Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 5b2b4fad4b780828737701c58ae521158bda8e96
      
https://github.com/WebKit/WebKit/commit/5b2b4fad4b780828737701c58ae521158bda8e96
  Author: Yulun Wu <[email protected]>
  Date:   2025-06-13 (Fri, 13 Jun 2025)

  Changed paths:
    M Source/WebCore/layout/formattingContexts/inline/InlineContentConstrainer.cpp

  Log Message:
  -----------
  [Text-Wrap-Style] Mitigate a crash caused by a cycle in text-wrap-style:pretty.
https://bugs.webkit.org/show_bug.cgi?id=294358
<rdar://153030733>

Reviewed by Alan Baradlay.

This PR mitigates a crash seen in the InlineContentConstrainer where
Vector<LayoutUnit> widths overflows when expanding capacity and crashes.
These changes are speculative as I have not been able to reproduce this.

This crash is caused by a bug in our state tracker that creates a cycle.
This causes our breakpoint backtracking to infinitely loop, resulting in
a buffer overflow when we try to reserve more capacity.

This PR mitigates this issue in a few ways.

The most important mitigation is that we now assert that breakIndex
decreases each step of the backtrack. When this assert fails,
we fall back to auto greedy line wrapping. This should patch the customer
experience while allowing debug builds/fuzzers to reproduce the bug.

Additionally, this PR adds an assertion that breakIndex > StartIndex
and breakIndex > firstStartIndex, as well as makes some changes to the
initial state and search space pruning step to comply with these assertions.

Combined changes:
* Source/WebCore/layout/formattingContexts/inline/InlineContentConstrainer.cpp:
(WebCore::Layout::InlineContentConstrainer::prettifyRange):

Canonical link: https://commits.webkit.org/296200@main
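
The guard the log message describes, sketched as an added example (not WebKit's code and not part of this commit): a backtrack over a predecessor table that must move strictly backwards on every step, with a greedy fallback when it does not. `PreviousBreakTable`, `backtrackBreaks`, `greedyBreaks` and `chooseBreaks` are hypothetical names, and plain `int` widths stand in for `LayoutUnit`.

```cpp
#include <cstddef>
#include <optional>
#include <vector>

// Hypothetical stand-in for the state tracker: previous[i] is the break that
// precedes break i on the chosen path. Sized widths.size() + 1.
using PreviousBreakTable = std::vector<size_t>;

// Walks from lastBreak back to startIndex. Returns std::nullopt when a step
// does not move strictly backwards, which is how a cycle in the table shows up.
std::optional<std::vector<size_t>> backtrackBreaks(const PreviousBreakTable& previous, size_t startIndex, size_t lastBreak)
{
    if (lastBreak >= previous.size() || lastBreak <= startIndex)
        return std::nullopt;
    std::vector<size_t> breaks;
    size_t breakIndex = lastBreak;
    while (breakIndex > startIndex) {
        breaks.push_back(breakIndex);
        size_t next = previous[breakIndex];
        // Strict decrease caps the loop at lastBreak - startIndex iterations,
        // so `breaks` cannot grow without bound.
        if (next >= breakIndex || next < startIndex)
            return std::nullopt;
        breakIndex = next;
    }
    return std::vector<size_t>(breaks.rbegin(), breaks.rend());
}

// Greedy fallback: fill each line until the next item would not fit.
std::vector<size_t> greedyBreaks(const std::vector<int>& widths, int lineWidth)
{
    std::vector<size_t> breaks;
    int used = 0;
    for (size_t i = 0; i < widths.size(); ++i) {
        if (used && used + widths[i] > lineWidth) {
            breaks.push_back(i);
            used = 0;
        }
        used += widths[i];
    }
    breaks.push_back(widths.size());
    return breaks;
}

// Uses the backtracked result when the table is sound, greedy wrapping otherwise.
std::vector<size_t> chooseBreaks(const PreviousBreakTable& previous, const std::vector<int>& widths, int lineWidth)
{
    auto pretty = backtrackBreaks(previous, 0, widths.size());
    return pretty ? *pretty : greedyBreaks(widths, lineWidth);
}
```
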


