From 9c396301db299f060e17623f03ac09c11a965ce4 Mon Sep 17 00:00:00 2001
From: Gingeh <39150378+Gingeh@users.noreply.github.com>
Date: Tue, 5 Nov 2024 21:57:25 +1100
Subject: [PATCH] LibWeb: Use substrings instead of pointers when parsing
 unicode ranges

Fixes a segfault when parsing a wildcard-only unicode range

(cherry picked from commit a4b38dda5611e87987c855de8a6e06aa0351bd1b)
---
 .../Text/expected/css/unicode-range-all-wildcard.txt  |  1 +
 .../Text/input/css/unicode-range-all-wildcard.html    | 11 +++++++++++
 Userland/Libraries/LibWeb/CSS/Parser/Parser.cpp       |  3 ++-
 3 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 Tests/LibWeb/Text/expected/css/unicode-range-all-wildcard.txt
 create mode 100644 Tests/LibWeb/Text/input/css/unicode-range-all-wildcard.html

diff --git a/Tests/LibWeb/Text/expected/css/unicode-range-all-wildcard.txt b/Tests/LibWeb/Text/expected/css/unicode-range-all-wildcard.txt
new file mode 100644
index 00000000000000..aaecaf93c4a5b5
--- /dev/null
+++ b/Tests/LibWeb/Text/expected/css/unicode-range-all-wildcard.txt
@@ -0,0 +1 @@
+PASS (didn't crash)
diff --git a/Tests/LibWeb/Text/input/css/unicode-range-all-wildcard.html b/Tests/LibWeb/Text/input/css/unicode-range-all-wildcard.html
new file mode 100644
index 00000000000000..5ea5fd4aabbc93
--- /dev/null
+++ b/Tests/LibWeb/Text/input/css/unicode-range-all-wildcard.html
@@ -0,0 +1,11 @@
+<style>
+    @font-face {
+        unicode-range: U+??;
+    }
+</style>
+<script src="../include.js"></script>
+<script>
+    test(() => {
+        println("PASS (didn't crash)");
+    });
+</script>
diff --git a/Userland/Libraries/LibWeb/CSS/Parser/Parser.cpp b/Userland/Libraries/LibWeb/CSS/Parser/Parser.cpp
index ce49fce50d5dd4..ae392412bc62cc 100644
--- a/Userland/Libraries/LibWeb/CSS/Parser/Parser.cpp
+++ b/Userland/Libraries/LibWeb/CSS/Parser/Parser.cpp
@@ -2413,6 +2413,7 @@ Optional<Gfx::UnicodeRange> Parser::parse_unicode_range(StringView text)
 
     // 3. Consume as many hex digits from text as possible.
     //    then consume as many U+003F QUESTION MARK (?) code points as possible.
+    auto start_position = lexer.tell();
     auto hex_digits = lexer.consume_while(is_ascii_hex_digit);
     auto question_marks = lexer.consume_while([](auto it) { return it == '?'; });
     //    If zero code points were consumed, or more than six code points were consumed,
@@ -2422,7 +2423,7 @@ Optional<Gfx::UnicodeRange> Parser::parse_unicode_range(StringView text)
         dbgln_if(CSS_PARSER_DEBUG, "CSSParser: <urange> start value had {} digits/?s, expected between 1 and 6.", consumed_code_points);
         return {};
     }
-    StringView start_value_code_points { hex_digits.characters_without_null_termination(), consumed_code_points };
+    StringView start_value_code_points = text.substring_view(start_position, consumed_code_points);
 
     //    If any U+003F QUESTION MARK (?) code points were consumed, then:
     if (question_marks.length() > 0) {