Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 33a3d65c563bda6fa15da4d0fffbe49b5ecd8aa6
https://github.com/WebKit/WebKit/commit/33a3d65c563bda6fa15da4d0fffbe49b5ecd8aa6
Author: Alan Baradlay <[email protected]>
Date: 2024-07-15 (Mon, 15 Jul 2024)
Changed paths:
M
Source/WebCore/layout/formattingContexts/inline/display/InlineDisplayLineBuilder.cpp
Log Message:
-----------
Crash in InlineDisplayLineBuilder::addLineClampTrailingLinkBoxIfApplicable
https://bugs.webkit.org/show_bug.cgi?id=276598
<rdar://129747945>
Reviewed by Antti Koivisto.
Speculative fix to address overflow crash in
addLineClampTrailingLinkBoxIfApplicable.
Normally insertion point for the [more info] content is somewhere in the middle
of the display box list.
e.g.
0 1 2 3 4 5 6 -> number of display boxes
0 1 2 3 4 [5 6] -> where [ ] is <a>more info</a> trailing display boxes
0 1 (2) 3 4 [5 6] -> where () is the insertion point (root inline box right
after the clamped line)
[more info] content is inserted right here by removing it first from the list
0 1 (2) 3 4
followed by checking if the clamped line has a trailing forced line break
(insertion point -1)
0 {1} (2) 3 4 -> where {} is the trailing display box on the clamped line
and inserting [more info] right after the clamped content (still on the
clamped line)
0 {1} [5 6] (2) 3 4
now if we incorrectly compute the insertion point as the trailing box
0 1 2 3 4 [{5} (6)]
after removing the trailing [more info] content
0 1 2 3 4
the trailing box check would fail (de-referencing [{5}])
*
Source/WebCore/layout/formattingContexts/inline/display/InlineDisplayLineBuilder.cpp:
(WebCore::Layout::InlineDisplayLineBuilder::addLineClampTrailingLinkBoxIfApplicable):
Canonical link: https://commits.webkit.org/280974@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
