Crash under WebCore::DataDetection::detectContentInRange()

https://bugs.webkit.org/show_bug.cgi?id=241823 <rdar://95110928> Reviewed by Wenson Hsieh. The crash occurs in the wild when calling TextIterator::range() and TextIterator::m_positionNode is null. Do some hardening and early return before calling TextIterator::range() and TextIterator::atEnd() returns true to avoid the issue. * Source/WebCore/editing/cocoa/DataDetection.mm: (WebCore::DataDetection::detectContentInRange): Canonical link: https://commits.webkit.org/251735@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@295730 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Jun 22, 2022 · 43e883c · 43e883c
1 parent 035e7bf
commit 43e883c
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/Source/WebCore/editing/cocoa/DataDetection.mm b/Source/WebCore/editing/cocoa/DataDetection.mm
@@ -498,8 +498,12 @@ static inline CFComparisonResult queryOffsetCompare(DDQueryOffset o1, DDQueryOff
         for (auto& result : allResults) {
             DDQueryRange queryRange = PAL::softLink_DataDetectorsCore_DDResultGetQueryRangeForURLification(result.get());
             CFIndex iteratorTargetAdvanceCount = (CFIndex)PAL::softLink_DataDetectorsCore_DDScanQueryGetFragmentMetaData(scanQuery.get(), queryRange.start.queryIndex);
-            for (; iteratorCount < iteratorTargetAdvanceCount; ++iteratorCount)
+            for (; iteratorCount < iteratorTargetAdvanceCount && !iterator.atEnd(); ++iteratorCount)
                 iterator.advance();
+            if (iterator.atEnd()) {
+                ASSERT_NOT_REACHED();
+                return nil;
+            }
 
             Vector<SimpleRange> fragmentRanges;
             CFIndex fragmentIndex = queryRange.start.queryIndex;
@@ -517,8 +521,12 @@ static inline CFComparisonResult queryOffsetCompare(DDQueryOffset o1, DDQueryOff
             while (fragmentIndex < queryRange.end.queryIndex) {
                 ++fragmentIndex;
                 iteratorTargetAdvanceCount = (CFIndex)PAL::softLink_DataDetectorsCore_DDScanQueryGetFragmentMetaData(scanQuery.get(), fragmentIndex);
-                for (; iteratorCount < iteratorTargetAdvanceCount; ++iteratorCount)
+                for (; iteratorCount < iteratorTargetAdvanceCount && !iterator.atEnd(); ++iteratorCount)
                     iterator.advance();
+                if (iterator.atEnd()) {
+                    ASSERT_NOT_REACHED();
+                    return nil;
+                }
 
                 auto fragmentRange = iterator.range();
                 if (fragmentIndex == queryRange.end.queryIndex)