Kent Tamura (Gerrit)

unread,

3:43 AM (8 hours ago) 3:43 AM

to Kent Tamura, Fredrik Söderquist, chromiu...@luci-project-accounts.iam.gserviceaccount.com, chromium...@chromium.org, blink-...@chromium.org

Attention needed from Fredrik Söderquist

Kent Tamura voted and added 1 comment

Votes added by Kent Tamura

Auto-Submit	+1
Commit-Queue	+1

1 comment

Patchset-level comments

File-level comment, Patchset 3 (Latest):

Kent Tamura . resolved

fs@, would you review this please?

Open in Gerrit

Related details

Attention is currently required from:

Fredrik Söderquist

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Fredrik Söderquist (Gerrit)

unread,

4:37 AM (7 hours ago) 4:37 AM

to Kent Tamura, chromiu...@luci-project-accounts.iam.gserviceaccount.com, chromium...@chromium.org, blink-...@chromium.org

Attention needed from Kent Tamura

Fredrik Söderquist voted

Code-Review	+1
Commit-Queue	+2

Open in Gerrit

Related details

Attention is currently required from:

Kent Tamura

Submit Requirements:

Code-Coverage
Code-Owners

Code-Review
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

open

diffy

chromium-scoped@luci-project-accounts.iam.gserviceaccount.com (Gerrit)

unread,

4:40 AM (7 hours ago) 4:40 AM

to Kent Tamura, Fredrik Söderquist, chromium...@chromium.org, blink-...@chromium.org

chromiu...@luci-project-accounts.iam.gserviceaccount.com submitted the change

Change information

Commit message:

TextIterator: Fix a crash in substr()

The TextIterator could crash in String::substr() when
TextIteratorBehavior::EmitsOriginalText() was enabled and the layout
object was a LayoutTextFragment.

Specifically, LayoutTextFragment::OriginalText() can return a truncated
string, for example, when handling '::first-letter' pseudo-elements.
However, the unit.DOMStart() and unit.DOMEnd() values typically refer to
the full original text of the fragment. Attempting to call substr() on a
potentially truncated OriginalText() using these full-range DOM offsets
could lead to an out-of-bounds access and a crash.

To fix this, when EmitsOriginalText() is true and layout_text is
identified as a LayoutTextFragment, we now retrieve its complete text
using LayoutTextFragment::CompleteText(). This ensures that substr()
operates on the full string matching the DOM offsets, thereby preventing
the crash.

Bug: 500174824, 473854537

Change-Id: Iaf9279d60dcf2af69bcb96dac7c1333f27a214f4

Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7760194

Commit-Queue: Fredrik Söderquist <f...@opera.com>

Auto-Submit: Kent Tamura <tk...@chromium.org>

Reviewed-by: Fredrik Söderquist <f...@opera.com>

Cr-Commit-Position: refs/heads/main@{#1614313}

Files:

M third_party/blink/renderer/core/editing/iterators/text_iterator_test.cc
M third_party/blink/renderer/core/editing/iterators/text_iterator_text_node_handler.cc

Change size: S

Delta: 2 files changed, 20 insertions(+), 2 deletions(-)

Branch: refs/heads/main

Submit Requirements:

Code-Review: +1 by Fredrik Söderquist

Open in Gerrit

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

open

diffy

satisfied_requirement

Reply all

Reply to author

Forward

TextIterator: Fix a crash in substr() [chromium/src : main]

Kent Tamura (Gerrit)

Kent Tamura voted and added 1 comment

Votes added by Kent Tamura

1 comment

Related details

Fredrik Söderquist (Gerrit)

Fredrik Söderquist voted

Related details

chromium-scoped@luci-project-accounts.iam.gserviceaccount.com (Gerrit)

chromiu...@luci-project-accounts.iam.gserviceaccount.com submitted the change

Change information