[Webkit-unassigned] [Bug 226398] Crash in HTMLConverter::_addLinkForElement()
bugzilla-daemon at webkit.org
Tue Jun 1 11:16:42 PDT 2021
https://bugs.webkit.org/show_bug.cgi?id=226398
--- Comment #3 from Julian Gonzalez <julian_a_gonzalez at apple.com> ---
(In reply to Ryosuke Niwa from comment #2)
> Comment on attachment 430058 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=430058&action=review
>
> > Source/WebCore/editing/cocoa/HTMLConverter.mm:2219
> > - _exitElement(element, depth, startIndex);
> > + if (startIndex <= [_attrStr length])
>
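Review bot: The added guard `if (startIndex <= [_attrStr length])` at HTMLConverter.mm:2219 has no comment saying why the length can fall below startIndex by the time the element is exited, so a later cleanup could remove it as dead code. A one-line comment noting that the attributed string can change between entering and exiting the element would help. Also confirm that the equality case admitted by `<=` (startIndex equal to the length) is one _exitElement handles as an empty range.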
> It seems that we don't even want to call _processElement when this condition
> isn't met?
When the call to _processElement happens, startIndex is within the bounds of [_attrStr length]. The operations inside the else block right above here cause this condition to be violated (this code assuming that [_attrStr length] does not change is the bug).