ASSERTION FAILED: character != kEndOfFileMarker in WebCore::HTMLTokenizer::bufferChar...
author darin@apple.com <darin@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 8 Jan 2015 21:12:08 +0000 (21:12 +0000)
committer darin@apple.com <darin@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 8 Jan 2015 21:12:08 +0000 (21:12 +0000)
commit 55b4dd7bb49ab66c178896bf64aa08be2c72ee55
tree 598dd2716839f3ce6d454db4bb5a92906966210e
parent 1c927c4dca8b61b96b62e1613792335f63d10ceb
ASSERTION FAILED: character != kEndOfFileMarker in WebCore::HTMLTokenizer::bufferCharacter
https://bugs.webkit.org/show_bug.cgi?id=140179

Reviewed by Anders Carlsson.

Source/WebCore:

Test: fast/parser/numeric-entities.html

* html/parser/HTMLEntityParser.cpp:
(WebCore::HTMLEntityParser::legalEntityFor): Merged adjustEntity logic in here.
Since the type UChar32 is a signed integer, need to check for <= 0, not just 0.
This <= change alone would have fixed the bug.

* xml/parser/CharacterReferenceParserInlines.h:
(WebCore::consumeCharacterReference): Added overflow checking when parsing hex
and decimal character references. This change alone would also have fixed the
bug, but in addition it makes overflow cases reliably generate replacement
characters rather than ignoring the overflow and producing seemingly random
characters. Test cases cover the original reported bug and other overflow cases.

LayoutTests:

* fast/parser/numeric-entities-expected.txt: Added.
* fast/parser/numeric-entities.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@178128 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/parser/numeric-entities-expected.txt [new file with mode: 0644]
LayoutTests/fast/parser/numeric-entities.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/parser/HTMLEntityParser.cpp
Source/WebCore/xml/parser/CharacterReferenceParserInlines.h
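
The two defenses the commit message describes (a signed `<= 0` check and overflow checking while accumulating digits), as an added example that is not WebKit's code and is not taken from this commit. All names are this example's own, and the parser is simplified: it requires the trailing `;` and returns -1 for anything that is not a complete numeric reference. The `wrap` flag reproduces unchecked accumulation so the two results can be compared.

```cpp
#include <cstdint>
#include <string>

// Names below are this example's own, not WebKit's.
constexpr int32_t kReplacementCharacter = 0xFFFD; // U+FFFD
constexpr int32_t kMaxCodePoint = 0x10FFFF;

// Digit value of c in the given base, or -1 if c is not a digit in that base.
static int digitValue(char c, int base)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (base == 16 && c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (base == 16 && c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Final gate before a value is treated as a character. The type is signed,
// so negatives are rejected along with zero, surrogates and out-of-range values.
int32_t legalCodePoint(int32_t value)
{
    if (value <= 0 || value > kMaxCodePoint) return kReplacementCharacter;
    if (value >= 0xD800 && value <= 0xDFFF) return kReplacementCharacter;
    return value;
}

// Parses "&#NNN;" or "&#xHHH;". Returns -1 for text that is not a complete
// numeric reference (a convention of this sketch). wrap=true reproduces the
// unchecked accumulation so its result can be compared with the checked one.
int32_t parseNumericReference(const std::string& text, bool wrap = false)
{
    if (text.compare(0, 2, "&#") != 0) return -1;
    size_t i = 2;
    int base = 10;
    if (i < text.size() && (text[i] == 'x' || text[i] == 'X')) { base = 16; ++i; }
    uint32_t value = 0;
    bool overflowed = false;
    size_t digits = 0;
    for (; i < text.size() && text[i] != ';'; ++i, ++digits) {
        int d = digitValue(text[i], base);
        if (d < 0) return -1;
        if (overflowed) continue;     // keep consuming digits; the result is settled
        value = value * base + d;     // unsigned: wraps without undefined behaviour
        if (!wrap && value > kMaxCodePoint) overflowed = true;
    }
    if (!digits || i == text.size()) return -1; // no digits, or missing ';'
    if (wrap) return static_cast<int32_t>(value); // may be negative or unrelated
    return overflowed ? kReplacementCharacter : legalCodePoint(static_cast<int32_t>(value));
}
```

With `wrap` set, `&#x80000000;` comes back negative, so a `== 0` test would let it through, and `&#4294967361;` wraps to 65 (`A`); the checked path returns U+FFFD for both.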