author | Rakina Zata Amni <rakina@chromium.org> | 2019-11-20 06:32:38 +0000 |
committer | Michael Brüning <michael.bruning@qt.io> | 2020-03-06 12:04:13 +0000 |
commit | 31bf030226a0f1317605b1afa966e0fd1413af41 (patch) | |
tree | 554eb72bdd31e1cbaa69039f44654943ada27e85 | |
parent | 25b6ec913a1eca2608e9a056c62ddb15d0e15640 (diff) |
[Backport] CVE-2020-6404 - Inappropriate implementation in Blink
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/1924031:
Use unicode max codepoint for delimiter instead of ORC, and skip buffers with null NGOffsetMapping
It's possible to try to find the Object Replacement Character (ORC), so
we should not use that as a delimiter of invalid elements as we might
wrongfully think that the delimiters are an actual match, causing
crashes.
Additionally, in some cases layout might fail, leaving the FindBuffer with a
null NGOffsetMapping and causing crashes. In this case we should skip
the entire block, as we can't get the ranges correctly.
Bug: 1020105, 1002753, 1024256
Change-Id: I3beb2231aa06c98906291760e0a60f89b50288e2
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/core/editing/finder/find_buffer.cc | 8 | ||||
-rw-r--r-- | chromium/third_party/blink/renderer/core/editing/finder/find_buffer_test.cc | 8 |
2 files changed, 14 insertions, 2 deletions
diff --git a/chromium/third_party/blink/renderer/core/editing/finder/find_buffer.cc b/chromium/third_party/blink/renderer/core/editing/finder/find_buffer.cc
index afdb08647d2..f43b55ab078 100644
--- a/chromium/third_party/blink/renderer/core/editing/finder/find_buffer.cc
+++ b/chromium/third_party/blink/renderer/core/editing/finder/find_buffer.cc
@@ -224,7 +224,11 @@ EphemeralRangeInFlatTree FindBuffer::FindMatchInRange(
 std::unique_ptr<FindBuffer::Results> FindBuffer::FindMatches(
 const WebString& search_text,
 const blink::FindOptions options) const {
- if (buffer_.IsEmpty() || search_text.length() > buffer_.size())
+ // We should return empty result if it's impossible to get a match (buffer is
+ // empty or too short), or when something went wrong in layout, in which case
+ // |offset_mapping_| is null.
+ if (buffer_.IsEmpty() || search_text.length() > buffer_.size() ||
+ !offset_mapping_)
 return std::make_unique<Results>();
 String search_text_16_bit = search_text;
 search_text_16_bit.Ensure16Bit();
@@ -320,7 +324,7 @@ void FindBuffer::CollectTextUntilBlockBoundary(
 // Move the node so we wouldn't encounter this node or its descendants
 // later.
 if (!IsHTMLWBRElement(To<HTMLElement>(*node)))
- buffer_.push_back(kObjectReplacementCharacter);
+ buffer_.push_back(kMaxCodepoint);
 node = FlatTreeTraversal::NextSkippingChildren(*node);
 continue;
 }
diff --git a/chromium/third_party/blink/renderer/core/editing/finder/find_buffer_test.cc b/chromium/third_party/blink/renderer/core/editing/finder/find_buffer_test.cc
index 0eb99506c26..93661531cfb 100644
--- a/chromium/third_party/blink/renderer/core/editing/finder/find_buffer_test.cc
+++ b/chromium/third_party/blink/renderer/core/editing/finder/find_buffer_test.cc
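Review bot: The new `!offset_mapping_` guard protects only FindMatches; if the layout failure described in the commit message can leave `offset_mapping_` null, any other public path that reads it (FindMatchInRange, named in the hunk header, or whatever converts a buffer index back to a DOM position for the returned Results) would still dereference a null mapping unless it is reached only through this check. That cannot be confirmed from the hunk, so it is worth verifying each entry point that touches `offset_mapping_` and recording the invariant next to the member rather than only at this call site, e.g. `// |offset_mapping_| is null when layout failed; every public entry point must tolerate that.` The body of FindMatches continues outside the hunk.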
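Review bot: `kMaxCodepoint` is presumably the maximum Unicode scalar value (U+10FFFF), which does not fit in a 16-bit code unit; the `Ensure16Bit()` call in the first hunk suggests the search runs over UTF-16 units, and if `buffer_` holds that element type then `buffer_.push_back(kMaxCodepoint)` narrows silently and the delimiter actually stored is U+FFFF. The element type of `buffer_` is not visible here, so this needs confirming, but if the narrowing happens the intent is invisible at the call site and the delimiter that matters for the "delimiter treated as a match" problem this commit fixes is U+FFFF, not U+10FFFF. Make the stored value explicit, e.g. `buffer_.push_back(static_cast<UChar>(kMaxCodepoint));  // Stored as U+FFFF (a noncharacter); must never equal a code unit of search text.`, or introduce a named delimiter constant of the buffer's element type and document why search text cannot contain it. CollectTextUntilBlockBoundary starts and ends outside the hunk.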
@@ -650,4 +650,12 @@ TEST_F(FindBufferTest, NullRange) {
 EXPECT_EQ(0u, buffer.FindMatches("find", 0)->CountForTesting());
 }
 
+TEST_F(FindBufferTest, FindObjectReplacementCharacter) {
+ SetBodyContent(
+ "some text with <br> and \uFFFC (object replacement character)");
+ FindBuffer buffer(WholeDocumentRange());
+ const auto results = buffer.FindMatches("\uFFFC", 0);
+ ASSERT_EQ(1u, results->CountForTesting());
+}
+
 } // namespace blink
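Review bot: The new test covers the delimiter change but nothing in this commit exercises the `!offset_mapping_` early return added to FindMatches; if the layout failure from the commit message can be reproduced in this fixture, a test asserting that `FindMatches` returns zero results (rather than crashing) on such a document would pin the second half of the fix. The added test also checks only the count; asserting that the single result's range covers the literal U+FFFC in the body text and not the `<br>` would catch a regression where the boundary placeholder is matched by position rather than relying on the count alone.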