
Issue 601138

Starred by 4 users

Issue metadata

Status: Archived
Owner: ----
Closed: Apr 2017
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 3
Type: ----




IndexOutOfBoundsException when pasting

Reported by lquinn@blackberry.com, Apr 6 2016

Issue description

Device name: Nexus 5

From "Settings > About Chrome"
Application version: 49.0.2623.105
OS: Android 6.0.1; Nexus 5 Build/MMB29V

Steps to reproduce:
(1) Go to a large Web page. I used http://www.twowheelingtots.com/woom2-and-3/ for testing.
(2) Long-press on the Web page and choose Select All followed by Copy.
(3) Go to a simple content-editable page. I used a local test page that just has <body contenteditable="true"></body>.
(4) In the content-editable field, long-press and Paste.
(5) Repeat step 4 until a crash happens (should take less than 10 paste operations).

Expected result:
No crash.

Actual result:

04-06 14:11:21.048  9209  9209 W System.err: java.lang.IndexOutOfBoundsException: setSpan (-37304 ... -37304) starts before 0
04-06 14:11:21.071  9209  9209 W System.err: 	at android.text.SpannableStringBuilder.checkRange(SpannableStringBuilder.java:1095)
04-06 14:11:21.072  9209  9209 W System.err: 	at android.text.SpannableStringBuilder.setSpan(SpannableStringBuilder.java:665)
04-06 14:11:21.072  9209  9209 W System.err: 	at android.text.SpannableStringBuilder.replace(SpannableStringBuilder.java:543)
04-06 14:11:21.072  9209  9209 W System.err: 	at android.text.SpannableStringBuilder.replace(SpannableStringBuilder.java:492)
04-06 14:11:21.072  9209  9209 W System.err: 	at android.text.SpannableStringBuilder.replace(SpannableStringBuilder.java:34)
04-06 14:11:21.072  9209  9209 W System.err: 	at org.chromium.content.browser.input.ReplicaInputConnection.updateStateOnUiThread(ReplicaInputConnection.java:127)
04-06 14:11:21.072  9209  9209 W System.err: 	at org.chromium.content.browser.input.ImeAdapter.updateState(ImeAdapter.java:262)
04-06 14:11:21.072  9209  9209 W System.err: 	at org.chromium.content.browser.ContentViewCore.updateImeAdapter(ContentViewCore.java:2412)
04-06 14:11:21.072  9209  9209 W System.err: 	at org.chromium.base.SystemMessageHandler.nativeDoRunLoopOnce(Native Method)
04-06 14:11:21.072  9209  9209 W System.err: 	at org.chromium.base.SystemMessageHandler.handleMessage(SystemMessageHandler.java:39)
04-06 14:11:21.072  9209  9209 W System.err: 	at android.os.Handler.dispatchMessage(Handler.java:102)
04-06 14:11:21.072  9209  9209 W System.err: 	at android.os.Looper.loop(Looper.java:148)
04-06 14:11:21.072  9209  9209 W System.err: 	at android.app.ActivityThread.main(ActivityThread.java:5417)
04-06 14:11:21.072  9209  9209 W System.err: 	at java.lang.reflect.Method.invoke(Native Method)
04-06 14:11:21.072  9209  9209 W System.err: 	at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:764)
04-06 14:11:21.072  9209  9209 W System.err: 	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:626)
04-06 14:11:21.073  9209  9209 F chromium: [FATAL:jni_android.cc(233)] Check failed: false. Please include Java exception stack in crash report

This is also reproducible using Chrome Beta 50.0.2661.57 and Chrome Dev 51.0.2693.2.

Comment 2 by kwal...@rim.com, Apr 11 2016

Hi there, I was wondering if anyone would be able to take a look at this item?
There is an int overflow in the Android class SpannableStringBuilder, inside the replace() method on line 539:

final int offset = (selectionStart - start) * newLen / origLen;

The multiplication in this statement causes an overflow, which then causes an exception to be thrown later when the value is checked.
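As an added illustration (not code from this issue or from the Android source), the quoted expression evaluated in 32-bit int beside two overflow-safe forms; the selection and paste lengths are constructed values chosen so that the product exceeds Integer.MAX_VALUE, as a large copy-and-paste would:

```java
// Added example: reproduces the int overflow in the offset computation quoted
// above and shows how widening to long (or failing fast) avoids it.
// All lengths below are constructed, not taken from the reporter's test page.
public final class SpanOffsetOverflow {

    /** Mirrors the quoted line: the product is computed in 32-bit int and may wrap. */
    static int offsetInt(int selectionStart, int start, int newLen, int origLen) {
        return (selectionStart - start) * newLen / origLen;
    }

    /** Widens the operands to 64 bits before multiplying, so the product cannot wrap. */
    static int offsetLong(int selectionStart, int start, int newLen, int origLen) {
        long offset = (long) (selectionStart - start) * newLen / origLen;
        // The scaled offset must land inside the replacement text; anything else is a logic error.
        if (offset < 0 || offset > newLen) {
            throw new IllegalStateException("offset out of range: " + offset);
        }
        return (int) offset;
    }

    /** Alternative: throw at the multiplication instead of carrying a wrapped value forward. */
    static int offsetExact(int selectionStart, int start, int newLen, int origLen) {
        return Math.multiplyExact(selectionStart - start, newLen) / origLen;
    }

    public static void main(String[] args) {
        // Constructed scenario: a 50,000-char range is replaced by 50,000 chars of pasted
        // text and the caret sits at the end of the replaced range.
        int start = 0;
        int origLen = 50_000;
        int selectionStart = 50_000;
        int newLen = 50_000;

        System.out.println("int arithmetic : " + offsetInt(selectionStart, start, newLen, origLen));
        System.out.println("long arithmetic: " + offsetLong(selectionStart, start, newLen, origLen));
        try {
            System.out.println("exact          : " + offsetExact(selectionStart, start, newLen, origLen));
        } catch (ArithmeticException e) {
            System.out.println("exact          : " + e.getMessage());
        }
    }
}
```

With these inputs the int form wraps to a negative offset (-35899), which is the kind of value that later fails the "starts before 0" range check in setSpan, while the long form returns 50000 and the exact form throws ArithmeticException at the multiplication.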

Comment 4 by sheriffbot@chromium.org, Apr 21 2017

Status: Archived (was: Unconfirmed)
Issue has not been modified or commented on in the last 365 days, please re-open or file a new bug if this is still an issue.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
