From a33af174b295bde35ad9dc1f2f6b7698b7df0454 Mon Sep 17 00:00:00 2001
From: Xuekun Li
Date: Sat, 6 May 2023 18:24:14 +0800
Subject: [PATCH] LibGUI: Prevent crashes/hangs when deleting words backwards

When the user hits where the previous content has the format [Punctuation|Seperator]+ before the cursor, there will be a size_t index underflow in TextDocument::first_word_break_before, which returns an invalid word break position with a huge column index (18446744073709551615, -1 in size_t). The invalid text position later used for executing RemoveTextCommand will cause a crash. The while loop condition in TextDocument::first_word_break_before is not right, the loop will never stop when the target.column() becomes 0 inside.
---
 Userland/Libraries/LibGUI/TextDocument.cpp | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/Userland/Libraries/LibGUI/TextDocument.cpp b/Userland/Libraries/LibGUI/TextDocument.cpp
index 182004504d..0b6e166058 100644
--- a/Userland/Libraries/LibGUI/TextDocument.cpp
+++ b/Userland/Libraries/LibGUI/TextDocument.cpp
@@ -754,15 +754,12 @@ TextPosition TextDocument::first_word_break_before(TextPosition const& position,
     target.set_column(target.column() - modifier);
-    if (target.column() == 0)
-        return target;
-
-    while (target.column() < line.length()) {
+    while (target.column() > 0) {
         if (auto index = Unicode::previous_word_segmentation_boundary(line.view(), target.column()); index.has_value()) {
             auto view_between_target_and_index = line.view().substring_view(*index, target.column() - *index);
             if (should_continue_beyond_word(view_between_target_and_index)) {
-                target.set_column(*index - 1);
+                target.set_column(*index == 0 ? 0 : *index - 1);
                 continue;
             }