Bug 41983

Summary: Assertion failure in String::utf8() for certain invalid UTF16 inputs
Product: WebKit    Reporter: Kenneth Russell <kbr>
Component: Web Template Framework    Assignee: Kenneth Russell <kbr>
Status: RESOLVED FIXED
Severity: Normal    CC: barraclough, cmarrin, darin, dglazkov, oliver, zmo
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments: Patch (flags: dglazkov: review+, kbr: commit-queue-)

Kenneth Russell
Reported 2010-07-09 13:47:25 PDT
If the UTF16 data in a String contains a high surrogate as its last character, and convertUTF16ToUTF8 (JavaScriptCore/wtf/unicode/UTF8.cpp) thereby returns sourceExhausted, the following assert in WTFString.cpp (~line 666) will fail:

    ASSERT((characters + 1) == (characters + length));

It looks to me like this assertion should be:

    ASSERT((characters + 1) == (this->characters() + length));

Patch coming. I've tried to provoke this crash by sending down invalid String inputs from JavaScript to a couple of DOM entry points, but the only way I've been able to get String::utf8() called on arbitrary JavaScript string inputs is via WebGL APIs.
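An added example, not WebKit's code, of the pattern the report describes: a strict UTF-16 to UTF-8 converter that advances its source pointer in place and returns sourceExhausted when a high surrogate is the last code unit, plus a caller in the style of String::utf8() whose end-of-buffer check compares against the start of the buffer rather than the already-advanced pointer. All names (ConversionResult, utf16ToUtf8Lossy, checkUtf8) are constructed for illustration.

```cpp
#include <cstdint>
#include <string>
#include <vector>
// Constructed stand-in for WTF's ConversionResult (not WebKit's code).
enum ConversionResult { conversionOK, sourceExhausted, sourceIllegal };
// Strict UTF-16 -> UTF-8. Like the WTF converter it advances *sourceStart in
// place, so after an early stop it points at the code unit that stopped it.
static ConversionResult convertUTF16ToUTF8(const uint16_t** sourceStart,
                                           const uint16_t* sourceEnd, std::string& out) {
    const uint16_t* source = *sourceStart;
    while (source < sourceEnd) {
        uint32_t ch = *source;
        if (ch >= 0xDC00 && ch <= 0xDFFF) { *sourceStart = source; return sourceIllegal; }
        if (ch >= 0xD800 && ch <= 0xDBFF) {   // high surrogate: needs a low one after it
            if (source + 1 == sourceEnd) { *sourceStart = source; return sourceExhausted; }
            uint32_t low = source[1];
            if (low < 0xDC00 || low > 0xDFFF) { *sourceStart = source; return sourceIllegal; }
            ch = 0x10000 + ((ch - 0xD800) << 10) + (low - 0xDC00);
            ++source;
        }
        ++source;
        if (ch < 0x80) out += char(ch);
        else if (ch < 0x800) { out += char(0xC0 | (ch >> 6)); out += char(0x80 | (ch & 0x3F)); }
        else if (ch < 0x10000) { out += char(0xE0 | (ch >> 12)); out += char(0x80 | ((ch >> 6) & 0x3F)); out += char(0x80 | (ch & 0x3F)); }
        else { out += char(0xF0 | (ch >> 18)); out += char(0x80 | ((ch >> 12) & 0x3F)); out += char(0x80 | ((ch >> 6) & 0x3F)); out += char(0x80 | (ch & 0x3F)); }
    }
    *sourceStart = source;
    return conversionOK;
}

// Caller in the style of String::utf8(): accept exactly one unpaired high
// surrogate at the very end (replaced by U+FFFD), reject any other early stop.
bool utf16ToUtf8Lossy(const std::vector<uint16_t>& str, std::string& out) {
    const uint16_t* characters = str.data();
    size_t length = str.size();
    ConversionResult result = convertUTF16ToUTF8(&characters, characters + length, out);
    if (result == sourceExhausted) {
        // `characters` was advanced, so `characters + 1 == characters + length` (the
        // assert on the page) is wrong; the buffer end is str.data() + length.
        if (characters + 1 != str.data() + length) return false;
        if (*characters < 0xD800 || *characters > 0xDBFF) return false;
        out += "\xEF\xBF\xBD";
        return true;
    }
    return result == conversionOK;
}
// Test helper: true when conversion succeeds and yields exactly `expected`.
bool checkUtf8(const std::vector<uint16_t>& in, const std::string& expected) {
    std::string out;
    return utf16ToUtf8Lossy(in, out) && out == expected;
}
```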
Attachments
Patch (4.41 KB, patch)
2010-07-09 13:55 PDT, Kenneth Russell
dglazkov: review+
kbr: commit-queue-
Kenneth Russell
Comment 1 2010-07-09 13:55:25 PDT
Created attachment 61085 [details]
Patch

From the ChangeLog: Fixed assertion when sourceExhausted is returned from convertUTF16ToUTF8.
Dimitri Glazkov (Google)
Comment 2 2010-07-09 14:21:32 PDT
Comment on attachment 61085 [details]
Patch

Awesome :)
Kenneth Russell
Comment 3 2010-07-09 17:34:31 PDT