Bug 41983

Summary: Assertion failure in String::utf8() for certain invalid UTF16 inputs
Product: WebKit
Reporter: Kenneth Russell <kbr>
Component: Web Template Framework
Assignee: Kenneth Russell <kbr>
Status: RESOLVED FIXED
Severity: Normal
CC: barraclough, cmarrin, darin, dglazkov, oliver, zmo
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All

Attachments:
Patch (flags: dglazkov: review+, kbr: commit-queue-)

Description Kenneth Russell 2010-07-09 13:47:25 PDT
If the UTF16 data in a String contains a high surrogate as its last character, and convertUTF16ToUTF8 (JavaScriptCore/wtf/unicode/UTF8.cpp) thereby returns sourceExhausted, the following assert in WTFString.cpp (~line 666) will fail:

ASSERT((characters + 1) == (characters + length));

It looks to me like this assertion should be:

ASSERT((characters + 1) == (this->characters() + length));

Patch coming. I've tried to provoke this crash by sending down invalid String inputs from JavaScript to a couple of DOM entry points, but the only way I've been able to get String::utf8() called on arbitrary JavaScript string inputs is via WebGL APIs.
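The failing check described in the report, reproduced in an added illustration that is not part of the bug report or of WebKit's code: a minimal non-strict UTF-16 to UTF-8 converter written in the shape of the ConvertUTF-style API the report refers to (the function name and status values are assumptions modelled on that API), plus a wrapper that evaluates both the original and the corrected form of the assertion. Because the converter advances `characters` as it consumes input, `(characters + 1) == (characters + length)` can only hold when the string is a single code unit long; measuring from the start of the buffer, as the proposed fix does, is the invariant that actually holds when one trailing high surrogate is left unconverted.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Added illustration, not WebKit's code. The converter below mimics the shape
// of the ConvertUTF-style API (advance *sourceStart, return a status code);
// its name and the status values are assumptions modelled on that API.
typedef char16_t UChar;

enum ConversionResult { conversionOK, sourceExhausted };

// Encode one code point (or, in non-strict mode, one unpaired surrogate code
// unit) as UTF-8 bytes.
static void appendUTF8(std::string& out, uint32_t ch)
{
    if (ch < 0x80) {
        out.push_back(static_cast<char>(ch));
    } else if (ch < 0x800) {
        out.push_back(static_cast<char>(0xC0 | (ch >> 6)));
        out.push_back(static_cast<char>(0x80 | (ch & 0x3F)));
    } else if (ch < 0x10000) {
        out.push_back(static_cast<char>(0xE0 | (ch >> 12)));
        out.push_back(static_cast<char>(0x80 | ((ch >> 6) & 0x3F)));
        out.push_back(static_cast<char>(0x80 | (ch & 0x3F)));
    } else {
        out.push_back(static_cast<char>(0xF0 | (ch >> 18)));
        out.push_back(static_cast<char>(0x80 | ((ch >> 12) & 0x3F)));
        out.push_back(static_cast<char>(0x80 | ((ch >> 6) & 0x3F)));
        out.push_back(static_cast<char>(0x80 | (ch & 0x3F)));
    }
}

// Non-strict UTF-16 -> UTF-8. Unpaired surrogates in the middle of the input
// are encoded as-is. A high surrogate that is the final code unit cannot be
// resolved, so the converter stops with *sourceStart pointing at it and
// returns sourceExhausted; this is the case the bug report is about.
ConversionResult convertUTF16ToUTF8(const UChar** sourceStart, const UChar* sourceEnd, std::string& out)
{
    const UChar* source = *sourceStart;
    while (source < sourceEnd) {
        uint32_t ch = *source;
        if (ch >= 0xD800 && ch <= 0xDBFF) {
            if (source + 1 >= sourceEnd) {
                *sourceStart = source;   // leave the caller at the unconverted unit
                return sourceExhausted;
            }
            uint32_t low = source[1];
            if (low >= 0xDC00 && low <= 0xDFFF) {
                ch = 0x10000 + ((ch - 0xD800) << 10) + (low - 0xDC00);
                ++source;                // the low surrogate is consumed too
            }
        }
        ++source;
        appendUTF8(out, ch);
    }
    *sourceStart = source;
    return conversionOK;
}

struct Utf8Outcome {
    bool buggyCheck;   // (characters + 1) == (characters + length)
    bool fixedCheck;   // (characters + 1) == (start + length)
    std::string bytes;
};

// Models the tail of a String::utf8()-style routine: run the converter and, if
// the source was exhausted, verify that exactly one code unit (the trailing
// high surrogate) remains before encoding it. Both forms of the assertion are
// evaluated so the caller can see which one holds.
Utf8Outcome stringToUTF8(const std::vector<UChar>& s)
{
    const UChar* start = s.data();
    const UChar* characters = start;
    size_t length = s.size();
    Utf8Outcome r = { true, true, std::string() };

    ConversionResult result = convertUTF16ToUTF8(&characters, start + length, r.bytes);
    if (result == sourceExhausted) {
        // 'characters' has been advanced, so adding 'length' to it overshoots
        // the end of the buffer unless the string is one code unit long.
        r.buggyCheck = (characters + 1) == (characters + length);
        // Measuring from the start of the buffer is the correct invariant.
        r.fixedCheck = (characters + 1) == (start + length);
        appendUTF8(r.bytes, *characters);
    }
    return r;
}
```

Feeding the wrapper a two-unit string such as `{ 0x0041, 0xD83D }` shows the split: the original check evaluates to false while the corrected one is true, and the trailing surrogate is still written out as three bytes exactly as an unpaired surrogate in mid-string would be.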
Comment 1 Kenneth Russell 2010-07-09 13:55:25 PDT
Created attachment 61085
Patch

From the ChangeLog:

Fixed assertion when sourceExhausted is returned from convertUTF16ToUTF8.
Comment 2 Dimitri Glazkov (Google) 2010-07-09 14:21:32 PDT
Comment on attachment 61085
Patch

Awesome :)
Comment 3 Kenneth Russell 2010-07-09 17:34:31 PDT
Committed r63016: <http://trac.webkit.org/changeset/63016>