Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: b4a7610d247da5708adc0e6c2b45feddc61d47aa
https://github.com/WebKit/WebKit/commit/b4a7610d247da5708adc0e6c2b45feddc61d47aa
Author: Chris Dumez <[email protected]>
Date: 2026-06-13 (Sat, 13 Jun 2026)
Changed paths:
M Source/WebCore/css/parser/CSSParserTokenRange.cpp
Log Message:
-----------
CSSParserTokenRange::consumeLast() ignores its empty-range guard
https://bugs.webkit.org/show_bug.cgi?id=316960

Reviewed by Darin Adler.

The empty-range guard in consumeLast() was missing a `return`, so the
result of eofToken() was discarded and control fell through to
WTF::consumeLast(m_tokens). On an empty span that calls span::back()
(forming an out-of-bounds pointer, likely crashing) and
span::first(size() - 1) with size() - 1 == SIZE_MAX (corrupting the
span length), instead of returning the EOF sentinel. Add the missing
`return` so the method honors the same EOF contract as consume() in the
header.

No test case is added because the buggy path is not reachable through
normal CSS parsing: the only in-tree caller of consumeLast()
(consumeTrailingImportantAndWhitespace() in CSSParser.cpp) trims
trailing whitespace and guards with range.size() < 2 before calling it,
so the range is never empty at the call site. There is no CSS input
that drives consumeLast() onto an empty range, hence no observable
behavior a layout or API test could assert against. This is a latent
defect fixed to make the method honor its documented EOF contract for
any future caller.

* Source/WebCore/css/parser/CSSParserTokenRange.cpp:
(WebCore::CSSParserTokenRange::consumeLast):

Canonical link: https://commits.webkit.org/315179@main
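
The guard pattern the log message describes, as an added example that is not WebKit's code: a minimal token range whose consumeLast() returns an EOF sentinel on an empty range, plus a caller that only terminates because of that guard. `Token`, `TokenRange`, `eofSentinel`, `lengthIfGuardSkipped()` and `lastSignificantType()` are hypothetical stand-ins, and the token arrays are constructed input.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical stand-ins for illustration; these are not WebKit's types.
enum class TokenType { Ident, Whitespace, Eof };
struct Token { TokenType type; };
static const Token eofSentinel { TokenType::Eof };

class TokenRange {
public:
    TokenRange(const Token* first, std::size_t count) : m_first(first), m_size(count) { }
    std::size_t size() const { return m_size; }

    // New length an unguarded "drop the last element" would compute.
    // For size() == 0 the unsigned subtraction wraps to SIZE_MAX.
    std::size_t lengthIfGuardSkipped() const { return m_size - 1; }

    const Token& consumeLast()
    {
        if (!m_size)
            return eofSentinel; // Without `return`, this statement has no effect.
        return m_first[--m_size]; // Only reached when at least one token remains.
    }

private:
    const Token* m_first;
    std::size_t m_size;
};

// Hypothetical caller: pops tokens from the back until it sees a non-whitespace
// token or the EOF sentinel. On an all-whitespace range it relies on the guard.
TokenType lastSignificantType(TokenRange& range)
{
    for (;;) {
        const Token& token = range.consumeLast();
        if (token.type != TokenType::Whitespace)
            return token.type;
    }
}

int main()
{
    const Token tokens[] = { { TokenType::Whitespace }, { TokenType::Whitespace } }; // constructed input
    TokenRange range(tokens, 2);
    std::printf("last significant: %d\n", static_cast<int>(lastSignificantType(range)));
    std::printf("size after: %zu, length if guard skipped: %zu\n", range.size(), range.lengthIfGuardSkipped());
    return 0;
}
```
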