Bug 41983 - Assertion failure in String::utf8() for certain invalid UTF16 inputs
Summary: Assertion failure in String::utf8() for certain invalid UTF16 inputs
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Web Template Framework (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Kenneth Russell
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-07-09 13:47 PDT by Kenneth Russell
Modified: 2010-07-09 17:34 PDT (History)
6 users (show)

See Also:

Attachments
Patch (4.41 KB, patch)
2010-07-09 13:55 PDT, Kenneth Russell 		dglazkov: review+
kbr: commit-queue-
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Kenneth Russell 2010-07-09 13:47:25 PDT 
If the UTF16 data in a String contains a high surrogate as its last character, and convertUTF16ToUTF8 (JavaScriptCore/wtf/unicode/UTF8.cpp) thereby returns sourceExhausted, the following assert in WTFString.cpp (~line 666) will fail:

ASSERT((characters + 1) == (characters + length));

It looks to me like this assertion should be:

ASSERT((characters + 1) == (this->characters() + length));

Patch coming. I've tried to provoke this crash by sending down invalid String inputs from JavaScript to a couple of DOM entry points, but the only way I've been able to get String::utf8() called on arbitrary JavaScript string inputs is via WebGL APIs.
Comment 1 Kenneth Russell 2010-07-09 13:55:25 PDT 
Created attachment 61085 [details]
Patch

From the ChangeLog:

Fixed assertion when sourceExhausted is returned from convertUTF16ToUTF8.
Comment 2 Dimitri Glazkov (Google) 2010-07-09 14:21:32 PDT 
Comment on attachment 61085 [details]
Patch

Awesome :)
Comment 3 Kenneth Russell 2010-07-09 17:34:31 PDT 
Committed r63016: <http://trac.webkit.org/changeset/63016>