git.ipfire.org Git - thirdparty/rspamd.git/commitdiff
[Minor] css: fix out-of-bounds read in ident escape scanner
author Vsevolod Stakhov <vsevolod@rspamd.com>
Wed, 20 May 2026 13:19:45 +0000 (14:19 +0100)
committer Vsevolod Stakhov <vsevolod@rspamd.com>
Wed, 20 May 2026 13:19:45 +0000 (14:19 +0100)
consume_ident scanned a backslash escape with a do-while that read
input[++i] at the top of the body but checked i < input.size() only
at the bottom. When i reached input.size() - 1 the loop re-entered
and input[++i] read one element past the string_view.

CSS reaches the tokeniser from style attributes whose value lives in
a tightly sized mempool buffer, so a token ending in backslash plus a
hex digit produced a one-byte heap over-read. Gate the increment with
i + 1 < input.size().

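The off-by-one the commit message describes, modelled as an added example (this is not rspamd's tokeniser; the function names, the `scan_trace` struct and the entry guard in `token_over_reads` are assumptions made for the illustration). The do-while reads `input[++i]` at the top of its body and tests the loop condition only at the bottom, so with the original `i < input.size()` condition a token ending in backslash plus one hex digit re-enters the body with `i == input.size() - 1` and reads index `input.size()`. Instead of dereferencing, the model records every index the loop tries to read, so the over-read shows up as a value without needing ASan; the `guarded` flag switches between the original and the patched condition.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <string_view>

// Hypothetical model of a CSS ident escape scanner, not rspamd's code.
// Every index the loop tries to read is recorded instead of dereferenced,
// so a one-past-the-end access is observable as data rather than a crash.
struct scan_trace {
    std::size_t last_i;    // index the loop leaves `i` at
    std::size_t max_index; // largest index the loop attempted to read
    bool over_read;        // true when max_index >= input.size()
};

static bool is_hex(char c) {
    return std::isxdigit(static_cast<unsigned char>(c)) != 0;
}

// `i` points at the backslash. `guarded == false` uses the original
// bottom-of-loop test `i < input.size()`; `guarded == true` uses the
// patched `i + 1 < input.size()`.
static scan_trace scan_escape(std::string_view input, std::size_t i, bool guarded) {
    scan_trace t{i, i, false};
    auto read = [&](std::size_t idx) -> char {
        if (idx > t.max_index) t.max_index = idx;
        if (idx >= input.size()) {   // would be a heap over-read on a
            t.over_read = true;      // tightly sized mempool buffer
            return '\0';
        }
        return input[idx];
    };
    do {
        char c = read(++i);          // unconditional read at top of body
        if (is_hex(c)) {
            continue;                // keep consuming hex digits
        }
        break;                       // single \ + char
    } while (guarded ? (i + 1 < input.size()) : (i < input.size()));
    t.last_i = i;
    return t;
}

// Walk a whole token the way a caller would. The escape loop is entered
// only when a character follows the backslash: a do-while runs its body
// once before any test, so the loop condition alone cannot protect the
// entry read (assumption about how the caller guards entry).
static bool token_over_reads(std::string_view input, bool guarded) {
    bool over_read = false;
    for (std::size_t i = 0; i < input.size(); ++i) {
        if (input[i] == '\\' && i + 1 < input.size()) {
            scan_trace t = scan_escape(input, i, guarded);
            over_read = over_read || t.over_read;
            i = t.last_i;
        }
    }
    return over_read;
}

int main() {
    // Constructed sample: a style attribute value ending in backslash + hex digit.
    const std::string_view sample = "color:\\a";
    std::printf("original condition over-reads: %s\n",
                token_over_reads(sample, false) ? "yes" : "no");
    std::printf("patched condition over-reads:  %s\n",
                token_over_reads(sample, true) ? "yes" : "no");
    return 0;
}
```

With `"\\a"` (two bytes) the original condition leaves `i` at 2 after touching index 2, one past the view; the patched condition stops with `i == 1`, the last byte actually present. Longer escapes such as `"\\ab"` behave the same way: the patched loop stops on the final hex digit, the original reads one byte beyond it.
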
src/libserver/css/css_tokeniser.cxx

index bd5ce0c6c2313022fa4b4094d94075ba3d90a660..418679ab835a6972c3e1e14dc73327dffcf93663 100644 (file)
@@ -236,7 +236,7 @@ auto css_tokeniser::consume_ident(bool allow_number) -> struct css_parser_token
                                                /* Single \ + char */
                                                break;
                                        }
-                               } while (i < input.size());
+                               } while (i + 1 < input.size());
                        }
                        else if (c == '(') {
                                /* Function or url token */
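Review bot: the new `while (i + 1 < input.size())` only protects re-entry; a do-while runs its body once before the condition is ever tested, so the first `input[++i]` after the backslash is still unguarded unless the code that enters this loop (not shown in the hunk) already requires a character to follow the backslash. Please confirm that entry check exists, or hoist it into the loop as `if (i + 1 >= input.size()) break;` before the read. Since the reasoning for `i + 1` lives only in the commit message, a one-line comment on the `while` explaining that the body reads `input[++i]` before the test would keep the next reader from "simplifying" it back to `i < input.size()`, and a regression test with a style attribute ending in `\` plus a hex digit under ASan would lock the fix in.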