From: Vsevolod Stakhov
Date: Mon, 10 May 2021 19:32:12 +0000 (+0100)
Subject: [Minor] Css: Fix OOB reading
X-Git-Tag: 3.0~423
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6d6bd488d30014ff95b5e4714142637768c87241;p=thirdparty%2Frspamd.git

[Minor] Css: Fix OOB reading
---
diff --git a/src/libserver/css/css_parser.cxx b/src/libserver/css/css_parser.cxx
index 2af4840437..9f93a7e254 100644
--- a/src/libserver/css/css_parser.cxx
+++ b/src/libserver/css/css_parser.cxx
@@ -836,6 +836,7 @@ TEST_SUITE("css parser") {
 ".chat-icon[_ng-cnj-c0]::before{content:url(group-2.63e87cd21fbf8c966dd.svg);width:60px;height:60px;display:block}",
 "tt{color:#1e3482}",
 "tt{unicode-range: u+0049-u+004a,u+0020;}",
+ "@import url(https://fonts.googleapis.com/css?family=arial:300,400,7000;",
 };

 rspamd_mempool_t *pool = rspamd_mempool_new(rspamd_mempool_suggest_size(),
diff --git a/src/libserver/css/css_tokeniser.cxx b/src/libserver/css/css_tokeniser.cxx
index 8d08eb7a20..d07b017a38 100644
--- a/src/libserver/css/css_tokeniser.cxx
+++ b/src/libserver/css/css_tokeniser.cxx
@@ -250,7 +250,7 @@ auto css_tokeniser::consume_ident(bool allow_number) -> struct css_parser_token
 }

 if (input.size() - offset > 3 && input.substr(offset, 3) == "url") {
- if (input[j] == '"' || input[j] == '\'') {
+ if (j < input.size() && (input[j] == '"' || input[j] == '\'')) {
 /* Function token */
 auto ret = maybe_escape_sv(i,
 css_parser_token::token_type::function_token);
@@ -262,7 +262,7 @@ auto css_tokeniser::consume_ident(bool allow_number) -> struct css_parser_token
 j++;
 }

- if (input[j] == ')') {
+ if (j < input.size() && input[j] == ')') {
 /* Valid url token */
 auto ret = maybe_escape_sv(j + 1,
 css_parser_token::token_type::url_token);
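Review bot: The string added to the test table in css_parser.cxx (hunk `@@ -836,6 +836,7 @@`) has no comment marking it as the regression input for this fix, and it is the only entry shown whose `url(` is never closed. I would put `/* regression: unterminated url( must not read past the end of the input */` on the line above it. A read one element past the end usually does not crash an ordinary build, so this case only guards against a regression if the suite is also run under AddressSanitizer or a comparable checker. The code that iterates over the table and what it asserts lie outside the hunk.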
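Review bot: Neither added `j < input.size()` guard in css_tokeniser.cxx (hunks `@@ -250,7 +250,7 @@` and `@@ -262,7 +262,7 @@`) says when `j` can reach the end of `input`, which is the whole reason for the change. A comment before the first check such as `/* j may equal input.size() when the input ends inside url( */` would record that. When the second check fails because the input ran out, control goes to code below the hunk; that path should be confirmed to return a token without indexing `input[j]` again. The context line `input.size() - offset > 3` is an unsigned subtraction and would wrap if `offset` could ever exceed `input.size()`; the bounds of `offset` are not visible here. consume_ident starts and ends outside both hunks.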