authormrossetti@chromium.org <mrossetti@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-06-06 12:19:34 +0000
committermrossetti@chromium.org <mrossetti@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-06-06 12:19:34 +0000
commit6d478b1e77dba59521c5eac87bad1e1f6055219d (patch)
tree23af5ab68284cec4057d5d86703c68dd1d116f67
parent379820172ecd66a378c3bf51c58cbb218c8c6844 (diff)
Guard Against Bad Classifications
Added a safety valve so that there will be no attempt to set an attribute on a string beyond its end. Also, be consistent in using NSInteger by carrying around |nextOffset| as one. Enhanced the diagnostic output for the AutocompleteMatch::ValidateClassifications function so that the underlying perpetrator of the problem can more easily be identified. NOTE: This is a partial fix in that the true underlying cause of the bad classification range has not yet been addressed. So this bug will be left open. BUG=121703 TEST=Visit http://www.hurriyet.com.tr/. Bring up a new tab. Type 's' into the omnibox. No crash means success. Review URL: https://chromiumcodereview.appspot.com/10537010 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@140747 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--chrome/browser/autocomplete/autocomplete_match.cc9
-rw-r--r--chrome/browser/ui/cocoa/omnibox/omnibox_popup_view_mac.mm16
2 files changed, 20 insertions, 5 deletions
diff --git a/chrome/browser/autocomplete/autocomplete_match.cc b/chrome/browser/autocomplete/autocomplete_match.cc
index 82d9d2a..13bee33 100644
--- a/chrome/browser/autocomplete/autocomplete_match.cc
+++ b/chrome/browser/autocomplete/autocomplete_match.cc
@@ -7,6 +7,7 @@
#include "base/logging.h"
#include "base/string_number_conversions.h"
#include "base/string_util.h"
+#include "chrome/browser/autocomplete/autocomplete.h"
#include "chrome/browser/search_engines/template_url.h"
#include "chrome/browser/search_engines/template_url_service.h"
#include "chrome/browser/search_engines/template_url_service_factory.h"
@@ -336,9 +337,13 @@ void AutocompleteMatch::ValidateClassifications(
for (ACMatchClassifications::const_iterator i(classifications.begin() + 1);
i != classifications.end(); ++i) {
DCHECK_GT(i->offset, last_offset)
- << "Classification unsorted for \"" << text << '"';
+ << " Classification for \"" << text << "\" with offset of " << i->offset
+ << " is unsorted in relation to last offset of " << last_offset
+ << ". Provider: " << (provider ? provider->name() : "None") << ".";
DCHECK_LT(i->offset, text.length())
- << "Classification out of bounds for \"" << text << '"';
+ << " Classification of [" << i->offset << "," << text.length()
+ << "] is out of bounds for \"" << text << "\". Provider: "
+ << (provider ? provider->name() : "None") << ".";
last_offset = i->offset;
}
}
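Review bot: Both bounds checks in this loop are still `DCHECK`s, so release builds skip them and a provider's out-of-range `offset` continues on to every consumer of the classifications; the richer message only helps debug builds. Consider stating that above the loop, e.g. `// Debug-only validation; consumers must still bounds-check offsets against text.length().`, since this commit adds such a guard only in the Mac popup and the other views are not visible here. The out-of-bounds message would also read more clearly as `<< " Classification offset " << i->offset << " is out of bounds for text length " << text.length()` than as a bracketed pair that looks like a range. ValidateClassifications begins above this hunk, so any check on the first classification is not visible.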
diff --git a/chrome/browser/ui/cocoa/omnibox/omnibox_popup_view_mac.mm b/chrome/browser/ui/cocoa/omnibox/omnibox_popup_view_mac.mm
index 566896d..6bab836 100644
--- a/chrome/browser/ui/cocoa/omnibox/omnibox_popup_view_mac.mm
+++ b/chrome/browser/ui/cocoa/omnibox/omnibox_popup_view_mac.mm
@@ -117,14 +117,24 @@ NSMutableAttributedString* OmniboxPopupViewMac::DecorateMatchedString(
attributes:attributes]
autorelease];
+ // As a protective measure, bail if the length of the match string is not
+ // the same as the length of the converted NSString. http://crbug.com/121703
+ if ([s length] != matchString.size())
+ return as;
+
// Mark up the runs which differ from the default.
for (ACMatchClassifications::const_iterator i = classifications.begin();
i != classifications.end(); ++i) {
const BOOL isLast = (i+1) == classifications.end();
- const size_t nextOffset = (isLast ? matchString.length() : (i + 1)->offset);
+ const NSInteger nextOffset =
+ (isLast ? [s length] : static_cast<NSInteger>((i + 1)->offset));
const NSInteger location = static_cast<NSInteger>(i->offset);
- const NSInteger length = static_cast<NSInteger>(nextOffset - i->offset);
- const NSRange range = NSMakeRange(location, length);
+ const NSInteger length = nextOffset - static_cast<NSInteger>(i->offset);
+ // Guard against bad, off-the-end classification ranges.
+ if (i->offset >= [s length] || length <= 0)
+ break;
+ const NSRange range = NSMakeRange(location,
+ MIN(length, static_cast<NSInteger>([s length]) - location));
if (0 != (i->style & ACMatchClassification::URL)) {
[as addAttribute:NSForegroundColorAttributeName