From dfd58002231f09966dd89eb0eebab142dfa64552 Mon Sep 17 00:00:00 2001
From: Robert Longson
Date: Wed, 27 Mar 2013 10:19:02 +0000
Subject: [PATCH] Bug 842630 - Fix out of bounds in nsSVGTextFrame2::ResolvePositions. r=heycam
---
 layout/svg/crashtests/842630-1.svg | 1 +
 layout/svg/crashtests/crashtests.list | 1 +
 layout/svg/nsSVGTextFrame2.cpp | 8 ++++----
 3 files changed, 6 insertions(+), 4 deletions(-)
 create mode 100644 layout/svg/crashtests/842630-1.svg
diff --git a/layout/svg/crashtests/842630-1.svg b/layout/svg/crashtests/842630-1.svg
new file mode 100644
index 000000000000..8d36998be677
--- /dev/null
+++ b/layout/svg/crashtests/842630-1.svg
@@ -0,0 +1 @@
+AB
diff --git a/layout/svg/crashtests/crashtests.list b/layout/svg/crashtests/crashtests.list
index f5e25502aa74..a894c7fb5ecd 100644
--- a/layout/svg/crashtests/crashtests.list
+++ b/layout/svg/crashtests/crashtests.list
@@ -154,6 +154,7 @@ load 813420-1.svg
 load 841163-1.svg
 load 841812-1.svg
 load 842009-1.svg
+load 842630-1.svg
 load 842909-1.svg
 load 843072-1.svg
 load 847139-1.svg
diff --git a/layout/svg/nsSVGTextFrame2.cpp b/layout/svg/nsSVGTextFrame2.cpp
index 01de90562e20..5c981c833809 100644
--- a/layout/svg/nsSVGTextFrame2.cpp
+++ b/layout/svg/nsSVGTextFrame2.cpp
@@ -4079,10 +4079,7 @@ nsSVGTextFrame2::ResolvePositions(nsTArray& aDeltas)
 // Fill in unspecified positions for all remaining characters, noting
 // them as unaddressable if they are.
- uint32_t index = it.TextElementCharIndex();
- for (uint32_t i = 0; i < index; i++) {
- mPositions.AppendElement(CharPosition::Unspecified(false));
- }
+ uint32_t index = 0;
 while (it.Next()) {
 while (++index < it.TextElementCharIndex()) {
 mPositions.AppendElement(CharPosition::Unspecified(false));
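Review bot: `uint32_t index = 0;` carries no comment saying what `index` counts, and the pre-increment inside `while (++index < it.TextElementCharIndex())` advances it even when the comparison fails, which is easy to misread when auditing the array bounds. Judging by the "all remaining characters" wording of the existing comment, an entry for the first character is appended before this hunk, so `index` would be the text-element index of the newest entry in `mPositions`; that code is outside the visible lines, so confirm it. I would add `// index: text-element character index of the newest entry in mPositions.` above the declaration. The same padding loop appears again in the next hunk (@@ -4090), so a small local helper would keep the two copies from drifting apart.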
@@ -4090,6 +4087,9 @@ nsSVGTextFrame2::ResolvePositions(nsTArray& aDeltas)
 mPositions.AppendElement(CharPosition::Unspecified(
 it.IsOriginalCharUnaddressable()));
 }
+ while (++index < it.TextElementCharIndex()) {
+ mPositions.AppendElement(CharPosition::Unspecified(false));
+ }
 // Recurse over the content and fill in character positions as we go.
 bool forceStartOfChunk = false;
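Review bot: The loop added after `while (it.Next())` reads `it.TextElementCharIndex()` once the iterator is exhausted, and nothing in the hunk says what the iterator reports in that state. The fix appears to rely on it being the total character count of the text element, so that trailing characters the iterator skipped still get a slot; a comment such as `// it is at the end here; TextElementCharIndex() is expected to be the total character count, so pad for trailing skipped characters.` would record that dependency. The commit title describes an out-of-bounds in this function, presumably on `mPositions`, so a post-condition like `MOZ_ASSERT(mPositions.Length() == index);` after the loop would catch a future mismatch in debug builds. That equality assumes exactly one entry was appended before the first hunk, which is not visible here. ResolvePositions continues past the end of the hunk.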