Mercurial > integration > mozilla-inbound / changeset / 362d0632ed6715072a20f3ff4bfcf39969b1e9a2
summary | shortlog | changelog | pushlog | graph | tags | bookmarks | branches | files | changeset | raw | zip | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Bug 842630 - Fix out of bounds in nsSVGTextFrame2::ResolvePositions. r=heycam
authorRobert Longson <longsonr@gmail.com>
Wed, 27 Mar 2013 10:19:02 +0000
changeset 126347 362d0632ed6715072a20f3ff4bfcf39969b1e9a2
parent 126346 61b8a5101c5b443564ad9cf3a85f6a128df3fd31
child 126369 5dbcbd03d7ba81c4fb364e23a30b0c2f9805da8e
push id25437
push userlongsonr@gmail.com
push dateWed, 27 Mar 2013 10:19:10 +0000
treeherdermozilla-inbound@362d0632ed67 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersheycam
bugs842630
milestone22.0a1
first release with
nightly linux32
962f5293f87f / 22.0a1 / 20130328031013 / files
nightly linux64
962f5293f87f / 22.0a1 / 20130328031013 / files
nightly mac
962f5293f87f / 22.0a1 / 20130328031013 / files
nightly win32
962f5293f87f / 22.0a1 / 20130328031013 / files
nightly win64
962f5293f87f / 22.0a1 / 20130328031013 / files
last release without
nightly linux32
456cb08f8509 / 22.0a1 / 20130326030941 / files
nightly linux64
456cb08f8509 / 22.0a1 / 20130326030941 / files
nightly mac
456cb08f8509 / 22.0a1 / 20130326030941 / files
nightly win32
456cb08f8509 / 22.0a1 / 20130326030941 / files
nightly win64
456cb08f8509 / 22.0a1 / 20130326030941 / files
Bug 842630 - Fix out of bounds in nsSVGTextFrame2::ResolvePositions. r=heycam
layout/svg/crashtests/842630-1.svg file | annotate | diff | comparison | revisions
layout/svg/crashtests/crashtests.list file | annotate | diff | comparison | revisions
layout/svg/nsSVGTextFrame2.cpp file | annotate | diff | comparison | revisions 
new file mode 100644
--- /dev/null
+++ b/layout/svg/crashtests/842630-1.svg
@@ -0,0 +1,1 @@
+<svg xmlns="http://www.w3.org/2000/svg"><text dy="20 20">A<tspan style="display: none;">B</tspan></text></svg>
--- a/layout/svg/crashtests/crashtests.list
+++ b/layout/svg/crashtests/crashtests.list
@@ -149,13 +149,14 @@ load 788831-1.svg
 load 790072.svg
 load 791826-1.svg
 load 789390-1.html
 load 808318-1.svg
 load 813420-1.svg
 load 841163-1.svg
 load 841812-1.svg
 load 842009-1.svg
+load 842630-1.svg
 load 842909-1.svg
 load 843072-1.svg
 load 847139-1.svg
 load 849688-1.svg
 load 849688-2.svg
--- a/layout/svg/nsSVGTextFrame2.cpp
+++ b/layout/svg/nsSVGTextFrame2.cpp
@@ -4074,27 +4074,27 @@ nsSVGTextFrame2::ResolvePositions(nsTArr
 
   // We assume the first character position is (0,0) unless we later see
   // otherwise, and note it as unaddressable if it is.
   bool firstCharUnaddressable = it.IsOriginalCharUnaddressable();
   mPositions.AppendElement(CharPosition::Unspecified(firstCharUnaddressable));
 
   // Fill in unspecified positions for all remaining characters, noting
   // them as unaddressable if they are.
-  uint32_t index = it.TextElementCharIndex();
-  for (uint32_t i = 0; i < index; i++) {
-    mPositions.AppendElement(CharPosition::Unspecified(false));
-  }
+  uint32_t index = 0;
   while (it.Next()) {
     while (++index < it.TextElementCharIndex()) {
       mPositions.AppendElement(CharPosition::Unspecified(false));
     }
     mPositions.AppendElement(CharPosition::Unspecified(
                                              it.IsOriginalCharUnaddressable()));
   }
+  while (++index < it.TextElementCharIndex()) {
+    mPositions.AppendElement(CharPosition::Unspecified(false));
+  }
 
   // Recurse over the content and fill in character positions as we go.
   bool forceStartOfChunk = false;
   return ResolvePositions(mContent, 0, false, forceStartOfChunk, aDeltas) != 0;
 }
 
 void
 nsSVGTextFrame2::DetermineCharPositions(nsTArray<nsPoint>& aPositions)
mozilla-inbound
Deployed from 18d8b634a3eb at 2022-06-27T19:41:42Z.