[Webkit-unassigned] [Bug 210086] New: Use-after-move of Vector<ManipulationToken> in TextManipulationController::observeParagraphs()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Apr 6 17:52:06 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=210086

            Bug ID: 210086
           Summary: Use-after-move of Vector<ManipulationToken> in
                    TextManipulationController::observeParagraphs()
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: HTML Editing
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ddkilzer at webkit.org
                CC: rniwa at webkit.org, wenson_hsieh at apple.com

Use-after-move of Vector<ManipulationToken> in TextManipulationController::observeParagraphs().

This is not a security issue since the move constructor and the move assignment operator for WTF::Vector both do a swap().

This is to fix a clang static analyzer warning.

void TextManipulationController::observeParagraphs(const Position& start, const Position& end)
{
    [...]
    Vector<ManipulationToken> tokensInCurrentParagraph;
    [...]
    for (; !iterator.atEnd(); iterator.advance()) {
        [...]
        if (content.isReplacedContent) {
            [...]
            tokensInCurrentParagraph.append(ManipulationToken { m_tokenIdentifier.generate(), "[]", true /* isExcluded */});
            continue;
        }
        [...]
        while ((offsetOfNextNewLine = currentText.find('\n', startOfCurrentLine)) != notFound) {
            if (startOfCurrentLine < offsetOfNextNewLine) {
                [...]
                tokensInCurrentParagraph.append(ManipulationToken { m_tokenIdentifier.generate(), stringUntilEndOfLine, exclusionRuleMatcher.isExcluded(content.node.get()) });
            }

            if (!tokensInCurrentParagraph.isEmpty()) {
                [...]
                // WTFMove() leaves tokensInCurrentParagraph empty (WTF::Vector's move is a swap()), and the loop keeps appending to it afterwards.
                addItem(ManipulationItemData { startOfCurrentParagraph, endOfCurrentParagraph, nullptr, nullQName(), WTFMove(tokensInCurrentParagraph) });
                [...]
            }
            [...]
        }
        [...]
        // Appending to the moved-from vector here is the use-after-move the clang static analyzer reports.
        if (remainingText.length())
            tokensInCurrentParagraph.append(ManipulationToken { m_tokenIdentifier.generate(), remainingText.toString(), exclusionRuleMatcher.isExcluded(content.node.get()) });
    }

    if (!tokensInCurrentParagraph.isEmpty())
        addItem(ManipulationItemData { startOfCurrentParagraph, visibleEnd.deepEquivalent(), nullptr, nullQName(), WTFMove(tokensInCurrentParagraph) });
}
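The following is an added example, not part of the bug report or of WebKit's own code, showing why the reported use-after-move is benign for a container whose move operations are a swap(). `SwapVector` is a simplified stand-in for WTF::Vector written for this example (it models only the swap-based move semantics the report describes), and `Token`, `Item` and `splitIntoItems()` are hypothetical stand-ins for ManipulationToken, ManipulationItemData and the control flow of observeParagraphs(): tokens accumulate in one vector, each newline flushes it into an item by moving, and the loop then keeps appending to the same vector.

```cpp
#include <cassert>
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// Simplified model of WTF::Vector for this example: move construction and
// move assignment are implemented as swap(), so a moved-from object is
// always left as an empty vector rather than in the "valid but unspecified"
// state the C++ standard permits for std::vector.
template <typename T>
class SwapVector {
public:
    SwapVector() = default;
    SwapVector(const SwapVector&) = delete;
    SwapVector& operator=(const SwapVector&) = delete;

    // Move constructor: start empty, then swap contents with the source.
    SwapVector(SwapVector&& other) noexcept { swap(other); }

    // Move assignment: swap; whatever this held before now lives in `other`.
    SwapVector& operator=(SwapVector&& other) noexcept
    {
        if (this != &other)
            swap(other);
        return *this;
    }

    void swap(SwapVector& other) noexcept { m_storage.swap(other.m_storage); }
    void append(T value) { m_storage.push_back(std::move(value)); }
    bool isEmpty() const { return m_storage.empty(); }
    size_t size() const { return m_storage.size(); }
    const T& operator[](size_t i) const { return m_storage[i]; }

private:
    std::vector<T> m_storage;
};

// Hypothetical stand-ins for ManipulationToken / ManipulationItemData.
struct Token { std::string text; };
struct Item { SwapVector<Token> tokens; };

// Mirrors the loop structure of observeParagraphs(): one token vector is
// reused across paragraphs, being moved out at every '\n' and appended to
// again afterwards. The assert documents the property the code relies on.
std::vector<Item> splitIntoItems(const std::string& text)
{
    std::vector<Item> items;
    SwapVector<Token> tokensInCurrentParagraph;

    size_t startOfCurrentLine = 0;
    size_t offsetOfNextNewLine;
    while ((offsetOfNextNewLine = text.find('\n', startOfCurrentLine)) != std::string::npos) {
        if (startOfCurrentLine < offsetOfNextNewLine)
            tokensInCurrentParagraph.append(Token { text.substr(startOfCurrentLine, offsetOfNextNewLine - startOfCurrentLine) });

        if (!tokensInCurrentParagraph.isEmpty()) {
            items.push_back(Item { std::move(tokensInCurrentParagraph) });
            // Use-after-move from here on: only safe because the swap-based
            // move guarantees the vector is now empty.
            assert(tokensInCurrentParagraph.isEmpty());
        }
        startOfCurrentLine = offsetOfNextNewLine + 1;
    }

    // Remaining text after the last newline, appended to the moved-from vector.
    if (startOfCurrentLine < text.size())
        tokensInCurrentParagraph.append(Token { text.substr(startOfCurrentLine) });

    if (!tokensInCurrentParagraph.isEmpty())
        items.push_back(Item { std::move(tokensInCurrentParagraph) });

    return items;
}

int main()
{
    // Constructed sample input: two lines, an empty line, and a trailing fragment.
    std::vector<Item> items = splitIntoItems("ab\ncd\n\nef");
    assert(items.size() == 3);
    assert(items[2].tokens[0].text == "ef");
    return 0;
}
```

The practical takeaway is that the analyzer warning is about the general C++ contract, not this container: with std::vector the same loop would compile and usually behave the same, but the standard only promises a valid, unspecified state after a move, so the fix the report asks for (not reusing a moved-from object) is the right one even where the current container happens to make it safe.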
