CSS Processor: Fix consume_ident_start_codepoint bounds check (#219)

sirreal · web-flow · commit de13df1465d5 · 2026-03-12T16:11:33.000+01:00
Fixes out-of-bounds string offset access when the input string ends
while consuming an ident start.
diff --git a/components/DataLiberation/CSS/class-cssprocessor.php b/components/DataLiberation/CSS/class-cssprocessor.php
@@ -1500,7 +1500,7 @@ private function consume_ident_codepoint( $at ): int {
 	 * @return int The number of bytes consumed.
 	 */
 	private function consume_ident_start_codepoint( $at ): int {
-		if ( $at > $this->length ) {
+		if ( $at >= $this->length ) {
 			return 0;
 		}
 
diff --git a/components/DataLiberation/Tests/CSSProcessorTest.php b/components/DataLiberation/Tests/CSSProcessorTest.php
@@ -1530,5 +1530,15 @@ public function test_set_token_with_invalid_utf8_sequence(): void {
 		$this->assertSame( "background: url(\"\xC0.jpg\");", $updated );
 	}
 
-
+	/**
+	 * Test bounds check when consuming and ident start token.
+	 */
+	public function test_ident_start_codepoint_bounds_check(): void {
+		$processor     = CSSProcessor::create( '-' );
+		$actual_tokens = $this->collect_tokens( $processor, array( 'type', 'raw' ) );
+		$expected_tokens = array(
+			array( 'type' => CSSProcessor::TOKEN_DELIM, 'raw' => '-' ),
+		);
+		$this->assertSame( $expected_tokens, $actual_tokens );
+	}
 }

Original file line number	Diff line number	Diff line change
`@@ -1500,7 +1500,7 @@ private function consume_ident_codepoint( $at ): int {`
`1500`	`1500`	`* @return int The number of bytes consumed.`
`1501`	`1501`	`*/`
`1502`	`1502`	`private function consume_ident_start_codepoint( $at ): int {`
`1503`		`- if ( $at > $this->length ) {`
	`1503`	`+ if ( $at >= $this->length ) {`
`1504`	`1504`	`return 0;`
`1505`	`1505`	`}`
`1506`	`1506`