Bug 843072 - Crash with getExtentOfChar(0) if there is no text. r=dholbert
authorRobert Longson <longsonr@gmail.com>
Sat, 02 Mar 2013 13:28:04 +0000
changeset 123565 7d93ba84ce2f3718173b98978ee5876bd1650e6f
parent 123564 ac4c5ef2e0645cbe37981931ac78ae1d21bbfd26
child 123566 1cd1a9fdf8fba4c777b4cb044cad1641c0186010
push id24385
push usergszorc@mozilla.com
push dateSat, 02 Mar 2013 21:28:09 +0000
treeherdermozilla-central@0f0745beec38 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersdholbert
bugs843072
milestone22.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 843072 - Crash with getExtentOfChar(0) if there is no text. r=dholbert
layout/svg/crashtests/843072-1.svg
layout/svg/crashtests/crashtests.list
layout/svg/nsSVGTextFrame2.cpp
new file mode 100644
--- /dev/null
+++ b/layout/svg/crashtests/843072-1.svg
@@ -0,0 +1,11 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+  <defs>
+    <text id="t"></text>
+  </defs>
+
+  <script>
+    window.addEventListener("load", function() {
+      document.getElementById("t").getExtentOfChar(0);
+    }, false);
+  </script>
+</svg>
--- a/layout/svg/crashtests/crashtests.list
+++ b/layout/svg/crashtests/crashtests.list
@@ -149,8 +149,9 @@ load 788831-1.svg
 load 790072.svg
 load 791826-1.svg
 load 789390-1.html
 load 808318-1.svg
 load 813420-1.svg
 load 841163-1.svg
 load 841812-1.svg
 load 842009-1.svg
+load 843072-1.svg
--- a/layout/svg/nsSVGTextFrame2.cpp
+++ b/layout/svg/nsSVGTextFrame2.cpp
@@ -3650,17 +3650,18 @@ nsSVGTextFrame2::GetSubStringLength(nsIC
     return 0.0f;
   }
 
   // Convert charnum/nchars from addressable characters relative to
   // aContent to global character indices.
   CharIterator chit(this, CharIterator::eAddressable, aContent);
   if (!chit.AdvanceToSubtree() ||
       !chit.Next(charnum) ||
-      chit.IsAfterSubtree()) {
+      chit.IsAfterSubtree() ||
+      chit.AtEnd()) {
     return 0.0f;
   }
   charnum = chit.TextElementCharIndex();
   chit.NextWithinSubtree(nchars);
   nchars = chit.TextElementCharIndex() - charnum;
 
   // Find each rendered run that intersects with the range defined
   // by charnum/nchars.
@@ -3749,17 +3750,18 @@ nsresult
 nsSVGTextFrame2::GetStartPositionOfChar(nsIContent* aContent,
                                         uint32_t aCharNum,
                                         mozilla::nsISVGPoint** aResult)
 {
   UpdateGlyphPositioning(false);
 
   CharIterator it(this, CharIterator::eAddressable, aContent);
   if (!it.AdvanceToSubtree() ||
-      !it.Next(aCharNum)) {
+      !it.Next(aCharNum) ||
+      it.AtEnd()) {
     return NS_ERROR_DOM_INDEX_SIZE_ERR;
   }
 
   // We need to return the start position of the whole glyph.
   uint32_t startIndex = it.GlyphStartTextElementCharIndex();
 
   NS_ADDREF(*aResult = new DOMSVGPoint(mPositions[startIndex].mPosition));
   return NS_OK;
@@ -3773,17 +3775,18 @@ nsresult
 nsSVGTextFrame2::GetEndPositionOfChar(nsIContent* aContent,
                                       uint32_t aCharNum,
                                       mozilla::nsISVGPoint** aResult)
 {
   UpdateGlyphPositioning(false);
 
   CharIterator it(this, CharIterator::eAddressable, aContent);
   if (!it.AdvanceToSubtree() ||
-      !it.Next(aCharNum)) {
+      !it.Next(aCharNum) ||
+      it.AtEnd()) {
     return NS_ERROR_DOM_INDEX_SIZE_ERR;
   }
 
   // We need to return the end position of the whole glyph.
   uint32_t startIndex = it.GlyphStartTextElementCharIndex();
 
   // Get the advance of the glyph.
   gfxFloat advance = it.GetGlyphAdvance(PresContext());
@@ -3810,17 +3813,18 @@ nsresult
 nsSVGTextFrame2::GetExtentOfChar(nsIContent* aContent,
                                  uint32_t aCharNum,
                                  nsIDOMSVGRect** aResult)
 {
   UpdateGlyphPositioning(false);
 
   CharIterator it(this, CharIterator::eAddressable, aContent);
   if (!it.AdvanceToSubtree() ||
-      !it.Next(aCharNum)) {
+      !it.Next(aCharNum) ||
+      it.AtEnd()) {
     return NS_ERROR_DOM_INDEX_SIZE_ERR;
   }
 
   nsPresContext* presContext = PresContext();
 
   float cssPxPerDevPx = presContext->
     AppUnitsToFloatCSSPixels(presContext->AppUnitsPerDevPixel());
 
@@ -3861,17 +3865,18 @@ nsresult
 nsSVGTextFrame2::GetRotationOfChar(nsIContent* aContent,
                                    uint32_t aCharNum,
                                    float* aResult)
 {
   UpdateGlyphPositioning(false);
 
   CharIterator it(this, CharIterator::eAddressable, aContent);
   if (!it.AdvanceToSubtree() ||
-      !it.Next(aCharNum)) {
+      !it.Next(aCharNum) ||
+      it.AtEnd()) {
     return NS_ERROR_DOM_INDEX_SIZE_ERR;
   }
 
   *aResult = mPositions[it.TextElementCharIndex()].mAngle * 180.0 / M_PI;
   return NS_OK;
 }
 
 //----------------------------------------------------------------------