Skip to site navigation (Press enter)

[webkit-changes] [276940] trunk/Source/WebCore

commit-queue Mon, 03 May 2021 18:12:57 -0700

Title: [276940] trunk/Source/WebCore

Revision: 276940
Author: [email protected]
Date: 2021-05-03 18:12:16 -0700 (Mon, 03 May 2021)

Log Message

Crash in WebCore::nextBoundary()
https://bugs.webkit.org/show_bug.cgi?id=225326


Patch by Julian Gonzalez <[email protected]> on 2021-05-03
Reviewed by Ryosuke Niwa.

nextBoundary() creates a CharacterIterator and calls range() on it
without first checking if atEnd() has been reached, which can lead
to a null pointer dereference.

* editing/VisibleUnits.cpp:
(WebCore::nextBoundary):

Modified Paths

trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/editing/VisibleUnits.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (276939 => 276940)


--- trunk/Source/WebCore/ChangeLog	2021-05-04 01:02:59 UTC (rev 276939)
+++ trunk/Source/WebCore/ChangeLog	2021-05-04 01:12:16 UTC (rev 276940)
@@ -1,3 +1,17 @@
+2021-05-03  Julian Gonzalez  <[email protected]>
+
+        Crash in WebCore::nextBoundary()
+        https://bugs.webkit.org/show_bug.cgi?id=225326
+
+        Reviewed by Ryosuke Niwa.
+
+        nextBoundary() creates a CharacterIterator and calls range() on it
+        without first checking if atEnd() has been reached, which can lead
+        to a null pointer dereference.
+
+        * editing/VisibleUnits.cpp:
+        (WebCore::nextBoundary):
+
 2021-05-03  Alex Christensen  <[email protected]>
 
         WKWebView: WKURLSchemeHandler request don't have Range headers for custom scheme videos

Modified: trunk/Source/WebCore/editing/VisibleUnits.cpp (276939 => 276940)


--- trunk/Source/WebCore/editing/VisibleUnits.cpp	2021-05-04 01:02:59 UTC (rev 276939)
+++ trunk/Source/WebCore/editing/VisibleUnits.cpp	2021-05-04 01:12:16 UTC (rev 276940)
@@ -610,6 +610,9 @@
         // Use the character iterator to translate the next value into a DOM position.
         CharacterIterator charIt(*searchRange, TextIteratorEmitsCharactersBetweenAllVisiblePositions);
         charIt.advance(next - prefixLength - 1);
+        if (charIt.atEnd())
+            return { };
+
         auto characterRange = charIt.range();
         pos = makeDeprecatedLegacyPosition(characterRange.end);

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes