Treat out of gfx::Range limit NSRange as NSNotFound

[NSRange location] might be larger than 2^32-1. When this happens, the range check in gfx::Range ctor will fail. Thus, speculatively fix it by treating out of limit NSRange as NSNotFound range. Bug: 1345195 Change-Id: Ia7cb5744cbef631b74131191807fa24766bf8e02 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3775034 Reviewed-by: Leonard Grey <lgrey@chromium.org> Commit-Queue: Keren Zhu <kerenzhu@chromium.org> Cr-Commit-Position: refs/heads/main@{#1026307}
marcosholgado · Jul 20, 2022 · e814777 · e814777
1 parent eb69bde
commit e814777
Showing 1 changed file with 11 additions and 6 deletions.
diff --git a/components/remote_cocoa/app_shim/bridged_content_view.mm b/components/remote_cocoa/app_shim/bridged_content_view.mm
@@ -1375,15 +1375,20 @@ - (BOOL)readSelectionFromPasteboard:(NSPasteboard*)pboard {
 - (NSAttributedString*)attributedSubstringForProposedRange:(NSRange)range
                                                actualRange:
                                                    (NSRangePointer)actualRange {
-  // On TouchBar Macs, the IME subsystem sometimes sends an invalid range with a
-  // non-zero length. This will cause a DCHECK in gfx::Range, so repair it here.
-  // See https://crbug.com/888782.
-  if (range.location == NSNotFound) {
+  // NSRange uses uint64 but gfx::Range uses uint32 limits. This mismatch might
+  // cause DCHECK in gfx::Range ctor during type conversion.
+  // Speculatively treat out of uint32 limit NSRange as NSNotFound.
+  // See https://crbug.com/1345195.
+  constexpr size_t gfx_range_max = std::numeric_limits<uint32_t>::max();
+  if (range.location > gfx_range_max) {
+    range.location = NSNotFound;
+    // On TouchBar Macs, the IME subsystem sometimes sends an invalid range with
+    // a non-zero length. This will cause a DCHECK in gfx::Range, so repair it
+    // here. See https://crbug.com/888782.
     range.length = 0;
   } else {
     // Clamp lengths to avoid overflow, which will cause a checkfailure.
-    range.length = std::min(
-        range.length, std::numeric_limits<uint32_t>::max() - range.location);
+    range.length = std::min(range.length, gfx_range_max - range.location);
   }
 
   std::u16string substring;