Closed Bug 841174 Opened 11 years ago Closed 11 years ago

Out of bounds in nsSVGTextFrame2::DoAnchoring with svg.text.css-frames.enabled

Categories

(Core :: SVG, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla21

People

(Reporter: jruderman, Assigned: heycam)

References

Details

(Keywords: assertion, testcase)

Attachments

(3 files)

With:
  user_pref("svg.text.css-frames.enabled", true);

Assertion failure: i < Length() (invalid array index), at ../../dist/include/nsTArray.h:632

[@ nsSVGTextFrame2::DoAnchoring]
Attached file stack
Attached patch patch
The test has a ::first-letter that applies to a combining character.  As part of the text frame splitting done by the ::first-letter handling, there is an empty nsTextFrame (its content length is 0) followed by a non-empty nsContinuingTextFrame (its content offset is 0 and content length is 2).  The IsNonEmptyTextFrame function was meant to handle empty text frames like this, but it was looking at the corresponding content nsTextNode to see if it is empty.  In this case, the empty nsTextFrame's corresponding nsTextNode is the single nsTextNode that contains the combining mark and the following normal character.  So it was being treated as a non-empty nsTextFrame.

The patch changes IsNonEmptyTextFrame to look at the actual content length value on the nsTextFrame to determine if it is empty, which works both with the other cases that IsNonEmptyTextFrame worked for (empty text nodes created with createTextNode()) and this case where the text is split due to ::first-letter.
Assignee: nobody → cam
Status: NEW → ASSIGNED
Attachment #713775 - Flags: review?(jwatt)
Attachment #713775 - Flags: review?(jwatt) → review+
Thanks for the clear description.
https://hg.mozilla.org/mozilla-central/rev/47651a71a556
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
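
Added example, not part of the bug or the landed patch: a simplified C++ model of the emptiness check described in the patch comment above, comparing a predicate that asks the text node with one that asks the frame's own content length. All type and function names are hypothetical, and the array-indexing consumer is a constructed stand-in for a caller, not the real nsSVGTextFrame2::DoAnchoring logic.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Simplified model, not Gecko code: every type and function name is hypothetical.
struct TextNode { std::u16string data; };
struct TextFrame {
    const TextNode* content;    // node rendered; continuations share it
    std::size_t contentOffset;  // start of this frame's slice of the node
    std::size_t contentLength;  // code units this frame itself covers
};

// Check before the patch, as the comment describes it: asks the node.
bool IsNonEmptyByNode(const TextFrame& f) { return !f.content->data.empty(); }
// Check after the patch: asks the frame's own content length.
bool IsNonEmptyByFrame(const TextFrame& f) { return f.contentLength != 0; }

// Constructed stand-in for a consumer (assumption): one array entry exists per
// frame that really covers text, and one entry is read per frame the predicate
// accepts. Returns false if a read would land past the end of that array.
template <typename Pred>
bool IndicesStayInBounds(const std::vector<TextFrame>& frames, Pred isNonEmpty) {
    std::size_t entries = 0, next = 0;
    for (const auto& f : frames) if (f.contentLength != 0) ++entries;
    for (const auto& f : frames)
        if (isNonEmpty(f) && next++ >= entries) return false;
    return true;
}

// Constructed input: combining acute accent followed by 'a' (2 code units).
static const TextNode kCombining{u"\u0301a"};
static const TextNode kEmpty{u""};  // like createTextNode("")

// ::first-letter split from the comment: empty frame, then a continuation.
std::vector<TextFrame> FirstLetterCase() {
    return {TextFrame{&kCombining, 0, 0}, TextFrame{&kCombining, 0, 2}};
}
std::vector<TextFrame> EmptyNodeCase() { return {TextFrame{&kEmpty, 0, 0}}; }

int main() {
    bool ok = !IndicesStayInBounds(FirstLetterCase(), IsNonEmptyByNode) &&
              IndicesStayInBounds(FirstLetterCase(), IsNonEmptyByFrame) &&
              IndicesStayInBounds(EmptyNodeCase(), IsNonEmptyByNode) &&
              IndicesStayInBounds(EmptyNodeCase(), IsNonEmptyByFrame);
    return ok ? 0 : 1;
}
```

The two predicates agree on the empty-node case and disagree only on the ::first-letter split, which is why the node-based check held up until a frame with zero content length pointed at a non-empty node.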