From 7aa8302d18a686e196f9e9386c047c611b023feb Mon Sep 17 00:00:00 2001
From: Henri Sivonen
Date: Fri, 17 Apr 2009 18:55:09 +0300
Subject: [PATCH] Bug 488854 - In HTML5 parser Insert REPLACEMENT CHARACTER gracefully when Unicode converter returns failure
---
 content/html/parser/src/nsHtml5Parser.cpp | 25 ++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/content/html/parser/src/nsHtml5Parser.cpp b/content/html/parser/src/nsHtml5Parser.cpp
index c2c86257fdfe..f6f1ea7170bb 100644
--- a/content/html/parser/src/nsHtml5Parser.cpp
+++ b/content/html/parser/src/nsHtml5Parser.cpp
@@ -1133,17 +1133,32 @@ nsHtml5Parser::WriteStreamBytes(const PRUint8* aFromSegment,
  PRInt32 byteCount = aCount - totalByteCount;
  PRInt32 utf16Count = NS_HTML5_PARSER_READ_BUFFER_SIZE - end;
 
+ NS_ASSERTION(utf16Count, "Trying to convert into a buffer with no free space!");
+
  nsresult convResult = mUnicodeDecoder->Convert((const char*)aFromSegment, &byteCount, mLastBuffer->getBuffer() + end, &utf16Count);
-
+
  mLastBuffer->setEnd(end + utf16Count);
  totalByteCount += byteCount;
  aFromSegment += byteCount;
-
+
  NS_ASSERTION((mLastBuffer->getEnd() <= NS_HTML5_PARSER_READ_BUFFER_SIZE), "The Unicode decoder wrote too much data.");
-
- if (convResult == NS_PARTIAL_MORE_OUTPUT) {
+
+ if (NS_FAILED(convResult)) {
+ ++totalByteCount;
+ ++aFromSegment;
+ mLastBuffer->getBuffer()[end] = 0xFFFD;
+ mLastBuffer->setEnd(end + 1);
+ if (mLastBuffer->getEnd() == NS_HTML5_PARSER_READ_BUFFER_SIZE) {
+ mLastBuffer = (mLastBuffer->next = new nsHtml5UTF16Buffer(NS_HTML5_PARSER_READ_BUFFER_SIZE));
+ }
+ mUnicodeDecoder->Reset();
+ if (totalByteCount == aCount) {
+ *aWriteCount = totalByteCount;
+ return NS_OK;
+ }
+ } else if (convResult == NS_PARTIAL_MORE_OUTPUT) {
  mLastBuffer = (mLastBuffer->next = new nsHtml5UTF16Buffer(NS_HTML5_PARSER_READ_BUFFER_SIZE));
- NS_ASSERTION(((PRUint32)totalByteCount < aCount), "The Unicode has consumed too many bytes.");
+ NS_ASSERTION(((PRUint32)totalByteCount < aCount), "The Unicode decoder has consumed too many bytes.");
  } else {
  NS_ASSERTION(((PRUint32)totalByteCount == aCount), "The Unicode decoder consumed the wrong number of bytes.");
  *aWriteCount = totalByteCount;
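Review bot: In the new `NS_FAILED(convResult)` branch the replacement character is stored at `getBuffer()[end]` and the end is reset to `end + 1`, but `end` still appears to be the pre-conversion offset (Convert writes at `getBuffer() + end` and `setEnd(end + utf16Count)` has just run), so any UTF-16 units decoded before the bad byte are overwritten or dropped. Silently losing already-decoded characters in an HTML parser can change how the following markup tokenizes, so the store should land after the converted output, e.g. `mLastBuffer->getBuffer()[end + utf16Count] = 0xFFFD;` and `mLastBuffer->setEnd(end + utf16Count + 1);`, with the buffer-full check moved before the store so the index stays below NS_HTML5_PARSER_READ_BUFFER_SIZE. That bound currently rests on `NS_ASSERTION(utf16Count, ...)`, which presumably compiles out of release builds, so a runtime check is worth having there. The branch also assumes the decoder leaves at least one unconsumed byte on failure; if it ever does not, `++totalByteCount` skips the `totalByteCount == aCount` exit and the next pass would compute a negative `byteCount`, so a runtime guard that `totalByteCount <= aCount` after the increment would be safer. The declaration of `end` and the enclosing loop of WriteStreamBytes are outside the hunk, so confirm against the full function.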