Changeset 121921 in webkit


Ignore:
Timestamp:
Jul 5, 2012 1:03:40 PM (12 years ago)
Author:
leandrogracia@chromium.org
Message:

Character iterators should not advance if they are at end
https://bugs.webkit.org/show_bug.cgi?id=90560

Reviewed by Ryosuke Niwa.

Source/WebCore:

CharacterIterator and BackwardsCharacterIterator try to advance their
internal TextIterator without checking if they already are at end.
This can cause crashes in TextIterator::advance.

Test: platform/chromium/editing/surrounding-text/surrounding-text.html

  • editing/SurroundingText.cpp:

(WebCore::SurroundingText::SurroundingText):

  • editing/TextIterator.cpp:

(WebCore::CharacterIterator::advance):
(WebCore::BackwardsCharacterIterator::advance):

LayoutTests:

Add a new test case where character iterators are already at end when
trying to advance. This was caught by Chromium's address sanitizer
here: http://code.google.com/p/chromium/issues/detail?id=135705

  • platform/chromium/editing/surrounding-text/surrounding-text-expected.txt:
  • platform/chromium/editing/surrounding-text/surrounding-text.html:
Location:
trunk
Files:
6 edited

Legend:

Unmodified
Added
Removed

  • trunk/LayoutTests/ChangeLog

    r121913 r121921  
     12012-07-05  Leandro Gracia Gil  <leandrogracia@chromium.org>
     2
     3        Character iterators should not advance if they are at end
     4        https://bugs.webkit.org/show_bug.cgi?id=90560
     5
     6        Reviewed by Ryosuke Niwa.
     7
     8        Add a new test case where character iterators are already at end when
     9        trying to advance. This was caught by Chromium's address sanitizer
     10        here: http://code.google.com/p/chromium/issues/detail?id=135705
     11
     12        * platform/chromium/editing/surrounding-text/surrounding-text-expected.txt:
     13        * platform/chromium/editing/surrounding-text/surrounding-text.html:
     14
    1152012-07-05  Alexey Proskuryakov  <ap@apple.com>
    216

  • trunk/LayoutTests/platform/chromium/editing/surrounding-text/surrounding-text-expected.txt

    r121713 r121921  
    1616PASS surroundingText('<option>.</option>12345<button id="here">test</button><option>.</option>', 0, 100) is ""
    1717PASS surroundingText('<option>.</option>12345<button>te<span id="here">st</span></button><option>.</option>', 0, 100) is ""
     18PASS surroundingText('<p id="here">.', 0, 2) is "."
    1819PASS successfullyParsed is true
    1920

  • trunk/LayoutTests/platform/chromium/editing/surrounding-text/surrounding-text.html

    r121713 r121921  
    4141    shouldBeEqualToString('surroundingText(\'<option>.</option>12345<button id="here">test</button><option>.</option>\', 0, 100)', '');
    4242    shouldBeEqualToString('surroundingText(\'<option>.</option>12345<button>te<span id="here">st</span></button><option>.</option>\', 0, 100)', '');
     43    shouldBeEqualToString('surroundingText(\'<p id="here">.\', 0, 2)', '.');
    4344
    4445    document.body.removeChild(document.getElementById('test'));

  • trunk/Source/WebCore/ChangeLog

    r121920 r121921  
     12012-07-05  Leandro Gracia Gil  <leandrogracia@chromium.org>
     2
     3        Character iterators should not advance if they are at end
     4        https://bugs.webkit.org/show_bug.cgi?id=90560
     5
     6        Reviewed by Ryosuke Niwa.
     7
     8        CharacterIterator and BackwardsCharacterIterator try to advance their
     9        internal TextIterator without checking if they already are at end.
     10        This can cause crashes in TextIterator::advance.
     11
     12        Test: platform/chromium/editing/surrounding-text/surrounding-text.html
     13
     14        * editing/SurroundingText.cpp:
     15        (WebCore::SurroundingText::SurroundingText):
     16        * editing/TextIterator.cpp:
     17        (WebCore::CharacterIterator::advance):
     18        (WebCore::BackwardsCharacterIterator::advance):
     19
    1202012-07-05  John Mellor  <johnme@chromium.org>
    221

  • trunk/Source/WebCore/editing/SurroundingText.cpp

    r112389 r121921  
    4646    const unsigned halfMaxLength = maxLength / 2;
    4747    CharacterIterator forwardIterator(makeRange(visiblePosition, endOfDocument(visiblePosition)).get(), TextIteratorStopsOnFormControls);
    48     forwardIterator.advance(maxLength - halfMaxLength);
     48    if (!forwardIterator.atEnd())
     49        forwardIterator.advance(maxLength - halfMaxLength);
    4950
    5051    Position position = visiblePosition.deepEquivalent().parentAnchoredEquivalent();
     
    5455
    5556    BackwardsCharacterIterator backwardsIterator(makeRange(startOfDocument(visiblePosition), visiblePosition).get(), TextIteratorStopsOnFormControls);
    56     backwardsIterator.advance(halfMaxLength);
     57    if (!backwardsIterator.atEnd())
     58        backwardsIterator.advance(halfMaxLength);
    5759
    5860    m_positionOffsetInContent = Range::create(document, backwardsIterator.range()->endPosition(), position)->text().length();

  • trunk/Source/WebCore/editing/TextIterator.cpp

    r121123 r121921  
    14071407void CharacterIterator::advance(int count)
    14081408{
     1409    ASSERT(!atEnd());
     1410
    14091411    if (count <= 0) {
    14101412        ASSERT(count == 0);
     
    15151517void BackwardsCharacterIterator::advance(int count)
    15161518{
     1519    ASSERT(!atEnd());
     1520
    15171521    if (count <= 0) {
    15181522        ASSERT(!count);
Note: See TracChangeset for help on using the changeset viewer.