LibGUI: Prevent crashes/hangs when deleting words backwards

When the user hits <Ctrl-Backspace> where the previous content has the format [Punctuation|Seperator]+ before the cursor, there will be a size_t index underflow in TextDocument::first_word_break_before, which returns an invalid word break position with a huge column index (18446744073709551615, -1 in size_t). The invalid text position later used for executing RemoveTextCommand will cause a crash. The while loop condition in TextDocument::first_word_break_before is not right, the loop will never stop when the target.column() becomes 0 inside.
lixk28 · Jun 7, 2023 · 3e9f9c4 · 3e9f9c4
1 parent 0eb7c24
commit 3e9f9c4
Showing 1 changed file with 2 additions and 5 deletions.
diff --git a/Userland/Libraries/LibGUI/TextDocument.cpp b/Userland/Libraries/LibGUI/TextDocument.cpp
@@ -754,15 +754,12 @@ TextPosition TextDocument::first_word_break_before(TextPosition const& position,
 
     target.set_column(target.column() - modifier);
 
-    if (target.column() == 0)
-        return target;
-
-    while (target.column() < line.length()) {
+    while (target.column() > 0) {
         if (auto index = Unicode::previous_word_segmentation_boundary(line.view(), target.column()); index.has_value()) {
             auto view_between_target_and_index = line.view().substring_view(*index, target.column() - *index);
 
             if (should_continue_beyond_word(view_between_target_and_index)) {
-                target.set_column(*index - 1);
+                target.set_column(*index == 0 ? 0 : *index - 1);
                 continue;
             }