Use ConsumeRestrictedPropertyValue() when testing variable-using prop…

…erty validity. Earlier, the property parser would only receive values that were checked using ConsumeRestrictedPropertyValue(), which has a fail-fast whenever it sees a left brace. However, with the streaming parser being used for value parsing, we just consumed until the end of the semicolon instead, which is correct but misses the fail-fast, causing potential O(n²) behavior with nested rules. Reintroduce it. This also fixes an issue where, if we failed to parse the last token, we could have stream_.Offset() at the end of the parse never advancing past the initial lookahead offset, causing an integer overflow. Fixed: 340702955 Fixed: 340919085 Change-Id: I5d9814f87536e8cc7dc6742a39f22abd83c40d85 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5543881 Auto-Submit: Steinar H Gunderson <sesse@chromium.org> Reviewed-by: Anders Hartvoll Ruud <andruud@chromium.org> Commit-Queue: Steinar H Gunderson <sesse@chromium.org> Cr-Commit-Position: refs/heads/main@{#1301864}
ziransun · May 16, 2024 · 077700f · 077700f
1 parent 16e8b1b
commit 077700f
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/css/css-values/premature-comment-crash.html b/css/css-values/premature-comment-crash.html
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>CSS value parser: Crash if comment ends prematurely</title>
+    <link rel="help" href="https://crbug.com/340919085">
+    <style>#a{color:/*}</style>
+  </head>
+  <body>
+    <p>Test passes if it does not crash.</p>
+  </body>
+</html>