RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 08:17:35 +00:00
Code Issues Activity Actions

LibGUI: Prevent crashes/hangs when deleting words backwards

Browse source 
When the user hits <Ctrl-Backspace> where the previous content has the
format [Punctuation|Seperator]+ before the cursor, there will be a
size_t index underflow in TextDocument::first_word_break_before,
which returns an invalid word break position with a huge column index
(18446744073709551615, -1 in size_t). The invalid text position later
used for executing RemoveTextCommand will cause a crash.

The while loop condition in TextDocument::first_word_break_before is
not right, the loop will never stop when the target.column() becomes
0 inside.
This commit is contained in:
Xuekun Li 2023-05-06 18:24:14 +08:00 committed by Sam Atkins
parent 6f39882f11
commit a33af174b2
1 changed files with 2 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

7
Userland/Libraries/LibGUI/TextDocument.cpp
View file

@ -754,15 +754,12 @@ TextPosition TextDocument::first_word_break_before(TextPosition const& position,
target.set_column(target.column() - modifier);
if (target.column() == 0)
return target;
while (target.column() < line.length()) {
while (target.column() > 0) {
if (auto index = Unicode::previous_word_segmentation_boundary(line.view(), target.column()); index.has_value()) {
auto view_between_target_and_index = line.view().substring_view(*index, target.column() - *index);
if (should_continue_beyond_word(view_between_target_and_index)) {
target.set_column(*index - 1);
target.set_column(*index == 0 ? 0 : *index - 1);
continue;
}