Bug 41983 - Assertion failure in String::utf8() for certain invalid UTF16 inputs
Summary: Assertion failure in String::utf8() for certain invalid UTF16 inputs
Alias: None
Product: WebKit
Classification: Unclassified
Component: Web Template Framework
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Kenneth Russell
Depends on:
Reported: 2010-07-09 13:47 PDT by Kenneth Russell
Modified: 2010-07-09 17:34 PDT
CC: 6 users

See Also:

Patch (4.41 KB, patch)
2010-07-09 13:55 PDT, Kenneth Russell
dglazkov: review+
kbr: commit-queue-

Description Kenneth Russell 2010-07-09 13:47:25 PDT
If the UTF16 data in a String contains a high surrogate as its last character, and convertUTF16ToUTF8 (JavaScriptCore/wtf/unicode/UTF8.cpp) thereby returns sourceExhausted, the following assert in WTFString.cpp (~line 666) will fail:

ASSERT((characters + 1) == (characters + length));

It looks to me like this assertion should be:

ASSERT((characters + 1) == (this->characters() + length));

Patch coming. I've tried to provoke this crash by sending down invalid String inputs from JavaScript to a couple of DOM entry points, but the only way I've been able to get String::utf8() called on arbitrary JavaScript string inputs is via WebGL APIs.
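As an added illustration (not WebKit's code and not the patch attached to this bug), a simplified UTF-16 to UTF-8 converter that uses the result codes the report names, together with a caller shaped like the conversion in String::utf8() as the report describes it. The caller records whether each form of the assertion would hold, so the difference between `characters + length` and `this->characters() + length` is visible on a concrete input. The enum, the `Utf8Result` struct, `toUTF8` and the sample inputs are this example's own constructions.

```cpp
// Added example, not WebKit/WTF code: a simplified UTF-16 -> UTF-8 converter
// using the result codes the report names, and a caller that records which
// form of the assertion holds when the input ends in a lone high surrogate.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

typedef uint16_t UChar;

// Result codes as named in the report; the enum itself is this example's own.
enum ConversionResult { conversionOK, sourceExhausted, targetExhausted, sourceIllegal };

// Converts UTF-16 in [*sourceStart, sourceEnd) to UTF-8 in [*targetStart, targetEnd).
// On return *sourceStart and *targetStart point just past what was consumed and
// written. A high surrogate that is the last code unit cannot be paired, so the
// converter leaves it unconsumed and returns sourceExhausted (the bug's trigger).
ConversionResult convertUTF16ToUTF8(const UChar** sourceStart, const UChar* sourceEnd,
                                    char** targetStart, char* targetEnd, bool strict)
{
    const UChar* source = *sourceStart;
    char* target = *targetStart;
    ConversionResult result = conversionOK;
    while (source < sourceEnd) {
        const UChar* oldSource = source;
        uint32_t ch = *source++;
        if (ch >= 0xD800 && ch <= 0xDBFF) {                  // high surrogate
            if (source >= sourceEnd) {                       // no unit left to pair with
                source = oldSource;
                result = sourceExhausted;
                break;
            }
            uint32_t ch2 = *source;
            if (ch2 >= 0xDC00 && ch2 <= 0xDFFF) {            // valid low surrogate
                ch = 0x10000 + ((ch - 0xD800) << 10) + (ch2 - 0xDC00);
                ++source;
            } else if (strict) {                             // high surrogate not followed by a low one
                source = oldSource;
                result = sourceIllegal;
                break;
            }
        } else if (strict && ch >= 0xDC00 && ch <= 0xDFFF) { // unpaired low surrogate
            source = oldSource;
            result = sourceIllegal;
            break;
        }
        int bytes = ch < 0x80 ? 1 : ch < 0x800 ? 2 : ch < 0x10000 ? 3 : 4;
        if (target + bytes > targetEnd) {
            source = oldSource;
            result = targetExhausted;
            break;
        }
        if (bytes == 1) {
            *target++ = static_cast<char>(ch);
        } else if (bytes == 2) {
            *target++ = static_cast<char>(0xC0 | (ch >> 6));
            *target++ = static_cast<char>(0x80 | (ch & 0x3F));
        } else if (bytes == 3) {
            *target++ = static_cast<char>(0xE0 | (ch >> 12));
            *target++ = static_cast<char>(0x80 | ((ch >> 6) & 0x3F));
            *target++ = static_cast<char>(0x80 | (ch & 0x3F));
        } else {
            *target++ = static_cast<char>(0xF0 | (ch >> 18));
            *target++ = static_cast<char>(0x80 | ((ch >> 12) & 0x3F));
            *target++ = static_cast<char>(0x80 | ((ch >> 6) & 0x3F));
            *target++ = static_cast<char>(0x80 | (ch & 0x3F));
        }
    }
    *sourceStart = source;
    *targetStart = target;
    return result;
}

struct Utf8Result {
    std::string bytes;
    bool originalAssertHolds; // (characters + 1) == (characters + length)
    bool fixedAssertHolds;    // (characters + 1) == (this->characters() + length)
};

// Shaped like the conversion in String::utf8() as the report describes it:
// `begin` plays the role of this->characters(), `characters` is the cursor the
// converter advances.
Utf8Result toUTF8(const UChar* begin, size_t length)
{
    std::vector<char> buffer(length * 3 + 1); // 3 UTF-8 bytes per UTF-16 unit is the worst case
    const UChar* characters = begin;
    char* target = buffer.data();
    ConversionResult r = convertUTF16ToUTF8(&characters, begin + length,
                                            &target, buffer.data() + buffer.size(), true);
    Utf8Result out;
    out.bytes.assign(buffer.data(), target);
    out.originalAssertHolds = true;
    out.fixedAssertHolds = true;
    if (r == sourceExhausted) {
        // The cursor stopped on the unpaired trailing surrogate, one unit short
        // of the end of the original buffer ...
        out.fixedAssertHolds = (characters + 1) == (begin + length);
        // ... but measured from the advanced cursor, "one short of the end"
        // coincides with `characters + length` only when length == 1.
        out.originalAssertHolds = (characters + 1) == (characters + length);
    }
    return out;
}

// Constructed sample inputs (not taken from the report).
static const UChar kTrailingHighSurrogate[] = { 0x0041, 0xD800 }; // "A" then a lone high surrogate
static const UChar kLoneHighSurrogateOnly[] = { 0xD800 };         // length 1: both assertions agree
static const UChar kValidPair[] = { 0xD83D, 0xDE00 };             // U+1F600, a well-formed pair

int main()
{
    Utf8Result r = toUTF8(kTrailingHighSurrogate, 2);
    std::cout << "bytes=" << r.bytes.size() << " original=" << r.originalAssertHolds
              << " fixed=" << r.fixedAssertHolds << "\n"; // bytes=1 original=0 fixed=1
    return 0;
}
```

The two-unit input is the smallest case that separates the two assertions: the converter emits "A", stops on the trailing high surrogate, and the original comparison fails because it measures the string length from the already advanced cursor. With a single lone surrogate the two forms coincide, which is why a one-character test would not have exposed the defect.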
Comment 1 Kenneth Russell 2010-07-09 13:55:25 PDT
Created attachment 61085

From the ChangeLog:

Fixed assertion when sourceExhausted is returned from convertUTF16ToUTF8.
Comment 2 Dimitri Glazkov (Google) 2010-07-09 14:21:32 PDT
Comment on attachment 61085

Awesome :)
Comment 3 Kenneth Russell 2010-07-09 17:34:31 PDT
Committed r63016: <http://trac.webkit.org/changeset/63016>