commit 6d6bd48: [Minor] Css: Fix OOB reading

Vsevolod Stakhov vsevolod at highsecure.ru
Mon May 10 19:35:04 UTC 2021


Author: Vsevolod Stakhov
Date: 2021-05-10 20:32:12 +0100
URL: https://github.com/rspamd/rspamd/commit/6d6bd488d30014ff95b5e4714142637768c87241 (HEAD -> master)

[Minor] Css: Fix OOB reading

---
 src/libserver/css/css_parser.cxx    | 1 +
 src/libserver/css/css_tokeniser.cxx | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/libserver/css/css_parser.cxx b/src/libserver/css/css_parser.cxx
index 2af484043..9f93a7e25 100644
--- a/src/libserver/css/css_parser.cxx
+++ b/src/libserver/css/css_parser.cxx
@@ -836,6 +836,7 @@ TEST_SUITE("css parser") {
 			".chat-icon[_ng-cnj-c0]::before{content:url(group-2.63e87cd21fbf8c966dd.svg);width:60px;height:60px;display:block}",
 			"tt{color:#1e3482}",
 			"tt{unicode-range: u+0049-u+004a,u+0020;}",
+			"@import url(https://fonts.googleapis.com/css?family=arial:300,400,7000;",
 		};
 
 		rspamd_mempool_t *pool = rspamd_mempool_new(rspamd_mempool_suggest_size(),
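Review bot: The added `@import url(...;` case may not fail on the unfixed tokeniser, because a C string literal is followed by a NUL byte, so reading `input[j]` one past the end of the view lands on that terminator rather than on poisoned memory. How the cases are handed to the parser is outside this hunk, so this needs confirming. If each case is passed as a view over the literal, copy it into an exactly sized heap buffer with no terminator (e.g. a `std::vector<char>`) and run the suite under AddressSanitizer so the over-read is reported. A comment on the new line such as `/* unterminated url(: regression for OOB read in consume_ident */` would also explain why the closing parenthesis is missing.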
diff --git a/src/libserver/css/css_tokeniser.cxx b/src/libserver/css/css_tokeniser.cxx
index 8d08eb7a2..d07b017a3 100644
--- a/src/libserver/css/css_tokeniser.cxx
+++ b/src/libserver/css/css_tokeniser.cxx
@@ -250,7 +250,7 @@ auto css_tokeniser::consume_ident(bool allow_number) -> struct css_parser_token
 				}
 
 				if (input.size() - offset > 3 && input.substr(offset, 3) == "url") {
-					if (input[j] == '"' || input[j] == '\'') {
+					if (j < input.size() && (input[j] == '"' || input[j] == '\'')) {
 						/* Function token */
 						auto ret = maybe_escape_sv(i,
 								css_parser_token::token_type::function_token);
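Review bot: The `j < input.size()` guard is written out by hand here and again before the `input[j] == ')'` check in the next hunk, so every other `input[...]` read in `consume_ident` still depends on someone remembering the same test. A single bounds-checked accessor would make the end-of-input case explicit, e.g. `auto peek = [&](std::size_t k) { return k < input.size() ? input[k] : '\0'; };` followed by `if (peek(j) == '"' || peek(j) == '\'')`. Separately, `input.size() - offset > 3` on the line above is presumably unsigned arithmetic and would wrap if `offset` could ever exceed `input.size()`; `offset + 3 < input.size()` avoids that. The function starts and continues outside this hunk, so where `j` is initialised is not visible here.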
@@ -262,7 +262,7 @@ auto css_tokeniser::consume_ident(bool allow_number) -> struct css_parser_token
 							j++;
 						}
 
-						if (input[j] == ')') {
+						if (j < input.size() && input[j] == ')') {
 							/* Valid url token */
 							auto ret = maybe_escape_sv(j + 1,
 									css_parser_token::token_type::url_token);

