LibWeb: Fix Array OOBs in the HTMLTokenizer

Accessing last() if there are no elements makes WebContent crash :^)
author: stelar7 <dudedbz@gmail.com> 2022-06-02 01:03:44 +0200
committer: Linus Groh <mail@linusgroh.de> 2022-06-03 12:29:11 +0100
commit: e547f5887ebb396223f42ad1e7cf25b495e88534 (patch)
tree: 384bbd5905c7169524dd4caa4d86be40c117612c /Userland/Libraries
parent: 997890c94ec4e640ebec8e44f5aee6a76ec46976 (diff)
download: serenity-e547f5887ebb396223f42ad1e7cf25b495e88534.zip
1 files changed, 16 insertions, 10 deletions
diff --git a/Userland/Libraries/LibWeb/HTML/Parser/HTMLTokenizer.cpp b/Userland/Libraries/LibWeb/HTML/Parser/HTMLTokenizer.cpp
index 42a1df321b..410f542bd7 100644
--- a/Userland/Libraries/LibWeb/HTML/Parser/HTMLTokenizer.cpp
+++ b/Userland/Libraries/LibWeb/HTML/Parser/HTMLTokenizer.cpp
@@ -210,15 +210,18 @@ Optional<u32> HTMLTokenizer::next_code_point()
 
 void HTMLTokenizer::skip(size_t count)
 {
-    m_source_positions.append(m_source_positions.last());
+    if (!m_source_positions.is_empty())
+        m_source_positions.append(m_source_positions.last());
     for (size_t i = 0; i < count; ++i) {
         m_prev_utf8_iterator = m_utf8_iterator;
         auto code_point = *m_utf8_iterator;
-        if (code_point == '\n') {
-            m_source_positions.last().column = 0;
-            m_source_positions.last().line++;
-        } else {
-            m_source_positions.last().column++;
+        if (!m_source_positions.is_empty()) {
+            if (code_point == '\n') {
+                m_source_positions.last().column = 0;
+                m_source_positions.last().line++;
+            } else {
+                m_source_positions.last().column++;
+            }
         }
         ++m_utf8_iterator;
     }
@@ -245,7 +248,7 @@ HTMLToken::Position HTMLTokenizer::nth_last_position(size_t n)
 
 Optional<HTMLToken> HTMLTokenizer::next_token()
 {
-    {
+    if (!m_source_positions.is_empty()) {
         auto last_position = m_source_positions.last();
         m_source_positions.clear_with_capacity();
         m_source_positions.append(move(last_position));
@@ -1190,7 +1193,8 @@ _StartOfFunction:
                 ANYTHING_ELSE
                 {
                     m_current_token.add_attribute({});
-                    m_current_token.last_attribute().name_start_position = m_source_positions.last();
+                    if (!m_source_positions.is_empty())
+                        m_current_token.last_attribute().name_start_position = m_source_positions.last();
                     RECONSUME_IN(AttributeName);
                 }
             }
@@ -2867,8 +2871,10 @@ void HTMLTokenizer::restore_to(Utf8CodePointIterator const& new_iterator)
 {
     auto diff = m_utf8_iterator - new_iterator;
     if (diff > 0) {
-        for (ssize_t i = 0; i < diff; ++i)
-            m_source_positions.take_last();
+        for (ssize_t i = 0; i < diff; ++i) {
+            if (!m_source_positions.is_empty())
+                m_source_positions.take_last();
+        }
     } else {
         // Going forwards...?
         TODO();
author	stelar7 <dudedbz@gmail.com>	2022-06-02 01:03:44 +0200
committer	Linus Groh <mail@linusgroh.de>	2022-06-03 12:29:11 +0100
commit	e547f5887ebb396223f42ad1e7cf25b495e88534 (patch)
tree	384bbd5905c7169524dd4caa4d86be40c117612c /Userland/Libraries
parent	997890c94ec4e640ebec8e44f5aee6a76ec46976 (diff)
download	serenity-e547f5887ebb396223f42ad1e7cf25b495e88534.zip