Bug 176232

Summary: transformCanLikelyUseFastPath() can read off the end of a string
Product: WebKit
Reporter: Simon Fraser (smfr) <simon.fraser>
Component: New Bugs
Assignee: Simon Fraser (smfr) <simon.fraser>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, darin, dino, simon.fraser, thorton, zalan
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments: Patch (flags: none)

Description Simon Fraser (smfr) 2017-09-01 10:47:48 PDT
transformCanLikelyUseFastPath() can read off the end of a string
Comment 1 Simon Fraser (smfr) 2017-09-01 10:53:36 PDT
Created attachment 319617 [details]
Patch
Comment 2 Simon Fraser (smfr) 2017-09-01 10:54:01 PDT
rdar://problem/33851237
Comment 3 WebKit Commit Bot 2017-09-01 11:49:05 PDT
Comment on attachment 319617 [details]
Patch

Clearing flags on attachment: 319617

Committed r221488: <http://trac.webkit.org/changeset/221488>
Comment 4 WebKit Commit Bot 2017-09-01 11:49:06 PDT
All reviewed patches have been landed.  Closing bug.
Comment 5 Darin Adler 2017-09-03 17:12:49 PDT
Comment on attachment 319617 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=319617&action=review

> Source/WebCore/ChangeLog:11
> +        Code added in r220382 could read one byte past the end of the string when looking for the 'z'
> +        of a rotateZ() function. The code was actually incorrect, testing for the 'z at i+6 after
> +        already incrementing i by 6. This patch makes the code correctly detect rotateZ().
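Review bot: in the second ChangeLog line, `the 'z at i+6` is missing its closing quote; it should read `the 'z' at i+6` so it matches the `'z'` spelling on the line above.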

Is there a test we can write that would have failed before because of the bad "z" check?

> Source/WebCore/css/parser/CSSParserFastPaths.cpp:1271
> -            if (toASCIILower(chars[i + 6]) == 'z')
> +            if (toASCIILower(chars[i]) == 'z')
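Review bot: the corrected line still reads `chars[i]` without any visible guarantee that `i` is inside the buffer, and neither the preceding `i += 6` advance nor a length check appears in this hunk, even though the ChangeLog names this site as the source of the one-byte-past-the-end read. Including one more line of context above the `if`, or putting the 'z' test under an explicit `i < length` check, would make it evident from the diff alone that the read is now in bounds.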

Not that this tiny bit of efficiency matters, but all of these can be written more efficiently:

    if (isASCIIAlphaCaselessEqual(chars[i], 'z'))

Same applies for all the other checks above.
Comment 6 Simon Fraser (smfr) 2017-09-05 08:52:13 PDT
(In reply to Darin Adler from comment #5)
> Comment on attachment 319617 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=319617&action=review
> 
> > Source/WebCore/ChangeLog:11
> > +        Code added in r220382 could read one byte past the end of the string when looking for the 'z'
> > +        of a rotateZ() function. The code was actually incorrect, testing for the 'z at i+6 after
> > +        already incrementing i by 6. This patch makes the code correctly detect rotateZ().
> 
> Is there a test we can write that would have failed before because of the
> bad "z" check?

No, because we'd just fail the fast parsing and fall back to normal parsing (which is not detectable).

> > Source/WebCore/css/parser/CSSParserFastPaths.cpp:1271
> > -            if (toASCIILower(chars[i + 6]) == 'z')
> > +            if (toASCIILower(chars[i]) == 'z')
> 
> Not that this tiny bit of efficiency matters, but all of these can be
> written more efficiently:
> 
>     if (isASCIIAlphaCaselessEqual(chars[i], 'z'))
> 
> Same applies for all the other checks above.

Good to know, will fix.
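As an added illustration of the defect discussed in comments 5 and 6, the following is example code written for this page, not WebKit's own CSSParserFastPaths.cpp. The function names, the ScanResult struct, the bounds-tracking charAt helper, the asciiCaselessEqual helper (a stand-in for the isASCIIAlphaCaselessEqual idiom Darin mentions) and the sample inputs are all constructed for the example. It places the buggy shape from the ChangeLog (advance i by 6, then test chars[i + 6]) next to a version that tests chars[i] only after confirming the index exists, and records any out-of-range index instead of dereferencing it.

```cpp
#include <cstddef>
#include <string>

// Result of scanning for a rotateZ( prefix with a bounds-tracking reader.
// Constructed for this example; not a WebKit type.
struct ScanResult {
    bool matchedRotateZ = false;  // did the scan conclude the token is rotateZ?
    bool outOfBoundsRead = false; // was an index >= length ever requested?
};

// Bounds-tracking character read. A real parser would simply index the buffer;
// here an out-of-range index is recorded instead of dereferenced so the buggy
// variant can be exercised safely.
static char charAt(const std::string& s, size_t index, ScanResult& r)
{
    if (index >= s.size()) {
        r.outOfBoundsRead = true;
        return '\0';
    }
    return s[index];
}

// Case-insensitive equality of an ASCII character with a lowercase letter,
// in the spirit of the isASCIIAlphaCaselessEqual idiom mentioned in the review
// (hypothetical reimplementation, not WebKit's).
static bool asciiCaselessEqual(char c, char lowerLetter)
{
    return c == lowerLetter || c == static_cast<char>(lowerLetter - ('a' - 'A'));
}

// True if s[i..] begins with the lowercase ASCII prefix, ignoring case.
// The length test comes first so no read can go past the end.
static bool startsWithCaseless(const std::string& s, size_t i, const char* lowerPrefix, ScanResult& r)
{
    size_t n = 0;
    while (lowerPrefix[n])
        ++n;
    if (i > s.size() || s.size() - i < n)
        return false;
    for (size_t k = 0; k < n; ++k) {
        if (!asciiCaselessEqual(charAt(s, i + k, r), lowerPrefix[k]))
            return false;
    }
    return true;
}

// Buggy shape described in the ChangeLog: i is advanced past "rotate" and then
// the 'z' is looked for at i + 6, which is both the wrong character and, for
// short inputs, past the end of the buffer.
ScanResult scanRotateZBuggy(const std::string& s, size_t i)
{
    ScanResult r;
    if (!startsWithCaseless(s, i, "rotate", r))
        return r;
    i += 6;
    if (asciiCaselessEqual(charAt(s, i + 6, r), 'z'))
        r.matchedRotateZ = true;
    return r;
}

// Fixed shape: after advancing i past "rotate", test the character at i itself,
// and only after confirming that index exists.
ScanResult scanRotateZFixed(const std::string& s, size_t i)
{
    ScanResult r;
    if (!startsWithCaseless(s, i, "rotate", r))
        return r;
    i += 6;
    if (i < s.size() && asciiCaselessEqual(charAt(s, i, r), 'z'))
        r.matchedRotateZ = true;
    return r;
}
```

Running scanRotateZBuggy on a short input such as "rotateZ(" requests index 12 of an 8-character string, which the tracking reader flags; on a longer input such as "rotateZ(45deg)" the read stays in bounds but lands on the wrong character, so the function never recognises rotateZ and the fast path is silently skipped, which is why, as Simon notes in comment 6, no layout test could observe the bug. The fixed variant matches "rotateZ(" and "ROTATEz(" and reads nothing past the end even for the bare input "rotate".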