Title: [121921] trunk
Revision
121921
Author
leandrogra...@chromium.org
Date
2012-07-05 13:03:40 -0700 (Thu, 05 Jul 2012)

Log Message

Character iterators should not advance if they are at end
https://bugs.webkit.org/show_bug.cgi?id=90560

Reviewed by Ryosuke Niwa.

Source/WebCore:

CharacterIterator and BackwardsCharacterIterator try to advance their
internal TextIterator without checking if they already are at end.
This can cause crashes in TextIterator::advance.

Test: platform/chromium/editing/surrounding-text/surrounding-text.html

* editing/SurroundingText.cpp:
(WebCore::SurroundingText::SurroundingText):
* editing/TextIterator.cpp:
(WebCore::CharacterIterator::advance):
(WebCore::BackwardsCharacterIterator::advance):

LayoutTests:

Add a new test case where character iterators are already at end when
trying to advance. This was caught by Chromium's address sanitizer
here: http://code.google.com/p/chromium/issues/detail?id=135705

* platform/chromium/editing/surrounding-text/surrounding-text-expected.txt:
* platform/chromium/editing/surrounding-text/surrounding-text.html:

Modified Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (121920 => 121921)


--- trunk/LayoutTests/ChangeLog	2012-07-05 19:57:22 UTC (rev 121920)
+++ trunk/LayoutTests/ChangeLog	2012-07-05 20:03:40 UTC (rev 121921)
@@ -1,3 +1,17 @@
+2012-07-05  Leandro Gracia Gil  <leandrogra...@chromium.org>
+
+        Character iterators should not advance if they are at end
+        https://bugs.webkit.org/show_bug.cgi?id=90560
+
+        Reviewed by Ryosuke Niwa.
+
+        Add a new test case where character iterators are already at end when
+        trying to advance. This was caught by Chromium's address sanitizer
+        here: http://code.google.com/p/chromium/issues/detail?id=135705
+
+        * platform/chromium/editing/surrounding-text/surrounding-text-expected.txt:
+        * platform/chromium/editing/surrounding-text/surrounding-text.html:
+
 2012-07-05  Alexey Proskuryakov  <a...@apple.com>
 
         [Mac][WK2] Enable HTTPS tests

Modified: trunk/LayoutTests/platform/chromium/editing/surrounding-text/surrounding-text-expected.txt (121920 => 121921)


--- trunk/LayoutTests/platform/chromium/editing/surrounding-text/surrounding-text-expected.txt	2012-07-05 19:57:22 UTC (rev 121920)
+++ trunk/LayoutTests/platform/chromium/editing/surrounding-text/surrounding-text-expected.txt	2012-07-05 20:03:40 UTC (rev 121921)
@@ -15,6 +15,7 @@
 PASS surroundingText('<button>.</button><div id="here">012345678901234567890123456789</div><button>.</button>', 15, 12) is "901234567890"
 PASS surroundingText('<option>.</option>12345<button id="here">test</button><option>.</option>', 0, 100) is ""
 PASS surroundingText('<option>.</option>12345<button>te<span id="here">st</span></button><option>.</option>', 0, 100) is ""
+PASS surroundingText('<p id="here">.', 0, 2) is "."
 PASS successfullyParsed is true
 
 TEST COMPLETE

Modified: trunk/LayoutTests/platform/chromium/editing/surrounding-text/surrounding-text.html (121920 => 121921)


--- trunk/LayoutTests/platform/chromium/editing/surrounding-text/surrounding-text.html	2012-07-05 19:57:22 UTC (rev 121920)
+++ trunk/LayoutTests/platform/chromium/editing/surrounding-text/surrounding-text.html	2012-07-05 20:03:40 UTC (rev 121921)
@@ -40,6 +40,7 @@
     shouldBeEqualToString('surroundingText(\'<button>.</button><div id="here">012345678901234567890123456789</div><button>.</button>\', 15, 12)', '901234567890');
     shouldBeEqualToString('surroundingText(\'<option>.</option>12345<button id="here">test</button><option>.</option>\', 0, 100)', '');
     shouldBeEqualToString('surroundingText(\'<option>.</option>12345<button>te<span id="here">st</span></button><option>.</option>\', 0, 100)', '');
+    shouldBeEqualToString('surroundingText(\'<p id="here">.\', 0, 2)', '.');
 
     document.body.removeChild(document.getElementById('test'));
     finishJSTest();

Modified: trunk/Source/WebCore/ChangeLog (121920 => 121921)


--- trunk/Source/WebCore/ChangeLog	2012-07-05 19:57:22 UTC (rev 121920)
+++ trunk/Source/WebCore/ChangeLog	2012-07-05 20:03:40 UTC (rev 121921)
@@ -1,3 +1,22 @@
+2012-07-05  Leandro Gracia Gil  <leandrogra...@chromium.org>
+
+        Character iterators should not advance if they are at end
+        https://bugs.webkit.org/show_bug.cgi?id=90560
+
+        Reviewed by Ryosuke Niwa.
+
+        CharacterIterator and BackwardsCharacterIterator try to advance their
+        internal TextIterator without checking if they already are at end.
+        This can cause crashes in TextIterator::advance.
+
+        Test: platform/chromium/editing/surrounding-text/surrounding-text.html
+
+        * editing/SurroundingText.cpp:
+        (WebCore::SurroundingText::SurroundingText):
+        * editing/TextIterator.cpp:
+        (WebCore::CharacterIterator::advance):
+        (WebCore::BackwardsCharacterIterator::advance):
+
 2012-07-05  John Mellor  <joh...@chromium.org>
 
         Text Autosizing: Add basic framework

Modified: trunk/Source/WebCore/editing/SurroundingText.cpp (121920 => 121921)


--- trunk/Source/WebCore/editing/SurroundingText.cpp	2012-07-05 19:57:22 UTC (rev 121920)
+++ trunk/Source/WebCore/editing/SurroundingText.cpp	2012-07-05 20:03:40 UTC (rev 121921)
@@ -45,7 +45,8 @@
 {
     const unsigned halfMaxLength = maxLength / 2;
     CharacterIterator forwardIterator(makeRange(visiblePosition, endOfDocument(visiblePosition)).get(), TextIteratorStopsOnFormControls);
-    forwardIterator.advance(maxLength - halfMaxLength);
+    if (!forwardIterator.atEnd())
+        forwardIterator.advance(maxLength - halfMaxLength);
 
     Position position = visiblePosition.deepEquivalent().parentAnchoredEquivalent();
     Document* document = position.document();
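Review bot: The new guard covers only the `forwardIterator.advance(...)` call itself, while `forwardIterator.range()` is still dereferenced unconditionally further down (visible at the end of the second hunk, where `backwardsIterator.range()->endPosition()` and `forwardIterator.range()->startPosition()` are used without a check). Whether `range()` yields a non-null Range for an iterator that starts out at end is not visible in this diff; if it can be null, the failure merely moves from the advance() call to those dereferences, so either a null check or a comment stating the invariant is warranted. The same guard pattern appears in the hunk at `@@ -53,7 +54,8 @@`, so the point applies there as well. A one-line why-comment above each guard would also help readers, e.g. `// advance() asserts !atEnd(); the range may already be exhausted.` The enclosing constructor starts before this hunk.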
@@ -53,7 +54,8 @@
         return;
 
     BackwardsCharacterIterator backwardsIterator(makeRange(startOfDocument(visiblePosition), visiblePosition).get(), TextIteratorStopsOnFormControls);
-    backwardsIterator.advance(halfMaxLength);
+    if (!backwardsIterator.atEnd())
+        backwardsIterator.advance(halfMaxLength);
 
     m_positionOffsetInContent = Range::create(document, backwardsIterator.range()->endPosition(), position)->text().length();
     m_contentRange = Range::create(document, backwardsIterator.range()->endPosition(), forwardIterator.range()->startPosition());

Modified: trunk/Source/WebCore/editing/TextIterator.cpp (121920 => 121921)


--- trunk/Source/WebCore/editing/TextIterator.cpp	2012-07-05 19:57:22 UTC (rev 121920)
+++ trunk/Source/WebCore/editing/TextIterator.cpp	2012-07-05 20:03:40 UTC (rev 121921)
@@ -1406,6 +1406,8 @@
 
 void CharacterIterator::advance(int count)
 {
+    ASSERT(!atEnd());
+
     if (count <= 0) {
         ASSERT(count == 0);
         return;
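Review bot: `ASSERT(!atEnd())` is compiled out in release builds, so a caller that reaches `advance()` at end still falls through to the TextIterator::advance path the ChangeLog describes as crashing; the fix relies entirely on every caller checking `atEnd()` first. Since the ChangeLog says this was caught by AddressSanitizer, consider making the guard effective in release too, e.g. `if (atEnd()) return;` ahead of the count check (keeping the ASSERT if the debug signal is wanted), or at least document the precondition on the declaration: `// Precondition: !atEnd(). Callers must check before advancing.` Placing the ASSERT before the `count <= 0` early return also means `advance(0)` on an at-end iterator now asserts, which may not be intended. The same applies to the BackwardsCharacterIterator::advance hunk at `@@ -1514,6 +1516,8 @@`. Both function bodies continue past their hunks.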
@@ -1514,6 +1516,8 @@
 
 void BackwardsCharacterIterator::advance(int count)
 {
+    ASSERT(!atEnd());
+
     if (count <= 0) {
         ASSERT(!count);
         return;