CSS Parser Panic

[alanhdu]

The following code

extern crate cssparser;
fn main() {
    let data: &[u8] = &[117, 114, 108, 40, 1, 92];
    if let Ok(str_) = std::str::from_utf8(data) {
        let mut parser_input = cssparser::ParserInput::new(str_);
        let mut parser = cssparser::Parser::new(&mut parser_input);
        while parser.next_including_whitespace_and_comments().is_ok() { }
    }
}

panics with

thread 'main' panicked at 'byte index 7 is out of bounds of `url(�\`'

Full stacktrace

thread 'main' panicked at 'byte index 7 is out of bounds of `url(�\`', /checkout/src/libcore/str/mod.rs:2133:8
stack backtrace:
   0: std::sys::imp::backtrace::tracing::imp::unwind_backtrace
             at /checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
   1: std::sys_common::backtrace::_print
             at /checkout/src/libstd/sys_common/backtrace.rs:71
   2: std::panicking::default_hook::{{closure}}
             at /checkout/src/libstd/sys_common/backtrace.rs:60
             at /checkout/src/libstd/panicking.rs:380
   3: std::panicking::default_hook
             at /checkout/src/libstd/panicking.rs:396
   4: std::panicking::rust_panic_with_hook
             at /checkout/src/libstd/panicking.rs:611
   5: std::panicking::begin_panic_new
             at /checkout/src/libstd/panicking.rs:553
   6: std::panicking::begin_panic_fmt
             at /checkout/src/libstd/panicking.rs:521
   7: rust_begin_unwind
             at /checkout/src/libstd/panicking.rs:497
   8: core::panicking::panic_fmt
             at /checkout/src/libcore/panicking.rs:92
   9: core::str::slice_error_fail
             at /checkout/src/libcore/str/mod.rs:2133
  10: core::str::traits::<impl core::slice::SliceIndex<str> for core::ops::range::Range<usize>>::index::{{closure}}
             at /checkout/src/libcore/str/mod.rs:1808
  11: <core::option::Option<T>>::unwrap_or_else
             at /checkout/src/libcore/option.rs:370
  12: core::str::traits::<impl core::slice::SliceIndex<str> for core::ops::range::Range<usize>>::index
             at /checkout/src/libcore/str/mod.rs:1808
  13: core::str::traits::<impl core::ops::index::Index<core::ops::range::Range<usize>> for str>::index
             at /checkout/src/libcore/str/mod.rs:1582
  14: cssparser::tokenizer::Tokenizer::slice_from
             at ./target/debug/build/cssparser-7b41128d7ce59adc/out/tokenizer.rs:140
  15: cssparser::tokenizer::consume_unquoted_url::consume_bad_url
             at ./target/debug/build/cssparser-7b41128d7ce59adc/out/tokenizer.rs:659
  16: cssparser::tokenizer::consume_unquoted_url::consume_unquoted_url_internal
             at ./target/debug/build/cssparser-7b41128d7ce59adc/out/tokenizer.rs:593
  17: cssparser::tokenizer::consume_unquoted_url
             at ./target/debug/build/cssparser-7b41128d7ce59adc/out/tokenizer.rs:576
  18: cssparser::tokenizer::consume_ident_like
             at ./target/debug/build/cssparser-7b41128d7ce59adc/out/tokenizer.rs:435
  19: cssparser::tokenizer::next_token
             at ./target/debug/build/cssparser-7b41128d7ce59adc/out/tokenizer.rs:291
  20: cssparser::tokenizer::Tokenizer::next
             at ./target/debug/build/cssparser-7b41128d7ce59adc/out/tokenizer.rs:134
  21: cssparser::parser::Parser::next_including_whitespace_and_comments
             at /home/alan/.cargo/git/checkouts/rust-cssparser-05258a075faa869a/efcfb37/src/parser.rs:387
  22: scratch::main
             at src/main.rs:10
  23: __rust_maybe_catch_panic
             at /checkout/src/libpanic_unwind/lib.rs:98
  24: std::rt::lang_start
             at /checkout/src/libstd/panicking.rs:458
             at /checkout/src/libstd/panic.rs:361
             at /checkout/src/libstd/rt.rs:59
  25: main
  26: __libc_start_main
  27: _start

Found via fuzzing

[emilio]

https://bugzilla.mozilla.org/show_bug.cgi?id=1383975 Is likely related.

[SimonSapin]

Thanks for the report and test case! https://crates.io/crates/cssparser/0.18.1 should fix this.