author | Etienne Bergeron <etienneb@chromium.org> | 2022-07-19 16:46:43 +0000 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2022-08-03 10:08:01 +0000 |
commit | dfede62a6e14e64c839acaee5f6790fd311e052f (patch) | |
tree | 18d27125a35fe82be17038ae34a816ea5aab6482 | |
parent | 23b231e6ced518daf63ac549f1618bf3d2397ce5 (diff) | |
download | qtwebengine-chromium-dfede62a6e14e64c839acaee5f6790fd311e052f.tar.gz |
[Backport] Security bug 1287804
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3726349:
Fix incorrect text itemization for \r codepoint
M96 merge issues:
render_text_unittest.cc
Tests Clusterfuzz_Issue_1298286/1299054 aren't present
in M96 and caused a merge conflict.
The "\r" codepoint should be split to be rendered in a single
harfbuzz run (same as "\n").
We do recognize these sequences as newline:
\r
\n
\r\n
Previously, the itemization left the "\r" with the previous
run. This led to incorrect line splitting in multiline text.
(cherry picked from commit eee0c5ca752ad50df9986c551cb98226ce078893)
Bug: 1287804
Change-Id: Idfc00a3cf147eb53258d5da9ea105e2d6dc25f05
Commit-Queue: Etienne Bergeron <etienneb@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1014955}
Reviewed-by: Etienne Bergeron <etienneb@chromium.org>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/4664@{#1662}
Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/ui/gfx/render_text_harfbuzz.cc | 2 | ||||
-rw-r--r-- | chromium/ui/gfx/render_text_unittest.cc | 13 |
2 files changed, 14 insertions, 1 deletions
diff --git a/chromium/ui/gfx/render_text_harfbuzz.cc b/chromium/ui/gfx/render_text_harfbuzz.cc
index c731b008771..b5ea06da8cb 100644
--- a/chromium/ui/gfx/render_text_harfbuzz.cc
+++ b/chromium/ui/gfx/render_text_harfbuzz.cc
@@ -200,7 +200,7 @@ GraphemeProperties RetrieveGraphemeProperties(const base::StringPiece16& text,
 properties.block = ublock_getCode(codepoint);
 }
- if (codepoint == '\n' || codepoint == ' ')
+ if (codepoint == '\n' || codepoint == '\r' || codepoint == ' ')
 properties.has_control = true;
 if (IsBracket(codepoint))
 properties.has_bracket = true;
diff --git a/chromium/ui/gfx/render_text_unittest.cc b/chromium/ui/gfx/render_text_unittest.cc
index 80c27f9b828..2c39e45fce2 100644
--- a/chromium/ui/gfx/render_text_unittest.cc
+++ b/chromium/ui/gfx/render_text_unittest.cc
@@ -1569,6 +1569,9 @@ const RunListCase kBasicsRunListCases[] = {
 {"multiline_newline1", u"\n\n", "[0][1]", true},
 {"multiline_newline2", u"\r\n\r\n", "[0->1][2->3]", true},
 {"multiline_newline3", u"\r\r\n", "[0][1->2]", true},
+ {"multiline_newline4", u"x\r\r", "[0][1][2]", true},
+ {"multiline_newline5", u"x\n\r\r", "[0][1][2][3]", true},
+ {"multiline_newline6", u"x\ny\rz\r\n", "[0][1][2][3][4][5->6]", true},
 };
 INSTANTIATE_TEST_SUITE_P(ItemizeTextToRunsBasics,
@@ -8416,4 +8419,14 @@ TEST_F(RenderTextTest, StringSizeUpdatedWhenDeviceScaleFactorChanges) {
 }
 #endif
+TEST_F(RenderTextTest, Clusterfuzz_Issue_1287804) {
+ RenderText* render_text = GetRenderText();
+ render_text->SetMaxLines(1);
+ render_text->SetText(u">\r\r");
+ render_text->SetMultiline(true);
+ render_text->SetDisplayRect(Rect(0, 0, 100, 24));
+ render_text->SetElideBehavior(ELIDE_TAIL);
+ EXPECT_EQ(RangeF(0, 0), render_text->GetCursorSpan(Range(0, 0)));
+}
+
 } // namespace gfx |
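Review bot: The widened condition `codepoint == '\n' || codepoint == '\r' || codepoint == ' '` in RetrieveGraphemeProperties has no comment saying why these code points set `has_control`, although the commit message ties the '\r' case to a security bug. I would add above it: `// Newline code points are split from the preceding text run; multiline line splitting relies on this (bug 1287804).` The set of code points treated as a newline is presumably also encoded in the line-splitting code, which this hunk does not show. A shared predicate for both places would keep itemization and line splitting from drifting apart again. The function body starts and ends outside the hunk.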
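Review bot: The new test Clusterfuzz_Issue_1287804 in render_text_unittest.cc asserts only `GetCursorSpan(Range(0, 0))`, which does not show what went wrong before the fix. If the original failure was a crash or a failed check while laying out `u">\r\r"` under `SetMaxLines(1)` with `ELIDE_TAIL`, which the fuzzer-derived name suggests but the page does not state, a comment should say so. For example: `// Regression test for bug 1287804: "\r" after text must not break multiline line splitting when eliding.` The run-level behaviour is already pinned by the added `multiline_newline4` to `multiline_newline6` cases in kBasicsRunListCases, so this is a documentation point only.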