[Minor] Css: Fix OOB reading

author Vsevolod Stakhov <vsevolod@highsecure.ru>

Mon, 10 May 2021 19:32:12 +0000 (20:32 +0100)

committer Vsevolod Stakhov <vsevolod@highsecure.ru>

Mon, 10 May 2021 19:32:12 +0000 (20:32 +0100)
author Vsevolod Stakhov <vsevolod@highsecure.ru>
Mon, 10 May 2021 19:32:12 +0000 (20:32 +0100)
committer Vsevolod Stakhov <vsevolod@highsecure.ru>
Mon, 10 May 2021 19:32:12 +0000 (20:32 +0100)
diff --git a/src/libserver/css/css_parser.cxx b/src/libserver/css/css_parser.cxx

index 2af484043723c844466f3bae2aeb6a858d9f5b9b..9f93a7e2544886f878fd963c1b62aad21ef5828d 100644 (file)
--- a/src/libserver/css/css_parser.cxx
+++ b/src/libserver/css/css_parser.cxx
@@ -836,6 +836,7 @@ TEST_SUITE("css parser") {
                         ".chat-icon[_ng-cnj-c0]::before{content:url(group-2.63e87cd21fbf8c966dd.svg);width:60px;height:60px;display:block}",
                         "tt{color:#1e3482}",
                         "tt{unicode-range: u+0049-u+004a,u+0020;}",
+                       "@import url(https://fonts.googleapis.com/css?family=arial:300,400,7000;",
                 };
  
                 rspamd_mempool_t *pool = rspamd_mempool_new(rspamd_mempool_suggest_size(),
diff --git a/src/libserver/css/css_tokeniser.cxx b/src/libserver/css/css_tokeniser.cxx

index 8d08eb7a208f0c10896853c31ed9434614b4a769..d07b017a384a4f509768a16b489d06b14398fbfc 100644 (file)
--- a/src/libserver/css/css_tokeniser.cxx
+++ b/src/libserver/css/css_tokeniser.cxx
@@ -250,7 +250,7 @@ auto css_tokeniser::consume_ident(bool allow_number) -> struct css_parser_token
                                 }
  
                                 if (input.size() - offset > 3 && input.substr(offset, 3) == "url") {
-                                       if (input[j] == '"' || input[j] == '\'') {
+                                       if (j < input.size() && (input[j] == '"' || input[j] == '\'')) {
                                                 /* Function token */
                                                 auto ret = maybe_escape_sv(i,
                                                                 css_parser_token::token_type::function_token);
@@ -262,7 +262,7 @@ auto css_tokeniser::consume_ident(bool allow_number) -> struct css_parser_token
                                                         j++;
                                                 }
  
-                                               if (input[j] == ')') {
+                                               if (j < input.size() && input[j] == ')') {
                                                         /* Valid url token */
                                                         auto ret = maybe_escape_sv(j + 1,
                                                                         css_parser_token::token_type::url_token);
author	Vsevolod Stakhov <vsevolod@highsecure.ru>
	Mon, 10 May 2021 19:32:12 +0000 (20:32 +0100)
committer	Vsevolod Stakhov <vsevolod@highsecure.ru>
	Mon, 10 May 2021 19:32:12 +0000 (20:32 +0100)
src/libserver/css/css_parser.cxx		patch \| blob \| blame \| history
src/libserver/css/css_tokeniser.cxx		patch \| blob \| blame \| history