Title: [250270] branches/safari-608-branch/Source/WebKit
Revision
250270
Author
alanc...@apple.com
Date
2019-09-23 17:13:22 -0700 (Mon, 23 Sep 2019)

Log Message

Cherry-pick r250108. rdar://problem/55608024

    macCatalyst apps crash under TextCheckingControllerProxy::replaceRelativeToSelection when spell checking
    https://bugs.webkit.org/show_bug.cgi?id=202010
    <rdar://problem/54974971>

    Reviewed by Beth Dakin.

    * WebProcess/WebPage/Cocoa/TextCheckingControllerProxy.mm:
    (WebKit::TextCheckingControllerProxy::replaceRelativeToSelection):
    relativeReplacementRange is in the coordinate space of the document's text,
    not the replacement string. We need to adjust into replacement string
    coordinates before slicing the replacement, or we'll throw an exception
    trying to read past the end of the string, in the case where the
    replacement string is shorter than the replaced string (by more than 2 characters).

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@250108 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Diff

Modified: branches/safari-608-branch/Source/WebKit/ChangeLog (250269 => 250270)


--- branches/safari-608-branch/Source/WebKit/ChangeLog	2019-09-24 00:13:20 UTC (rev 250269)
+++ branches/safari-608-branch/Source/WebKit/ChangeLog	2019-09-24 00:13:22 UTC (rev 250270)
@@ -1,5 +1,42 @@
 2019-09-23  Alan Coon  <alanc...@apple.com>
 
+        Cherry-pick r250108. rdar://problem/55608024
+
+    macCatalyst apps crash under TextCheckingControllerProxy::replaceRelativeToSelection when spell checking
+    https://bugs.webkit.org/show_bug.cgi?id=202010
+    <rdar://problem/54974971>
+    
+    Reviewed by Beth Dakin.
+    
+    * WebProcess/WebPage/Cocoa/TextCheckingControllerProxy.mm:
+    (WebKit::TextCheckingControllerProxy::replaceRelativeToSelection):
+    relativeReplacementRange is in the coordinate space of the document's text,
+    not the replacement string. We need to adjust into replacement string
+    coordinates before slicing the replacement, or we'll throw an exception
+    trying to read past the end of the string, in the case where the
+    replacement string is shorter than the replaced string (by more than 2 characters).
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@250108 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2019-09-19  Tim Horton  <timothy_hor...@apple.com>
+
+            macCatalyst apps crash under TextCheckingControllerProxy::replaceRelativeToSelection when spell checking
+            https://bugs.webkit.org/show_bug.cgi?id=202010
+            <rdar://problem/54974971>
+
+            Reviewed by Beth Dakin.
+
+            * WebProcess/WebPage/Cocoa/TextCheckingControllerProxy.mm:
+            (WebKit::TextCheckingControllerProxy::replaceRelativeToSelection):
+            relativeReplacementRange is in the coordinate space of the document's text,
+            not the replacement string. We need to adjust into replacement string
+            coordinates before slicing the replacement, or we'll throw an exception
+            trying to read past the end of the string, in the case where the
+            replacement string is shorter than the replaced string (by more than 2 characters).
+
+2019-09-23  Alan Coon  <alanc...@apple.com>
+
         Cherry-pick r250069. rdar://problem/55524981
 
     Eagerly create and add the m_layerHostingView to WKWebView.
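Review bot: the cherry-picked entry's description ends with "(by more than 2 characters)" without saying where the threshold of 2 comes from, and nothing in the entry names a test covering the crash. Suggest a short clause explaining the threshold, plus a line naming the regression test or saying why one could not be added, so the branch ChangeLog can be read on its own.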

Modified: branches/safari-608-branch/Source/WebKit/WebProcess/WebPage/Cocoa/TextCheckingControllerProxy.mm (250269 => 250270)


--- branches/safari-608-branch/Source/WebKit/WebProcess/WebPage/Cocoa/TextCheckingControllerProxy.mm	2019-09-24 00:13:20 UTC (rev 250269)
+++ branches/safari-608-branch/Source/WebKit/WebProcess/WebPage/Cocoa/TextCheckingControllerProxy.mm	2019-09-24 00:13:22 UTC (rev 250270)
@@ -113,7 +113,7 @@
             auto replacementRange = rangeAndOffsetOfReplacement->range;
             if (replacementRange) {
                 bool restoreSelection = frameSelection.selection().isRange();
-                frame.editor().replaceRangeForSpellChecking(*replacementRange, [[annotatedString.string string] substringWithRange:NSMakeRange(relativeReplacementLocation, relativeReplacementLength)]);
+                frame.editor().replaceRangeForSpellChecking(*replacementRange, [[annotatedString.string string] substringWithRange:NSMakeRange(relativeReplacementLocation, relativeReplacementLength + [annotatedString.string length] - length)]);
 
                 size_t selectionLocationToRestore = locationInRoot - selectionOffset;
                 if (restoreSelection && selectionLocationToRestore > locationInRoot + relativeReplacementLocation + relativeReplacementLength) {
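Review bot: the adjusted length passed to NSMakeRange on the added replaceRangeForSpellChecking line is still not checked against the replacement string before substringWithRange: is called. The expression relativeReplacementLength + [annotatedString.string length] - length can fall below zero when the replacement is much shorter than the replaced text, and if the operands are unsigned that wraps to a very large length, which substringWithRange: rejects with the same out-of-range exception this change is meant to stop. Suggest computing the adjusted length into a named local, verifying that relativeReplacementLocation plus that length does not exceed [annotatedString.string length], and skipping the replacement when the range is invalid. The diff also touches only the ChangeLog and this file, so there is no regression test for the shorter-replacement case the log message describes.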
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
