Bug 1504918. Prevent TextNodeCorrespondenceRecorder::TraverseAndRecord crash. r=heycam
authorJonathan Watt <jwatt@jwatt.org>
Tue, 13 Nov 2018 16:49:21 +0000
changeset 504841 923646987d58dec3faabc9105114e2b1888a611f
parent 504840 fd18c9b951806db012985c9daf81a07aaa0bfe12
child 504842 74b45418136b33af8ca2b945b0a9b8087edea496
push id10290
push userffxbld-merge
push dateMon, 03 Dec 2018 16:23:23 +0000
reviewersheycam
bugs1504918
milestone65.0a1
Bug 1504918. Prevent TextNodeCorrespondenceRecorder::TraverseAndRecord crash. r=heycam Differential Revision: https://phabricator.services.mozilla.com/D11107
layout/svg/SVGTextFrame.cpp
layout/svg/crashtests/1504918.svg
layout/svg/crashtests/crashtests.list
--- a/layout/svg/SVGTextFrame.cpp
+++ b/layout/svg/SVGTextFrame.cpp
@@ -1508,17 +1508,18 @@ TextNodeCorrespondenceRecorder::Traverse
                    "incorrect tracking of undisplayed characters in "
                    "text nodes");
       // Any trailing characters at the end of the previous nsTextNode are
       // undisplayed.
       undisplayed = mPreviousNode->TextLength() - mNodeCharIndex;
     }
     // Each whole nsTextNode we find before we get to the text node for
     // the current text frame must be undisplayed.
-    while (mNodeIterator.Current() != node) {
+    while (mNodeIterator.Current() &&
+           mNodeIterator.Current() != node) {
       undisplayed += mNodeIterator.Current()->TextLength();
       NextNode();
     }
     // If the current text frame starts at a non-zero content offset, then those
     // earlier characters are also undisplayed.
     undisplayed += frame->GetContentOffset();
     NextNode();
   }
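Review bot: The new null check in the `while` condition ends the loop when the iterator runs out before reaching `node`, but the code after the loop still proceeds as if `node` had been found: it runs `undisplayed += frame->GetContentOffset();` and then `NextNode()` while `Current()` is already null. If that fall-through is intended, a comment above the loop should say why `Current()` can be null, for example `// The iterator can run out before reaching |node| when the frame and DOM traversals disagree (display:contents on textPath, bug 1504918).`; otherwise an explicit bail-out after the loop would be clearer than recording a count that has absorbed every remaining text node. The undisplayed count presumably feeds later character-index bookkeeping, so it is worth confirming that a mismatched value cannot produce an out-of-range index elsewhere. TraverseAndRecord starts and ends outside this hunk, so how `NextNode()` handles a null current node is not visible here.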
new file mode 100644
--- /dev/null
+++ b/layout/svg/crashtests/1504918.svg
@@ -0,0 +1,4 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+  <style>textPath { display: contents; }</style>
+  <text>x<textPath><textPath><tspan>y</tspan></textPath></textPath></text>
+</svg>
\ No newline at end of file
--- a/layout/svg/crashtests/crashtests.list
+++ b/layout/svg/crashtests/crashtests.list
@@ -213,8 +213,9 @@ load 1474982.html
 load conditional-outer-svg-nondirty-reflow-assert.xhtml
 load extref-test-1.xhtml
 load blob-merging-and-retained-display-list.html
 load empty-blob-merging.html
 load grouping-empty-bounds.html
 load 1480275.html
 load 1480224.html
 load 1502936.html
+load 1504918.svg