT2xpdmVyIEh1bnQgIDxvbGl2ZXJAYXBwbGUu Y29tPgogCiAgICAgICAgIFJldmlld2VkIGJ5IFNhbSBXZWluaWcuCkluZGV4OiBKYXZhU2NyaXB0 Q29yZS93dGYvdGV4dC9XVEZTdHJpbmcuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIEphdmFTY3JpcHRDb3Jl L3d0Zi90ZXh0L1dURlN0cmluZy5jcHAJKHJldmlzaW9uIDYyOTkwKQorKysgSmF2YVNjcmlwdENv cmUvd3RmL3RleHQvV1RGU3RyaW5nLmNwcAkod29ya2luZyBjb3B5KQpAQCAtNjYzLDcgKzY2Myw3 IEBAIENTdHJpbmcgU3RyaW5nOjp1dGY4KCkgY29uc3QKICAgICAvLyBzaW1wbHkgZW5jb2RlIGl0 IHRvIFVURi04LgogICAgIGlmIChyZXN1bHQgPT0gc291cmNlRXhoYXVzdGVkKSB7CiAgICAgICAg IC8vIFRoaXMgc2hvdWxkIGJlIG9uZSB1bnBhaXJlZCBoaWdoIHN1cnJvZ2F0ZS4KLSAgICAgICAg QVNTRVJUKChjaGFyYWN0ZXJzICsgMSkgPT0gKGNoYXJhY3RlcnMgKyBsZW5ndGgpKTsKKyAgICAg ICAgQVNTRVJUKChjaGFyYWN0ZXJzICsgMSkgPT0gKHRoaXMtPmNoYXJhY3RlcnMoKSArIGxlbmd0 aCkpOwogICAgICAgICBBU1NFUlQoKCpjaGFyYWN0ZXJzID49IDB4RDgwMCkgJiYgKCpjaGFyYWN0 ZXJzIDw9IDB4REJGRikpOwogICAgICAgICAvLyBUaGVyZSBzaG91bGQgYmUgcm9vbSBsZWZ0LCBz aW5jZSBvbmUgVUNoYXIgaGFzbid0IGJlZW4gY29udmVydGVkLgogICAgICAgICBBU1NFUlQoKGJ1 ZmZlciArIDMpIDw9IChidWZmZXIgKyBidWZmZXJWZWN0b3Iuc2l6ZSgpKSk7CkluZGV4OiBMYXlv dXRUZXN0cy9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCShy ZXZpc2lvbiA2Mjk5MSkKKysrIExheW91dFRlc3RzL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpA QCAtMSwzICsxLDEzIEBACisyMDEwLTA3LTA5ICBLZW5uZXRoIFJ1c3NlbGwgIDxrYnJAZ29vZ2xl LmNvbT4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBB c3NlcnRpb24gZmFpbHVyZSBpbiBTdHJpbmc6OnV0ZjgoKSBmb3IgY2VydGFpbiBpbnZhbGlkIFVU RjE2IGlucHV0cworICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/ aWQ9NDE5ODMKKworICAgICAgICAqIGZhc3QvY2FudmFzL3dlYmdsL2ludmFsaWQtVVRGLTE2LWV4 cGVjdGVkLnR4dDogQWRkZWQuCisgICAgICAgICogZmFzdC9jYW52YXMvd2ViZ2wvaW52YWxpZC1V VEYtMTYuaHRtbDogQWRkZWQuCisKIDIwMTAtMDctMDkgIFhpYW9tZWkgSmkgIDx4amlAY2hyb21p dW0ub3JnPgogCiAgICAgICAgIFJldmlld2VkIGJ5IERhdmlkIExldmluLgpJbmRleDogTGF5b3V0 VGVzdHMvZmFzdC9jYW52YXMvd2ViZ2wvaW52YWxpZC1VVEYtMTYtZXhwZWN0ZWQudHh0Cj09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT0KLS0tIExheW91dFRlc3RzL2Zhc3QvY2FudmFzL3dlYmdsL2ludmFsaWQtVVRGLTE2LWV4 cGVjdGVkLnR4dAkocmV2aXNpb24gMCkKKysrIExheW91dFRlc3RzL2Zhc3QvY2FudmFzL3dlYmds L2ludmFsaWQtVVRGLTE2LWV4cGVjdGVkLnR4dAkocmV2aXNpb24gMCkKQEAgLTAsMCArMSwxMCBA QAorVGhpcyB0ZXN0IHZlcmlmaWVzIHRoYXQgdGhlIGludGVybmFsIGNvbnZlcnNpb24gZnJvbSBV VEYxNiB0byBVVEY4IGlzIHJvYnVzdCB0byBpbnZhbGlkIGlucHV0cy4gQW55IERPTSBlbnRyeSBw b2ludCB3aGljaCBjb252ZXJ0cyBhbiBpbmNvbWluZyBzdHJpbmcgdG8gVVRGOCBjb3VsZCBiZSB1 c2VkIGZvciB0aGlzIHRlc3QuCisKK09uIHN1Y2Nlc3MsIHlvdSB3aWxsIHNlZSBhIHNlcmllcyBv ZiAiUEFTUyIgbWVzc2FnZXMsIGZvbGxvd2VkIGJ5ICJURVNUIENPTVBMRVRFIi4KKworCitQQVNT IGJpbmRBdHRyaWJMb2NhdGlvbiB3aXRoIGludmFsaWQgVVRGLTE2IGRpZCBub3QgY3Jhc2gKK1BB U1Mgc3VjY2Vzc2Z1bGx5UGFyc2VkIGlzIHRydWUKKworVEVTVCBDT01QTEVURQorCkluZGV4OiBM YXlvdXRUZXN0cy9mYXN0L2NhbnZhcy93ZWJnbC9pbnZhbGlkLVVURi0xNi5odG1sCj09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT0KLS0tIExheW91dFRlc3RzL2Zhc3QvY2FudmFzL3dlYmdsL2ludmFsaWQtVVRGLTE2Lmh0bWwJ KHJldmlzaW9uIDApCisrKyBMYXlvdXRUZXN0cy9mYXN0L2NhbnZhcy93ZWJnbC9pbnZhbGlkLVVU Ri0xNi5odG1sCShyZXZpc2lvbiAwKQpAQCAtMCwwICsxLDQyIEBACis8aHRtbD4KKzxoZWFkPgor PGxpbmsgcmVsPSJzdHlsZXNoZWV0IiBocmVmPSIuLi8uLi9qcy9yZXNvdXJjZXMvanMtdGVzdC1z dHlsZS5jc3MiPgorPHNjcmlwdCBzcmM9Ii4uLy4uL2pzL3Jlc291cmNlcy9qcy10ZXN0LXByZS5q cyI+PC9zY3JpcHQ+Cis8c2NyaXB0IHNyYz0icmVzb3VyY2VzL3dlYmdsLXRlc3QuanMiPjwvc2Ny aXB0PgorPC9oZWFkPgorPGJvZHk+Cis8cCBpZD0iZGVzY3JpcHRpb24iPjwvcD4KKzxkaXYgaWQ9 ImNvbnNvbGUiPjwvZGl2PgorPHNjcmlwdD4KKyAgICBpZiAod2luZG93LmxheW91dFRlc3RDb250 cm9sbGVyKQorICAgICAgICBsYXlvdXRUZXN0Q29udHJvbGxlci5kdW1wQXNUZXh0KCk7Cis8L3Nj cmlwdD4KKzxzY3JpcHQ+CitkZXNjcmlwdGlvbignVGhpcyB0ZXN0IHZlcmlmaWVzIHRoYXQgdGhl IGludGVybmFsIGNvbnZlcnNpb24gZnJvbSBVVEYxNiB0byBVVEY4IGlzIHJvYnVzdCB0byBpbnZh bGlkIGlucHV0cy4gQW55IERPTSBlbnRyeSBwb2ludCB3aGljaCBjb252ZXJ0cyBhbiBpbmNvbWlu ZyBzdHJpbmcgdG8gVVRGOCBjb3VsZCBiZSB1c2VkIGZvciB0aGlzIHRlc3QuJyk7CisKK3ZhciBh cnJheSA9IFtdOworYXJyYXkucHVzaChTdHJpbmcuZnJvbUNoYXJDb2RlKDB4NDgpKTsgLy8gSAor YXJyYXkucHVzaChTdHJpbmcuZnJvbUNoYXJDb2RlKDB4NjkpKTsgLy8gaQorYXJyYXkucHVzaChT dHJpbmcuZnJvbUNoYXJDb2RlKDB4ZDg3ZSkpOyAvLyBCb2d1cwordmFyIHN0cmluZyA9IGFycmF5 LmpvaW4oJycpOworCisvLyBJbiBvcmRlciB0byBtYWtlIHRoaXMgdGVzdCBub3QgZGVwZW5kIG9u IFdlYkdMLCB0aGUgZm9sbG93aW5nIHdlcmUKKy8vIGF0dGVtcHRlZDoKKy8vICAtIFNlbmQgYSBz dHJpbmcgdG8gY29uc29sZS5sb2cKKy8vICAtIFN1Ym1pdCBhIG1haWx0bzogZm9ybSBjb250YWlu aW5nIGEgdGV4dCBpbnB1dCB3aXRoIHRoZSBib2d1cworLy8gICAgc3RyaW5nCisvLyBUaGUgZmly c3QgY29kZSBwYXRoIGRvZXMgbm90IHBlcmZvcm0gYSB1dGY4IGNvbnZlcnNpb24gb2YgdGhlCisv LyBpbmNvbWluZyBzdHJpbmcgdW5sZXNzIENvbnNvbGU6OnNob3VsZFByaW50RXhjZXB0aW9ucygp IHJldHVybnMKKy8vIHRydWUuIFRoZSBzZWNvbmQgc2VlbXMgdG8gc2FuaXRpemUgdGhlIGZvcm0n cyBpbnB1dCBiZWZvcmUKKy8vIGNvbnZlcnRpbmcgaXQgdG8gYSBVVEY4IHN0cmluZy4KKwordmFy IGdsID0gY3JlYXRlM0RDb250ZXh0KG51bGwpOwordmFyIHByb2dyYW0gPSBnbC5jcmVhdGVQcm9n cmFtKCk7CitnbC5iaW5kQXR0cmliTG9jYXRpb24ocHJvZ3JhbSwgMCwgc3RyaW5nKTsKK3Rlc3RQ YXNzZWQoImJpbmRBdHRyaWJMb2NhdGlvbiB3aXRoIGludmFsaWQgVVRGLTE2IGRpZCBub3QgY3Jh c2giKTsKKworc3VjY2Vzc2Z1bGx5UGFyc2VkID0gdHJ1ZTsKKzwvc2NyaXB0PgorPHNjcmlwdCBz cmM9Ii4uLy4uL2pzL3Jlc291cmNlcy9qcy10ZXN0LXBvc3QuanMiPjwvc2NyaXB0PgorPC9ib2R5 PgorPC9odG1sPgo=