Title: [275011] trunk/Source/WebKit
Revision: 275011
Author: [email protected]
Date: 2021-03-24 22:46:13 -0700 (Wed, 24 Mar 2021)

Log Message

Crash in TextChecker::updateSpellingUIWithGrammarString()
https://bugs.webkit.org/show_bug.cgi?id=223716

Patch by Julian Gonzalez <[email protected]> on 2021-03-24
Reviewed by Ryosuke Niwa.

Prevent a crash by checking the GrammarDetail's range.

* UIProcess/mac/TextCheckerMac.mm:
(WebKit::TextChecker::updateSpellingUIWithGrammarString):

Modified Paths

trunk/Source/WebKit/ChangeLog
trunk/Source/WebKit/UIProcess/mac/TextCheckerMac.mm

Diff

Modified: trunk/Source/WebKit/ChangeLog (275010 => 275011)


--- trunk/Source/WebKit/ChangeLog	2021-03-25 05:38:29 UTC (rev 275010)
+++ trunk/Source/WebKit/ChangeLog	2021-03-25 05:46:13 UTC (rev 275011)
@@ -1,3 +1,15 @@
+2021-03-24  Julian Gonzalez  <[email protected]>
+
+        Crash in TextChecker::updateSpellingUIWithGrammarString()
+        https://bugs.webkit.org/show_bug.cgi?id=223716
+
+        Reviewed by Ryosuke Niwa.
+
+        Prevent a crash by checking the GrammarDetail's range.
+
+        * UIProcess/mac/TextCheckerMac.mm:
+        (WebKit::TextChecker::updateSpellingUIWithGrammarString):
+
 2021-03-24  Simon Fraser  <[email protected]>
 
         Add DisplayLink log channels in WebCore and WebKit
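Review bot: the ChangeLog entry says what the fix does ("checking the GrammarDetail's range") but not what was wrong, so a reader of the log cannot tell which condition crashed; one sentence noting that a GrammarDetail whose range overflows or extends past badGrammarPhrase is now dropped instead of being handed to the spelling UI would make the entry match the added check and save a trip to the bug.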

Modified: trunk/Source/WebKit/UIProcess/mac/TextCheckerMac.mm (275010 => 275011)


--- trunk/Source/WebKit/UIProcess/mac/TextCheckerMac.mm	2021-03-25 05:38:29 UTC (rev 275010)
+++ trunk/Source/WebKit/UIProcess/mac/TextCheckerMac.mm	2021-03-25 05:46:13 UTC (rev 275011)
@@ -31,6 +31,7 @@
 #import "TextCheckerState.h"
 #import <WebCore/NotImplemented.h>
 #import <pal/spi/mac/NSSpellCheckerSPI.h>
+#import <wtf/CheckedArithmetic.h>
 #import <wtf/NeverDestroyed.h>
 #import <wtf/RetainPtr.h>
 #import <wtf/cocoa/VectorCocoa.h>
@@ -436,6 +437,13 @@
 
 void TextChecker::updateSpellingUIWithGrammarString(SpellDocumentTag, const String& badGrammarPhrase, const GrammarDetail& grammarDetail)
 {
+    Checked<uint64_t, RecordOverflow> endOfRangeChecked = grammarDetail.range.location;
+    endOfRangeChecked += grammarDetail.range.length;
+
+    uint64_t endOfRange;
+    if (endOfRangeChecked.safeGet(endOfRange) == CheckedState::DidOverflow || endOfRange >= badGrammarPhrase.length())
+        return;
+
     NSDictionary *detail = @{
         NSGrammarRange : [NSValue valueWithRange:grammarDetail.range],
         NSGrammarUserDescription : grammarDetail.userDescription,
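Review bot: the bound `endOfRange >= badGrammarPhrase.length()` also rejects a detail whose range ends exactly at the end of the phrase (location + length == length), which is a valid range for valueWithRange: since the end is exclusive; if the intent is only to drop ranges that run past the string, `>` is the comparison to use, so please confirm which was meant. The early `return` also drops the grammar detail silently; a short comment above the check saying that an overflowing or out-of-range GrammarDetail is ignored rather than passed to NSSpellChecker would document the bug being fixed for the next reader.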
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
