Title: [250108] trunk/Source/WebKit
Revision: 250108
Author: timothy_hor...@apple.com
Date: 2019-09-19 16:15:52 -0700 (Thu, 19 Sep 2019)

Log Message

macCatalyst apps crash under TextCheckingControllerProxy::replaceRelativeToSelection when spell checking
https://bugs.webkit.org/show_bug.cgi?id=202010
<rdar://problem/54974971>

Reviewed by Beth Dakin.

* WebProcess/WebPage/Cocoa/TextCheckingControllerProxy.mm:
(WebKit::TextCheckingControllerProxy::replaceRelativeToSelection):
relativeReplacementRange is in the coordinate space of the document's text,
not the replacement string. We need to adjust into replacement string
coordinates before slicing the replacement, or we'll throw an exception
trying to read past the end of the string, in the case where the
replacement string is shorter than the replaced string (by more than 2 characters).

Modified Paths

trunk/Source/WebKit/ChangeLog
trunk/Source/WebKit/WebProcess/WebPage/Cocoa/TextCheckingControllerProxy.mm
Diff

Modified: trunk/Source/WebKit/ChangeLog (250107 => 250108)


--- trunk/Source/WebKit/ChangeLog	2019-09-19 22:23:50 UTC (rev 250107)
+++ trunk/Source/WebKit/ChangeLog	2019-09-19 23:15:52 UTC (rev 250108)
@@ -1,3 +1,19 @@
+2019-09-19  Tim Horton  <timothy_hor...@apple.com>
+
+        macCatalyst apps crash under TextCheckingControllerProxy::replaceRelativeToSelection when spell checking
+        https://bugs.webkit.org/show_bug.cgi?id=202010
+        <rdar://problem/54974971>
+
+        Reviewed by Beth Dakin.
+
+        * WebProcess/WebPage/Cocoa/TextCheckingControllerProxy.mm:
+        (WebKit::TextCheckingControllerProxy::replaceRelativeToSelection):
+        relativeReplacementRange is in the coordinate space of the document's text,
+        not the replacement string. We need to adjust into replacement string
+        coordinates before slicing the replacement, or we'll throw an exception
+        trying to read past the end of the string, in the case where the
+        replacement string is shorter than the replaced string (by more than 2 characters).
+
 2019-09-19  Yury Semikhatsky  <yu...@chromium.org>
 
         WebStorageNamespaceProvider / StorageNamespaceImpl no longer need SessionIDs

Modified: trunk/Source/WebKit/WebProcess/WebPage/Cocoa/TextCheckingControllerProxy.mm (250107 => 250108)


--- trunk/Source/WebKit/WebProcess/WebPage/Cocoa/TextCheckingControllerProxy.mm	2019-09-19 22:23:50 UTC (rev 250107)
+++ trunk/Source/WebKit/WebProcess/WebPage/Cocoa/TextCheckingControllerProxy.mm	2019-09-19 23:15:52 UTC (rev 250108)
@@ -113,7 +113,7 @@
             auto replacementRange = rangeAndOffsetOfReplacement->range;
             if (replacementRange) {
                 bool restoreSelection = frameSelection.selection().isRange();
-                frame.editor().replaceRangeForSpellChecking(*replacementRange, [[annotatedString.string string] substringWithRange:NSMakeRange(relativeReplacementLocation, relativeReplacementLength)]);
+                frame.editor().replaceRangeForSpellChecking(*replacementRange, [[annotatedString.string string] substringWithRange:NSMakeRange(relativeReplacementLocation, relativeReplacementLength + [annotatedString.string length] - length)]);
 
                 size_t selectionLocationToRestore = locationInRoot - selectionOffset;
                 if (restoreSelection && selectionLocationToRestore > locationInRoot + relativeReplacementLocation + relativeReplacementLength) {
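Review bot: the adjusted length `relativeReplacementLength + [annotatedString.string length] - length` on the `+` line is computed with no check that the resulting range still lies inside `[annotatedString.string length]`, and if these are unsigned quantities the intermediate `[annotatedString.string length] - length` wraps whenever the replacement is shorter than the replaced text, so the expression only stays in range when `relativeReplacementLength` is at least as large as that shortfall. If callers guarantee that `relativeReplacementRange` always covers the characters being removed, an ASSERT stating that invariant would document it; if they do not, a bounds check before `substringWithRange:` is needed, since an out-of-range NSRange there raises the same kind of exception this change is meant to remove. It would also help to hoist the length into a named local with a one-line comment saying that `relativeReplacementRange` is in document-text coordinates and is being shifted into replacement-string coordinates; that reasoning currently lives only in the ChangeLog, and the unexplained arithmetic on a single long line is easy to misread on the next edit.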
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
