Google Git
Sign in
chromium/chromium/src.git/bcc01c0c6c4a16226262444d78461144fe54a42a^!/.
commit
bcc01c0c6c4a16226262444d78461144fe54a42a
[log] [tgz]
author
Rakina Zata Amni <rakina@chromium.org>
Wed Nov 20 06:32:38 2019
committer
Commit Bot <commit-bot@chromium.org>
Wed Nov 20 06:32:38 2019
tree
a499262688402a3e0b21622379e02f3637b3f444
parent
8067ccd6ca20a74011bb06c60b08c40343fc0f19 [diff]
Use unicode max codepoint for delimiter instead of ORC, and skip buffers with null NGOffsetMapping

It's possible to try to find the Object Replacement Character (ORC), so
we should not use that as a delimiter of invalid elements as we might
wrongfully think that the delimiters are an actual match, causing
crashes.

Additionally in some cases layout might fail causing the FindBuffer to
have null NGOffsetMapping, causing crashes. In this case we should skip
the entire block as we can't get the ranges correctly.

Bug: 1020105, 1002753, 1024256
Change-Id: I4c4cc886a84a919a617789db6d3bb0351a5d7477
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1924031
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Commit-Queue: Rakina Zata Amni <rakina@chromium.org>
Cr-Commit-Position: refs/heads/master@{#716882}

diff --git a/third_party/blink/renderer/core/editing/finder/find_buffer.cc b/third_party/blink/renderer/core/editing/finder/find_buffer.cc
index 6354101..1937644 100644
--- a/third_party/blink/renderer/core/editing/finder/find_buffer.cc
+++ b/third_party/blink/renderer/core/editing/finder/find_buffer.cc

@@ -225,7 +225,11 @@
 std::unique_ptr<FindBuffer::Results> FindBuffer::FindMatches(
     const WebString& search_text,
     const blink::FindOptions options) const {
-  if (buffer_.IsEmpty() || search_text.length() > buffer_.size())
+  // We should return empty result if it's impossible to get a match (buffer is
+  // empty or too short), or when something went wrong in layout, in which case
+  // |offset_mapping_| is null.
+  if (buffer_.IsEmpty() || search_text.length() > buffer_.size() ||
+      !offset_mapping_)
     return std::make_unique<Results>();
   String search_text_16_bit = search_text;
   search_text_16_bit.Ensure16Bit();
@@ -322,7 +326,7 @@
       // Move the node so we wouldn't encounter this node or its descendants
       // later.
       if (!IsHTMLWBRElement(To<HTMLElement>(*node)))
-        buffer_.push_back(kObjectReplacementCharacter);
+        buffer_.push_back(kMaxCodepoint);
       node = FlatTreeTraversal::NextSkippingChildren(*node);
       continue;
     }

diff --git a/third_party/blink/renderer/core/editing/finder/find_buffer_test.cc b/third_party/blink/renderer/core/editing/finder/find_buffer_test.cc
index 44dd1ee..cb73b860 100644
--- a/third_party/blink/renderer/core/editing/finder/find_buffer_test.cc
+++ b/third_party/blink/renderer/core/editing/finder/find_buffer_test.cc

@@ -650,4 +650,12 @@
   EXPECT_EQ(0u, buffer.FindMatches("find", 0)->CountForTesting());
 }
 
+TEST_F(FindBufferTest, FindObjectReplacementCharacter) {
+  SetBodyContent(
+      "some text with <br> and \uFFFC (object replacement character)");
+  FindBuffer buffer(WholeDocumentRange());
+  const auto results = buffer.FindMatches("\uFFFC", 0);
+  ASSERT_EQ(1u, results->CountForTesting());
+}
+
 }  // namespace blink