Title: [295730] trunk/Source/WebCore/editing/cocoa/DataDetection.mm
Revision: 295730
Author: [email protected]
Date: 2022-06-22 08:16:08 -0700 (Wed, 22 Jun 2022)

Log Message

Crash under WebCore::DataDetection::detectContentInRange()
https://bugs.webkit.org/show_bug.cgi?id=241823
<rdar://95110928>

Reviewed by Wenson Hsieh.

The crash occurs in the wild when calling TextIterator::range() while
TextIterator::m_positionNode is null. Do some hardening and early return before
calling TextIterator::range() when TextIterator::atEnd() returns true to avoid
the issue.

* Source/WebCore/editing/cocoa/DataDetection.mm:
(WebCore::DataDetection::detectContentInRange):

Canonical link: https://commits.webkit.org/251735@main

Modified Paths

* trunk/Source/WebCore/editing/cocoa/DataDetection.mm
Diff

Modified: trunk/Source/WebCore/editing/cocoa/DataDetection.mm (295729 => 295730)


--- trunk/Source/WebCore/editing/cocoa/DataDetection.mm	2022-06-22 13:40:19 UTC (rev 295729)
+++ trunk/Source/WebCore/editing/cocoa/DataDetection.mm	2022-06-22 15:16:08 UTC (rev 295730)
@@ -498,8 +498,12 @@
         for (auto& result : allResults) {
             DDQueryRange queryRange = PAL::softLink_DataDetectorsCore_DDResultGetQueryRangeForURLification(result.get());
             CFIndex iteratorTargetAdvanceCount = (CFIndex)PAL::softLink_DataDetectorsCore_DDScanQueryGetFragmentMetaData(scanQuery.get(), queryRange.start.queryIndex);
-            for (; iteratorCount < iteratorTargetAdvanceCount; ++iteratorCount)
+            for (; iteratorCount < iteratorTargetAdvanceCount && !iterator.atEnd(); ++iteratorCount)
                 iterator.advance();
+            if (iterator.atEnd()) {
+                ASSERT_NOT_REACHED();
+                return nil;
+            }
 
             Vector<SimpleRange> fragmentRanges;
             CFIndex fragmentIndex = queryRange.start.queryIndex;
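Review bot: `ASSERT_NOT_REACHED()` followed by `return nil` means debug builds will still trap on exactly the input that crashes in the wild (the commit message says this path is observed in the wild), so the assertion does not describe an invariant that actually holds; either drop the assert and keep the plain early return with a short comment pointing at the bug, or keep it only if a mismatch between the DataDetectors fragment metadata and the text the iterator walked is genuinely expected never to occur. It is also worth a comment that returning nil abandons every entry in `allResults`, not just the one whose `iteratorTargetAdvanceCount` overran the iterator, so callers see no detections at all for the range; failing closed is the safe choice here, but it should read as deliberate.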
@@ -517,8 +521,12 @@
             while (fragmentIndex < queryRange.end.queryIndex) {
                 ++fragmentIndex;
                 iteratorTargetAdvanceCount = (CFIndex)PAL::softLink_DataDetectorsCore_DDScanQueryGetFragmentMetaData(scanQuery.get(), fragmentIndex);
-                for (; iteratorCount < iteratorTargetAdvanceCount; ++iteratorCount)
+                for (; iteratorCount < iteratorTargetAdvanceCount && !iterator.atEnd(); ++iteratorCount)
                     iterator.advance();
+                if (iterator.atEnd()) {
+                    ASSERT_NOT_REACHED();
+                    return nil;
+                }
 
                 auto fragmentRange = iterator.range();
                 if (fragmentIndex == queryRange.end.queryIndex)
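Review bot: This guard is a verbatim copy of the one added to the outer loop, including the `&& !iterator.atEnd()` loop condition and the `ASSERT_NOT_REACHED(); return nil;` block; factoring the advance-then-check into one small helper (for example a lambda that returns false when the iterator reaches the end before `iteratorCount` catches up with `iteratorTargetAdvanceCount`) would keep the two sites from drifting apart and make the bail-out reason visible at `auto fragmentRange = iterator.range();`, which is the call the commit message identifies as dereferencing a null `m_positionNode`. Either way, a one-line comment above the check stating that `range()` must not be called once `atEnd()` is true would document the invariant for the next reader.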
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes