Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 03015890a6a276e1836e96bded758609ac1cd501
https://github.com/WebKit/WebKit/commit/03015890a6a276e1836e96bded758609ac1cd501
Author: David Kilzer <[email protected]>
Date: 2026-06-15 (Mon, 15 Jun 2026)
Changed paths:
M LayoutTests/editing/text-iterator/findString-expected.txt
M LayoutTests/editing/text-iterator/findString.html
M Source/WebCore/editing/ICUSearcher.cpp
Log Message:
-----------
REGRESSION (311049@main): Clamp the word-boundary search index to the context
buffer length in isWordStartMatch()
<https://bugs.webkit.org/show_bug.cgi?id=317083>
<rdar://179591659>

Reviewed by Cole Carley.

In `isWordStartMatch()`, the buffer is first trimmed to a context window
by `extractSubspanIncludingContextNeededForDictionaryBasedWordBreak()`,
which can return a span shorter than the original match range when the
trailing characters do not require dictionary context. The full-buffer
invariant `start + length <= buffer.size()` does not carry over to the
trimmed span, so `adjustedStart + length` can exceed `contextBuffer`'s
length and be passed to `findNextWordFromIndex()` as a starting index
beyond the end of the string it builds, reading out of bounds.

Clamp the starting index to `contextBuffer.size()` before the search.
The clamp never drops below `adjustedStart` because the trimmed span
always includes `start`, so the search loop's termination is preserved.

Test: editing/text-iterator/findString.html

* LayoutTests/editing/text-iterator/findString.html:
- Add an AtWordStarts test case whose match starts in a complex-context
(Thai) run but extends past it, exercising the trimmed-window path.
* LayoutTests/editing/text-iterator/findString-expected.txt:
- Update results.
* Source/WebCore/editing/ICUSearcher.cpp:
(WebCore::isWordStartMatch):

Canonical link: https://commits.webkit.org/315233@main
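
The index arithmetic described in the log message, as an added C++ model that is not WebKit's code and not part of the commit: `trimToContext()` and `wordBoundarySearchIndex()` are hypothetical stand-ins, the window rule (keep only the contiguous Thai run around `start`) is an assumption, and the sample buffer is constructed.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <string>

// Constructed sample: "ab", four Thai code units (indices 2..5), then "cdef".
static const std::u16string kSample = u"ab\u0E01\u0E02\u0E03\u0E04cdef";

// Assumption: only code units in the Thai block need dictionary context.
static bool needsDictionaryContext(char16_t c) { return c >= 0x0E00 && c <= 0x0E7F; }

struct ContextWindow { std::size_t begin, end; }; // [begin, end) in the full buffer

// Hypothetical trimming step: the window always contains `start`, but it stops
// at the end of the complex-context run, so it can be shorter than the match.
ContextWindow trimToContext(const std::u16string& buffer, std::size_t start) {
    std::size_t begin = start, end = start;
    while (begin > 0 && needsDictionaryContext(buffer[begin - 1])) --begin;
    while (end < buffer.size() && needsDictionaryContext(buffer[end])) ++end;
    return { begin, end };
}

struct SearchIndex { std::size_t contextSize, adjustedStart, unclamped, clamped; };

// Computes the index that would seed the word-boundary search, with and
// without the clamp to the trimmed buffer's length.
SearchIndex wordBoundarySearchIndex(const std::u16string& buffer,
                                    std::size_t start, std::size_t length) {
    ContextWindow w = trimToContext(buffer, start);
    std::size_t contextSize = w.end - w.begin;
    std::size_t adjustedStart = start - w.begin;      // start rebased into the window
    std::size_t unclamped = adjustedStart + length;   // valid only for the full buffer
    std::size_t clamped = std::min(unclamped, contextSize);
    return { contextSize, adjustedStart, unclamped, clamped };
}

int main() {
    // Match starts inside the Thai run (index 4) and extends past it (length 4).
    SearchIndex r = wordBoundarySearchIndex(kSample, 4, 4);
    std::printf("context=%zu adjustedStart=%zu unclamped=%zu clamped=%zu\n",
                r.contextSize, r.adjustedStart, r.unclamped, r.clamped);
    return 0;
}
```
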