Bug 176232

Summary: transformCanLikelyUseFastPath() can read off the end of a string
Product: WebKit Reporter: Simon Fraser (smfr) <simon.fraser>
Component: New BugsAssignee: Simon Fraser (smfr) <simon.fraser>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, darin, dino, simon.fraser, thorton, zalan
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Simon Fraser (smfr)
Reported 2017-09-01 10:47:48 PDT
transformCanLikelyUseFastPath() can read off the end of a string
Attachments
Patch (5.38 KB, patch)
2017-09-01 10:53 PDT, Simon Fraser (smfr) 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Simon Fraser (smfr)
Comment 1 2017-09-01 10:53:36 PDT
Created attachment 319617 [details] Patch
Simon Fraser (smfr)
Comment 2 2017-09-01 10:54:01 PDT
rdar://problem/33851237
WebKit Commit Bot
Comment 3 2017-09-01 11:49:05 PDT
Comment on attachment 319617 [details] Patch Clearing flags on attachment: 319617 Committed r221488: <http://trac.webkit.org/changeset/221488>
WebKit Commit Bot
Comment 4 2017-09-01 11:49:06 PDT
All reviewed patches have been landed. Closing bug.
Darin Adler
Comment 5 2017-09-03 17:12:49 PDT
Comment on attachment 319617 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=319617&action=review > Source/WebCore/ChangeLog:11 > + Code added in r220382 could read one byte past the end of the string when looking for the 'z' > + of a rotateZ() function. The code was actually incorrect, testing for the 'z at i+6 after > + already incrementing i by 6. This patch makes the code correctly detect rotateZ(). Is there a test we can write that would have failed before because of the bad "z" check? > Source/WebCore/css/parser/CSSParserFastPaths.cpp:1271 > - if (toASCIILower(chars[i + 6]) == 'z') > + if (toASCIILower(chars[i]) == 'z') Not that this tiny bit of efficiency matters, but all of these can be written more efficiently: if (isASCIIAlphaCaselessEqual(chars[i], 'z')) Same applies for all the other checks above.
Simon Fraser (smfr)
Comment 6 2017-09-05 08:52:13 PDT
(In reply to Darin Adler from comment #5) > Comment on attachment 319617 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=319617&action=review > > > Source/WebCore/ChangeLog:11 > > + Code added in r220382 could read one byte past the end of the string when looking for the 'z' > > + of a rotateZ() function. The code was actually incorrect, testing for the 'z at i+6 after > > + already incrementing i by 6. This patch makes the code correctly detect rotateZ(). > > Is there a test we can write that would have failed before because of the > bad "z" check? No, becuasse we'd just fail the fast parsing and fall back to normal parsing (which is not detectable). > > Source/WebCore/css/parser/CSSParserFastPaths.cpp:1271 > > - if (toASCIILower(chars[i + 6]) == 'z') > > + if (toASCIILower(chars[i]) == 'z') > > Not that this tiny bit of efficiency matters, but all of these can be > written more efficiently: > > if (isASCIIAlphaCaselessEqual(chars[i], 'z')) > > Same applies for all the other checks above. Good to know, will fix.
Note You need to log in before you can comment on or make changes to this bug.