LibWeb: Prevent OOB access in HTMLEncodingDetection for input of '</'

Previously, this never checked if `position + 2` was valid. This slightly reorders the loop so all indices are checked. Fixes #22163
Author: https://github.com/MacDue Commit: 5e973fca0b Pull-request: https://github.com/SerenityOS/serenity/pull/22579 Issue: https://github.com/SerenityOS/serenity/issues/22163
2025-04-27 06:48:49 +00:00 · 2024-01-04 11:22:20 +00:00 · 2024-01-04 11:22:20 +00:00 · 5e973fca0b · 2024-07-16 23:38:54 +09:00
commit 5e973fca0b
parent 3f52d6045a
3 changed files with 17 additions and 4 deletions
--- a/Userland/Libraries/LibWeb/HTML/Parser/HTMLEncodingDetection.cpp
+++ b/Userland/Libraries/LibWeb/HTML/Parser/HTMLEncodingDetection.cpp
@ -321,12 +321,12 @@ Optional<ByteString> run_prescan_byte_stream_algorithm(DOM::Document& document,
            prescan_skip_whitespace_and_slashes(input, position);
            while (prescan_get_attribute(document, input, position)) { };
        } else if (!prescan_should_abort(input, position + 1) && input[position] == '<' && (input[position + 1] == '!' || input[position + 1] == '/' || input[position + 1] == '?')) {
-            position += 2;
-            while (input[position] != '>') {
-                ++position;
+            position += 1;
+            do {
+                position += 1;
                if (prescan_should_abort(input, position))
                    return {};
-            }
+            } while (input[position] != '>');
        } else {
            // Do nothing.
        }