Bug 1665668 [wpt PR 25601] - Prevent break opportunity offset to surpass the item's range_end, a=testonly

Automatic update from web-platform-tests
Prevent break opportunity offset to surpass the item's range_end

When exploring breaking opportunities we were early return, and shaping
to the end, when we detected that current candidate overflow and next
breaking opportunity surpass the item's range end.

However, since we landed in r807457 the new TextBreakIterator's
behavior of  breaking always after the space run, we can get some
opportunities that surpass the item's range_end even if the candidate
doesn't overflow. An example of this could be when trailing spaces are
located in different items.

This patch ensures that even when the candidate doesn't overflow, we
never consider breaking opportunity offsets that surpass the item's
range end; since we are not overflowing, we'll proceed with the shaping
logic considering range_end as maximum of the breaking opportunity
offset.

Bug: 1128571
Change-Id: I704eb8091cdca00713fed15e22749bb633bacc71
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2414196
Commit-Queue: Javier Fernandez <jfernandez@igalia.com>
Reviewed-by: Koji Ishii <kojii@chromium.org>
Cr-Commit-Position: refs/heads/master@{#808007}

--

wpt-commits: 0293b6f415e8d8a869462bbf3f3f5bdeb3f268db
wpt-pr: 25601

testing/web-platform/tests/css/css-text/altering-dom-crash.html

@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<title>CSS Text Test: Altering the DOM generates empty text elements that cause line-breaking to crash</title>
+<link rel="help" href="https://crbug.com/972992">
+<style>
+    body {
+        width: 5pt;
+        hyphens: none;
+    }
+</style>
+<body onload=jsfuzzer()>
+    <table id="table1">x</table>
+    <content contenteditable="plaintext-only">
+</body>
+<script>
+    function jsfuzzer() {
+        document.all[0].appendChild(table1);
+    }
+</script>