22321 2008-11-17 12:48:11 -0800 SVGFonts and SVGRootInlineBox broken for RTL text (fonts-glyph-02-t.svg causes an ASSERT) 2008-11-18 04:43:09 -0800 1 1 1 Unclassified WebKit SVG 528+ (Nightly build) PC OS X 10.5 RESOLVED DUPLICATE 18830 P2 Normal --- 1 zecke webkit-unassigned oldest_to_newest 99085 0 zecke 2008-11-17 12:48:11 -0800 Revision r31310 introduced extraCharsAvailable to be able to do ligatures, etc. There is a slight bug that leads to create a String from UChar* which reads beyond the bounds. SVGTextRunWalker::walk ASSERT(to + from == run.length()); ^^^^ const int endOfScanRange = to + m_walkerData.extraCharsAvailable; for (int i = from; i < to; ++i) { characterLookupRange = endOfScanRange - i; String lookupString(run.data(i), characterLookupRange); ^^^^ <- out of bounds now SVGRootInlineBox::buildLayoutInformationForTextBox int extraCharsAvailable = length - i - 1; if (textBox->direction() == RTL) { glyphWidth = svgTextBox->calculateGlyphWidth(style, textBox->end() - i, extraCharsAvailable, charsConsumed, glyphName); glyphHeight = svgTextBox->calculateGlyphHeight(style, textBox->end() - i, extraCharsAvailable); unicodeStr = String(textBox->textObject()->text()->characters() + textBox->end() - i, charsConsumed); extraCharsAvailable is wrong, or at least wrong in the future. In SVGFont it gets treated as how many chars are available to the right.. but in the first iteration in the above loop: i = 0 textBox->end() == length-1; but we travel the text from right to left. This means in the first loop there is not extra char available?! in the next one...? Also SVGInlineTextBox::calculateGlyphWidth looks really weird: A Text run with size one is created but we pass the extraCharsAvailable... this will work for LTR text but with RTL text (as in the above test case) we will read out of the bounds of the string. 99086 1 ap 2008-11-17 12:52:12 -0800 Per svn log, this is tracked as bug 18830. *** This bug has been marked as a duplicate of 18830 *** 99088 2 25223 zecke 2008-11-17 12:56:09 -0800 Created attachment 25223 Fix the symptopms.... Setting the review flag out of selfish motives to make sure people see that bug and poke me into the right direction. 99147 3 ap 2008-11-18 03:52:32 -0800 This bug is showing up in review queue, can the review flag be cleared now? 99149 4 25223 zecke 2008-11-18 04:43:09 -0800 Comment on attachment 25223 Fix the symptopms.... Clearing review flag... it is a duplicate and mitz knows the issue for quite some time. 25223 2008-11-17 12:56:09 -0800 2008-11-18 04:43:09 -0800 Fix the symptopms.... fix-symptoms.diff text/plain 677 zecke ZGlmZiAtLWdpdCBhL1dlYkNvcmUvc3ZnL1NWR0ZvbnQuY3BwIGIvV2ViQ29yZS9zdmcvU1ZHRm9u dC5jcHAKaW5kZXggMTRhZDVlYS4uODhjY2Q0NiAxMDA2NDQKLS0tIGEvV2ViQ29yZS9zdmcvU1ZH Rm9udC5jcHAKKysrIGIvV2ViQ29yZS9zdmcvU1ZHRm9udC5jcHAKQEAgLTI3MCw3ICsyNzAsNyBA QCBzdHJ1Y3QgU1ZHVGV4dFJ1bldhbGtlciB7CiAgICAgICAgICAgICAvLyBleHRlbmRlZCB0byB0 aGUgbi10aCBuZXh0IGNoYXJhY3RlciAod2hlcmUgbiBpcyAnY2hhcmFjdGVyTG9va3VwUmFuZ2Un KSwgdG8gY2hlY2sgZm9yIGFueSBwb3NzaWJsZSBsaWdhdHVyZS4KICAgICAgICAgICAgIGNoYXJh Y3Rlckxvb2t1cFJhbmdlID0gZW5kT2ZTY2FuUmFuZ2UgLSBpOwogCi0gICAgICAgICAgICBTdHJp bmcgbG9va3VwU3RyaW5nKHJ1bi5kYXRhKGkpLCBjaGFyYWN0ZXJMb29rdXBSYW5nZSk7CisgICAg ICAgICAgICBTdHJpbmcgbG9va3VwU3RyaW5nKHJ1bi5kYXRhKGkpLCBzdGQ6Om1pbihjaGFyYWN0 ZXJMb29rdXBSYW5nZSwgcnVuLmxlbmd0aCgpLWkpKTsKICAgICAgICAgICAgIFZlY3RvcjxTVkdH bHlwaElkZW50aWZpZXI+IGdseXBoczsKICAgICAgICAgICAgIGlmIChoYXZlQWx0R2x5cGgpCiAg ICAgICAgICAgICAgICAgZ2x5cGhzLmFwcGVuZChhbHRHbHlwaElkZW50aWZpZXIpOwo=