[Backport] Security bug 379254069

Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/6055965:
Layout: Fix a crash with tex-transform and -webkit-text-security

Uppercasing U+1FB7 and applying -webkit-text-security caused a crash.

- Changing an existing DCHECK to CHECK to catch errors like this
  earlier.

Bug: 379254069
Change-Id: I50080aee06fdf35124a0b7fa6071a5e9dfe0fa42
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6055965
Auto-Submit: Kent Tamura <[email protected]>
Reviewed-by: Koji Ishii <[email protected]>
Commit-Queue: Koji Ishii <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1390243}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/611750
Reviewed-by: Anu Aliyas <[email protected]>

Author: tkent-google

chromium/third_party/blink/renderer/core/layout/layout_text.cc

@@ -916,7 +916,9 @@ String LayoutText::TransformAndSecureText(const String& original,
     }
     auto [masked, secure_map] = SecureText(transformed, mask);
     if (!secure_map.IsEmpty()) {
-      offset_map = TextOffsetMap(offset_map, secure_map);
+      offset_map = TextOffsetMap(
+          offset_map, secure_map,
+          RuntimeEnabledFeatures::TextTransformAndSecurityFixEnabled());
     }
     return masked;
   }

chromium/third_party/blink/renderer/platform/runtime_enabled_features.json5

@@ -4175,6 +4175,11 @@
       status: "stable",
       depends_on: ["ScrollTimeline"]
     },
+    {
+      // crbug.com/379254069
+      name: "TextTransformAndSecurityFix",
+      status: "stable",
+    },
     {
       name: "TimerThrottlingForBackgroundTabs",
       public: true,

chromium/third_party/blink/renderer/platform/wtf/text/text_offset_map.cc

@@ -48,7 +48,8 @@ std::ostream& operator<<(std::ostream& stream,
 }
 
 TextOffsetMap::TextOffsetMap(const TextOffsetMap& map12,
-                             const TextOffsetMap& map23) {
+                             const TextOffsetMap& map23,
+                             bool fix_crash) {
   if (map12.IsEmpty()) {
     entries_ = map23.entries_;
     return;
@@ -91,7 +92,12 @@ TextOffsetMap::TextOffsetMap(const TextOffsetMap& map12,
       ++index12;
       ++index23;
     } else {
-      Append(entry23.source - offset_diff_12, entry23.target);
+      DCHECK_GT(entry12.target, entry23.source);
+      if (fix_crash && chunk_length_diff_12 > 0 && chunk_length_diff_23 < 0) {
+        // No need to append entry23 because it is included in entry12.
+      } else {
+        Append(entry23.source - offset_diff_12, entry23.target);
+      }
       offset_diff_23 = entry23.target - entry23.source;
       ++index23;
     }
@@ -107,8 +113,8 @@ TextOffsetMap::TextOffsetMap(const TextOffsetMap& map12,
 }
 
 void TextOffsetMap::Append(wtf_size_t source, wtf_size_t target) {
-  DCHECK(IsEmpty() ||
-         (source > entries_.back().source && target > entries_.back().target));
+  CHECK(IsEmpty() ||
+        (source > entries_.back().source && target > entries_.back().target));
   entries_.emplace_back(source, target);
 }
 

chromium/third_party/blink/renderer/platform/wtf/text/text_offset_map.h

@@ -42,7 +42,9 @@ class WTF_EXPORT TextOffsetMap {
   // Suppose that we mapped string-1 to string-2 with producing map12, and
   // we mapped string-2 to string-3 with producing map23. This constructor
   // creates a TextOffsetMap instance for mapping string-1 to string-3.
-  TextOffsetMap(const TextOffsetMap& map12, const TextOffsetMap& map23);
+  TextOffsetMap(const TextOffsetMap& map12,
+                const TextOffsetMap& map23,
+                bool fix_crash);
 
   bool IsEmpty() const { return entries_.empty(); }