commit 588966727fcd10136cc3131acb4e65b922866094
author cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Wed Jun 22 15:16:08 2022 +0000
committer cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Wed Jun 22 15:16:08 2022 +0000
tree d00845d6b8574cbfd9ccc0ae84cda48149344709
parent ed630b29b813d21f8c4da5c865326dddf8e25d5d

Crash under WebCore::DataDetection::detectContentInRange()
https://bugs.webkit.org/show_bug.cgi?id=241823
<rdar://95110928>

Reviewed by Wenson Hsieh.

The crash occurs in the wild when calling TextIterator::range() and
TextIterator::m_positionNode is null. Do some hardening and early return before
calling TextIterator::range() and TextIterator::atEnd() returns true to avoid
the issue.

* Source/WebCore/editing/cocoa/DataDetection.mm:
(WebCore::DataDetection::detectContentInRange):

Canonical link: https://commits.webkit.org/251735@main


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@295730 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/editing/cocoa/DataDetection.mm

diff --git a/Source/WebCore/editing/cocoa/DataDetection.mm b/Source/WebCore/editing/cocoa/DataDetection.mm
index 601f470..7671285 100644
--- a/Source/WebCore/editing/cocoa/DataDetection.mm
+++ b/Source/WebCore/editing/cocoa/DataDetection.mm
@@ -498,8 +498,12 @@
         for (auto& result : allResults) {
             DDQueryRange queryRange = PAL::softLink_DataDetectorsCore_DDResultGetQueryRangeForURLification(result.get());
             CFIndex iteratorTargetAdvanceCount = (CFIndex)PAL::softLink_DataDetectorsCore_DDScanQueryGetFragmentMetaData(scanQuery.get(), queryRange.start.queryIndex);
-            for (; iteratorCount < iteratorTargetAdvanceCount; ++iteratorCount)
+            for (; iteratorCount < iteratorTargetAdvanceCount && !iterator.atEnd(); ++iteratorCount)
                 iterator.advance();
+            if (iterator.atEnd()) {
+                ASSERT_NOT_REACHED();
+                return nil;
+            }
 
             Vector<SimpleRange> fragmentRanges;
             CFIndex fragmentIndex = queryRange.start.queryIndex;
@@ -517,8 +521,12 @@
             while (fragmentIndex < queryRange.end.queryIndex) {
                 ++fragmentIndex;
                 iteratorTargetAdvanceCount = (CFIndex)PAL::softLink_DataDetectorsCore_DDScanQueryGetFragmentMetaData(scanQuery.get(), fragmentIndex);
-                for (; iteratorCount < iteratorTargetAdvanceCount; ++iteratorCount)
+                for (; iteratorCount < iteratorTargetAdvanceCount && !iterator.atEnd(); ++iteratorCount)
                     iterator.advance();
+                if (iterator.atEnd()) {
+                    ASSERT_NOT_REACHED();
+                    return nil;
+                }
 
                 auto fragmentRange = iterator.range();
                 if (fragmentIndex == queryRange.end.queryIndex)