bug 490777 - don't hang/crash on unpaired low surrogate codepoint in RTL text, r=roc
authorJonathan Kew <jfkthame@gmail.com>
Fri, 08 May 2009 14:16:44 +1200
changeset 28111 24793a90135db0a0f492f4a6692219b9c387fe40
parent 28110 f053a233cc7bbbd6ce0285e2e35106cb0fc3d1e1
child 28112 4aa17bf8dcdae7a64ae4256cffdf9e87558a8cc6
push id6896
push userrocallahan@mozilla.com
push dateFri, 08 May 2009 03:22:56 +0000
reviewersroc
bugs490777
milestone1.9.2a1pre
bug 490777 - don't hang/crash on unpaired low surrogate codepoint in RTL text, r=roc
gfx/thebes/crashtests/490777-1.html
gfx/thebes/crashtests/crashtests.list
gfx/thebes/src/gfxAtsuiFonts.cpp
new file mode 100644
--- /dev/null
+++ b/gfx/thebes/crashtests/490777-1.html
@@ -0,0 +1,9 @@
+<!-- This crashed on Mac OS X with the modified ATSUI font backend implemented in
+     bug 481948. Crash occurs due to an unpaired low surrogate in text with the
+     right-to-left direction override; this cannot occur in direct HTML content
+     because the unpaired surrogate will be replaced with U+FFFD, but it can be
+     generated from Javascript. -->
+<html>
+<body onload="document.body.appendChild(document.createTextNode('\u202E\u4839\uDC1D'));">
+</body>
+</html>
--- a/gfx/thebes/crashtests/crashtests.list
+++ b/gfx/thebes/crashtests/crashtests.list
@@ -49,8 +49,9 @@ load 421393-1.html
 load 421813-1.html
 load 423270-1.html
 load 429899-1.html
 load 463307-1.html
 load 467873-1.html
 load 470418-1.html
 skip-if(MOZ_WIDGET_TOOLKIT=="gtk2") load 441360.html # filed bug 455463 for gtk2
 load 487549-1.html
+load 490777-1.html
--- a/gfx/thebes/src/gfxAtsuiFonts.cpp
+++ b/gfx/thebes/src/gfxAtsuiFonts.cpp
@@ -1070,18 +1070,20 @@ PostLayoutCallback(ATSULineRef aLine, gf
             // but in unusual cases where the character/glyph association is complex,
             // the initial character range might correspond to a non-contiguous
             // glyph range with "holes" in it. If so, we will repeat this loop to
             // extend the character range until we have a contiguous glyph sequence.
             charEnd += direction;
             while (charEnd != charLimit && charToGlyph[charEnd] == NO_GLYPH) {
                 charEnd += direction;
             }
-            // in RTL, back up if we ended at a low surrogate (belongs with the next clump)
-            if (!isLTR && NS_IS_LOW_SURROGATE(aString[charEnd+1])) {
+            // in RTL, back up if we ended at a "deleted" low surrogate
+            // (belongs with the next clump)
+            if (!isLTR && charToGlyph[charEnd+1] == NO_GLYPH &&
+                NS_IS_LOW_SURROGATE(aString[charEnd+1])) {
                 charEnd += 1;
             }
 
             // find the maximum glyph index covered by the clump so far
             for (PRInt32 i = charStart; i != charEnd; i += direction) {
                 if (charToGlyph[i] != NO_GLYPH) {
                     glyphEnd = PR_MAX(glyphEnd, charToGlyph[i] + 1); // update extent of glyph range
                 }