WebKit Bugzilla
Bug 16996 - Crash in createFontCustomPlatformData when loading 0-byte font via @font-face
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=16996

Reported by Adam Roben (:aroben), 2008-01-24 14:54:16 PST
Loading a page with an @font-face rule like so:

@font-face { font-family: EmptyFont; src: url(data:application/x-truetype-font,) format(truetype); }

causes the following crash (the SharedBuffer is null):

WebKit_debug.dll!WTF::Vector<char,0>::size() Line 422 + 0x11 bytes C++
WebKit_debug.dll!WebCore::SharedBuffer::size() Line 51 C++
> WebKit_debug.dll!WebCore::createFontCustomPlatformData(WebCore::SharedBuffer * buffer=0x00000000) Line 67 + 0xe bytes C++
WebKit_debug.dll!WebCore::CachedFont::ensureCustomFontData() Line 88 + 0x14 bytes C++
WebKit_debug.dll!WebCore::CSSFontFaceSource::getFontData(const WebCore::FontDescription & fontDescription={...}, bool syntheticBold=false, bool syntheticItalic=false, WebCore::CSSFontSelector * fontSelector=0x04ba47d0) Line 126 + 0xb bytes C++
WebKit_debug.dll!WebCore::CSSFontFace::getFontData(const WebCore::FontDescription & fontDescription={...}, bool syntheticBold=false, bool syntheticItalic=false) Line 84 + 0x2e bytes C++
WebKit_debug.dll!WebCore::CSSSegmentedFontFace::getFontData(const WebCore::FontDescription & fontDescription={...}, bool syntheticBold=false, bool syntheticItalic=false) Line 125 + 0x34 bytes C++
WebKit_debug.dll!WebCore::CSSFontSelector::getFontData(const WebCore::FontDescription & fontDescription={...}, const WebCore::AtomicString & familyName={...}) Line 359 + 0x1b bytes C++
WebKit_debug.dll!WebCore::FontCache::getFontData(const WebCore::Font & font={...}, int & familyIndex=1, WebCore::FontSelector * fontSelector=0x04ba47d0) Line 237 + 0x21 bytes C++
WebKit_debug.dll!WebCore::FontFallbackList::fontDataAt(const WebCore::Font * font=0x04ab0c88, unsigned int realizedFontIndex=0) Line 85 + 0x1c bytes C++
WebKit_debug.dll!WebCore::FontFallbackList::primaryFont(const WebCore::Font * f=0x04ab0c88) Line 56 + 0x1c bytes C++
WebKit_debug.dll!WebCore::FontFallbackList::determinePitch(const WebCore::Font * font=0x04ab0c88) Line 57 + 0xc bytes C++
WebKit_debug.dll!WebCore::FontFallbackList::isFixedPitch(const WebCore::Font * f=0x04ab0c88) Line 48 + 0x23 bytes C++
WebKit_debug.dll!WebCore::Font::isFixedPitch() Line 542 C++
WebKit_debug.dll!WebCore::RenderText::widthFromCache(const WebCore::Font & f={...}, int start=0, int len=12, int xPos=0) Line 408 + 0x8 bytes C++
WebKit_debug.dll!WebCore::RenderText::width(unsigned int from=0, unsigned int len=12, const WebCore::Font & f={...}, int xPos=0) Line 1042 + 0x18 bytes C++
WebKit_debug.dll!WebCore::RenderBlock::findNextLineBreak(WebCore::BidiIterator & start={...}, WebCore::BidiResolver<WebCore::BidiIterator,WebCore::BidiRun> & bidi={...}) Line 1647 + 0x37 bytes C++
WebKit_debug.dll!WebCore::RenderBlock::layoutInlineChildren(bool relayoutChildren=false, int & repaintTop=0, int & repaintBottom=0) Line 969 + 0x1a bytes C++
WebKit_debug.dll!WebCore::RenderBlock::layoutBlock(bool relayoutChildren=false) Line 583 C++
WebKit_debug.dll!WebCore::RenderBlock::layout() Line 492 + 0x14 bytes C++
WebKit_debug.dll!WebCore::RenderObject::layoutIfNeeded() Line 489 + 0x30 bytes C++
WebKit_debug.dll!WebCore::RenderBlock::layoutBlockChildren(bool relayoutChildren=false, int & maxFloatBottom=0) Line 1232 C++
WebKit_debug.dll!WebCore::RenderBlock::layoutBlock(bool relayoutChildren=false) Line 587 C++
WebKit_debug.dll!WebCore::RenderBlock::layout() Line 492 + 0x14 bytes C++
WebKit_debug.dll!WebCore::RenderObject::layoutIfNeeded() Line 489 + 0x30 bytes C++
WebKit_debug.dll!WebCore::RenderBlock::layoutBlockChildren(bool relayoutChildren=false, int & maxFloatBottom=0) Line 1232 C++
WebKit_debug.dll!WebCore::RenderBlock::layoutBlock(bool relayoutChildren=false) Line 587 C++
WebKit_debug.dll!WebCore::RenderBlock::layout() Line 492 + 0x14 bytes C++
WebKit_debug.dll!WebCore::RenderObject::layoutIfNeeded() Line 489 + 0x30 bytes C++
WebKit_debug.dll!WebCore::RenderBlock::layoutBlockChildren(bool relayoutChildren=false, int & maxFloatBottom=0) Line 1232 C++
WebKit_debug.dll!WebCore::RenderBlock::layoutBlock(bool relayoutChildren=false) Line 587 C++
WebKit_debug.dll!WebCore::RenderBlock::layout() Line 492 + 0x14 bytes C++
WebKit_debug.dll!WebCore::RenderView::layout() Line 114 C++
WebKit_debug.dll!WebCore::FrameView::layout(bool allowSubtree=true) Line 465 + 0x12 bytes C++
WebKit_debug.dll!WebCore::Document::updateLayout() Line 1152 C++
WebKit_debug.dll!WebCore::RenderLayer::hitTest(const WebCore::HitTestRequest & request={...}, WebCore::HitTestResult & result={...}) Line 1639 C++
WebKit_debug.dll!WebCore::Document::prepareMouseEvent(const WebCore::HitTestRequest & request={...}, const WebCore::IntPoint & documentPoint={...}, const WebCore::PlatformMouseEvent & event={...}) Line 1848 C++
WebKit_debug.dll!WebCore::EventHandler::prepareMouseEvent(const WebCore::HitTestRequest & request={...}, const WebCore::PlatformMouseEvent & mev={...}) Line 1229 + 0x21 bytes C++
WebKit_debug.dll!WebCore::EventHandler::handleMouseMoveEvent(const WebCore::PlatformMouseEvent & mouseEvent={...}, WebCore::HitTestResult * hoveredNode=0x0012f664) Line 998 C++
WebKit_debug.dll!WebCore::EventHandler::mouseMoved(const WebCore::PlatformMouseEvent & event={...}) Line 950 + 0x10 bytes C++
WebKit_debug.dll!WebView::handleMouseEvent(unsigned int message=512, unsigned int wParam=0, long lParam=4849836) Line 1217 + 0x1d bytes C++
WebKit_debug.dll!WebViewWndProc(HWND__ * hWnd=0x00070406, unsigned int message=512, unsigned int wParam=0, long lParam=4849836) Line 1635 + 0x14 bytes C++
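The crash in this report is a null SharedBuffer reaching createFontCustomPlatformData, which then calls size() on it. The C++ below is an added illustration written for this page; it is not WebKit code and not the fix that landed in r29780 (the page does not show that patch). SharedBuffer, FontCustomPlatformData, CachedFont, bufferForPayload and the helper functions are hypothetical, reduced stand-ins that reproduce the shape of the call path in the trace (ensureCustomFontData calling createFontCustomPlatformData calling size()) and show the check that turns a null or zero-byte font buffer into a load failure the caller can fall back from instead of a null dereference.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-ins for WebKit's SharedBuffer and FontCustomPlatformData,
// reduced to what is needed to exercise the null-buffer path from the report.
struct SharedBuffer {
    std::vector<char> bytes;
    size_t size() const { return bytes.size(); }
};

struct FontCustomPlatformData {
    size_t byteCount;
};

// Constructed stand-in for the resource loader. It mirrors the report's
// observation: an empty data: payload leaves the font with a null buffer.
std::shared_ptr<SharedBuffer> bufferForPayload(const std::string& payload)
{
    if (payload.empty())
        return nullptr;
    return std::make_shared<SharedBuffer>(SharedBuffer{ std::vector<char>(payload.begin(), payload.end()) });
}

// Hardened creator. The crash in the trace is buffer->size() on a null
// pointer, so the pointer is tested before any member is touched; a buffer
// that exists but holds zero bytes is rejected too, since it cannot be a font.
std::unique_ptr<FontCustomPlatformData> createFontCustomPlatformData(SharedBuffer* buffer)
{
    if (!buffer || !buffer->size())
        return nullptr;
    return std::make_unique<FontCustomPlatformData>(FontCustomPlatformData{ buffer->size() });
}

enum class FontLoadState { Pending, Loaded, Failed };

// Hypothetical reduction of CachedFont: ensureCustomFontData() reports failure
// instead of crashing, so the font-face code can move on to the next src or
// a system font. A failed font stays failed; it is not retried on every layout.
struct CachedFont {
    std::shared_ptr<SharedBuffer> buffer;
    std::unique_ptr<FontCustomPlatformData> fontData;
    FontLoadState state = FontLoadState::Pending;

    bool ensureCustomFontData()
    {
        if (fontData)
            return true;
        if (state == FontLoadState::Failed)
            return false;
        fontData = createFontCustomPlatformData(buffer.get());
        state = fontData ? FontLoadState::Loaded : FontLoadState::Failed;
        return state == FontLoadState::Loaded;
    }
};

// Drives the whole path for one @font-face payload and reports whether the
// custom font became usable. The report's empty data: URL yields false.
bool customFontUsable(const std::string& payload)
{
    CachedFont font;
    font.buffer = bufferForPayload(payload);
    return font.ensureCustomFontData();
}

// A buffer that is present but empty (0 bytes) must also be refused.
bool zeroByteBufferIsRejected()
{
    CachedFont font;
    font.buffer = std::make_shared<SharedBuffer>();
    return !font.ensureCustomFontData() && font.state == FontLoadState::Failed;
}

int main()
{
    std::printf("empty data: URL usable?     %s\n", customFontUsable("") ? "yes" : "no");
    std::printf("zero-byte buffer rejected?  %s\n", zeroByteBufferIsRejected() ? "yes" : "no");
    // "OTTO" is a constructed placeholder payload, not a real font file.
    std::printf("non-empty payload usable?   %s\n", customFontUsable("OTTO") ? "yes" : "no");
    return 0;
}
```

The point of the Failed state is that the trace shows the font being resolved from layout and hit-testing code, which runs repeatedly; once a font is known to be unloadable, recording that outcome avoids re-entering the creator on every mouse move or relayout.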
Attachments

testcase (will crash when loaded) (282 bytes, text/html), 2008-01-24 14:54 PST, Adam Roben (:aroben), no flags
patch with test and changelog (4.81 KB, patch), 2008-01-24 15:10 PST, Adam Roben (:aroben), hyatt: review+
Adam Roben (:aroben), Comment 1, 2008-01-24 14:54:51 PST
Created attachment 18646: testcase (will crash when loaded)

Adam Roben (:aroben), Comment 2, 2008-01-24 15:04:13 PST
I have a patch for this.

Adam Roben (:aroben), Comment 3, 2008-01-24 15:10:11 PST
Created attachment 18647: patch with test and changelog

Dave Hyatt, Comment 4, 2008-01-24 15:11:43 PST
Comment on attachment 18647 (patch with test and changelog):
r=me

Adam Roben (:aroben), Comment 5, 2008-01-24 15:14:46 PST
Committed as r29780.