From aedc4c3e3792482dedfa8c00e6aaf8284844c546 Mon Sep 17 00:00:00 2001
From: Miciah Dashiel Butler Masters <miciah.masters@gmail.com>
Date: Thu, 25 Dec 2008 07:16:02 +0000
Subject: [PATCH] CSS: do not fail assertion on "url( )"

A style-sheet containing the string "url( )" with 1 or more characters of
whitespace in between the parentheses triggered an assertion failure in
scan_css_token.

scan_css_token would find the left parenthesis, find the right parenthesis,
and then scan forwards from the left parenthesis for a non-whitespace
character to find the start of the URL and backwards from the right
parenthesis to find the end of the URL.  If there were whitespace and
nothing else, the start would be past the end, the routine would compute a
negative length for the URL, and then the routine would trigger an
assertion failure.  Now the routine simply enforces a lower bound of length
0 for the URL.
---
 src/document/css/scanner.c | 11 +++++++++--
 src/dom/css/scanner.c      | 11 +++++++++--
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/src/document/css/scanner.c b/src/document/css/scanner.c
index fd9057e6f..00497b577 100644
--- a/src/document/css/scanner.c
+++ b/src/document/css/scanner.c
@@ -203,8 +203,15 @@ scan_css_token(struct scanner *scanner, struct scanner_token *token)
 					if (isquote(*to)) to--;
 
 					token->string = from;
-					real_length = to - from + 1;
-					assert(real_length >= 0);
+					/* Given "url( )", @to and @from will
+					 * cross when they scan forwards and
+					 * backwards, respectively, for a non-
+					 * whitespace character, and @to - @from
+					 * will be negative.  If there is
+					 * anything between the parentheses,
+					 * @to and @from will not cross and @to
+					 * - @from will not become negative. */
+					real_length = int_max(0, to - from + 1);
 					string = function_end;
 				}
 
diff --git a/src/dom/css/scanner.c b/src/dom/css/scanner.c
index 7c73273d2..ac1eb9dae 100644
--- a/src/dom/css/scanner.c
+++ b/src/dom/css/scanner.c
@@ -206,8 +206,15 @@ scan_css_token(struct dom_scanner *scanner, struct dom_scanner_token *token)
 					if (isquote(*to)) to--;
 
 					token->string.string = from;
-					real_length = to - from + 1;
-					assert(real_length >= 0);
+					/* Given "url( )", @to and @from will
+					 * cross when they scan forwards and
+					 * backwards, respectively, for a non-
+					 * whitespace character, and @to - @from
+					 * will be negative.  If there is
+					 * anything between the parentheses,
+					 * @to and @from will not cross and @to
+					 * - @from will not become negative. */
+					real_length = int_max(0, to - from + 1);
 					string = function_end;
 				}