Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 8dd4f788a5958cfebb8d7032576054efa9ed21a3
https://github.com/WebKit/WebKit/commit/8dd4f788a5958cfebb8d7032576054efa9ed21a3
Author: Yulun Wu <[email protected]>
Date: 2026-04-21 (Tue, 21 Apr 2026)
Changed paths:
  A LayoutTests/fast/css3-text/css3-text-wrap/text-wrap-pretty-line-break-crash-6-expected.txt
  A LayoutTests/fast/css3-text/css3-text-wrap/text-wrap-pretty-line-break-crash-6.html
  M Source/WebCore/layout/formattingContexts/inline/InlineContentConstrainer.cpp
Log Message:
-----------
[text-wrap] Fix crash in text-wrap-pretty due to index type confusion
https://bugs.webkit.org/show_bug.cgi?id=306377
<rdar://168927397>
Reviewed by Alan Baradlay.
The text-wrap-pretty algorithm was storing indices into the breakOpportunities
array in InlineItemPosition::index, but this field expects inline item indices.
This type confusion caused out-of-bounds access when hyphenation created
additional breaks.
This patch fixes the crash by:
1. Storing actual inline item indices (breakOpportunities[i]) instead of
   breakOpportunities array indices in state[].lineEnd
2. Adding bounds checking before accessing m_inlineItemList
3. Fixing unsigned integer underflow in hasEnoughItemsForNextLine check by
rewriting the comparison to use addition instead of subtraction
* LayoutTests/fast/css3-text/css3-text-wrap/text-wrap-pretty-line-break-crash-6-expected.txt: Added.
* LayoutTests/fast/css3-text/css3-text-wrap/text-wrap-pretty-line-break-crash-6.html: Added.
* Source/WebCore/layout/formattingContexts/inline/InlineContentConstrainer.cpp:
(WebCore::Layout::InlineContentConstrainer::layoutSingleLineForPretty):
(WebCore::Layout::InlineContentConstrainer::prettifyRange):
Originally-landed-as: 305413.232@safari-7624-branch (551e424600a5).
rdar://173968920
Canonical link: https://commits.webkit.org/311743@main
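The commit message above names two defect classes worth seeing side by side: an index drawn from one array (breakOpportunities) being used as if it indexed another (the inline item list), and an unsigned comparison of the form `a - b >= c` that wraps to a huge value when `b > a`. The block below is an added illustration written for this page, not WebKit's code; `InlineItem`, `sampleItems`, `sampleBreakOpportunities`, `hasEnoughItemsSubtractive`, `hasEnoughItemsAdditive`, `widthAtBreakConfused` and `widthAtBreak` are hypothetical stand-ins chosen to mirror the pattern the message describes. It shows the wrapping comparison beside the addition-based rewrite (with the overflow guard the rewrite needs), and the confused indexing beside the translated, bounds-checked form.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <optional>
#include <vector>

// Hypothetical stand-in for an inline item; the real WebKit types are not reproduced here.
struct InlineItem {
    unsigned width;
};

// Constructed sample data: four inline items and a list of break opportunities
// holding *inline item* indices. The last entry (9) is deliberately out of range
// to model the "hyphenation created additional breaks" situation.
std::vector<InlineItem> sampleItems()
{
    return { { 10 }, { 20 }, { 30 }, { 40 } };
}

std::vector<size_t> sampleBreakOpportunities()
{
    return { 1, 3, 9 };
}

// Defective form: if lineEnd exceeds itemCount, `itemCount - lineEnd` wraps to a
// value near SIZE_MAX and the check passes when it should fail.
bool hasEnoughItemsSubtractive(size_t itemCount, size_t lineEnd, size_t minimumItems)
{
    return itemCount - lineEnd >= minimumItems;
}

// Rewritten form: no intermediate can go "negative". The addition itself must be
// guarded, otherwise `lineEnd + minimumItems` could wrap just as silently.
bool hasEnoughItemsAdditive(size_t itemCount, size_t lineEnd, size_t minimumItems)
{
    if (lineEnd > SIZE_MAX - minimumItems)
        return false; // lineEnd + minimumItems would overflow; treat as "not enough"
    return itemCount >= lineEnd + minimumItems;
}

// Type-confused form: a breakOpportunities index is applied directly to the item
// list. Even with a bounds check it returns the wrong item; without one it reads
// past the end as soon as the break list grows beyond the item list.
std::optional<unsigned> widthAtBreakConfused(const std::vector<InlineItem>& items,
                                             size_t breakIndex)
{
    if (breakIndex >= items.size())
        return std::nullopt;
    return items[breakIndex].width;
}

// Corrected form: translate the break index into an inline item index first, and
// bounds-check both lookups before touching memory.
std::optional<unsigned> widthAtBreak(const std::vector<InlineItem>& items,
                                     const std::vector<size_t>& breakOpportunities,
                                     size_t breakIndex)
{
    if (breakIndex >= breakOpportunities.size())
        return std::nullopt;
    size_t itemIndex = breakOpportunities[breakIndex];
    if (itemIndex >= items.size())
        return std::nullopt;
    return items[itemIndex].width;
}

int main()
{
    const auto items = sampleItems();
    const auto breaks = sampleBreakOpportunities();

    // 5 items, lineEnd already past the end (7), need 1 more: the subtractive
    // check wrongly says "enough", the additive one correctly says "not enough".
    std::cout << "subtractive: " << hasEnoughItemsSubtractive(5, 7, 1) << '\n';
    std::cout << "additive:    " << hasEnoughItemsAdditive(5, 7, 1) << '\n';

    // Break 1 maps to item 3 (width 40); the confused lookup returns item 1 instead.
    std::cout << "confused:  " << widthAtBreakConfused(items, 1).value_or(0) << '\n';
    std::cout << "correct:   " << widthAtBreak(items, breaks, 1).value_or(0) << '\n';
    // Break 2 maps to item 9, which does not exist: rejected instead of read out of bounds.
    std::cout << "oob break: " << widthAtBreak(items, breaks, 2).has_value() << '\n';
    return 0;
}
```

The addition rewrite is only safe because of the guard on the first line of `hasEnoughItemsAdditive`; dropping it trades an underflow for an overflow with the same effect on the comparison.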