Bug 16996 - Crash in createFontCustomPlatformData when loading 0-byte font via @font-face
Summary: Crash in createFontCustomPlatformData when loading 0-byte font via @font-face
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Major
Assignee: Adam Roben (:aroben)
Reported: 2008-01-24 14:54 PST by Adam Roben (:aroben)
Modified: 2008-01-24 15:14 PST

Attachments
testcase (will crash when loaded) (282 bytes, text/html)
2008-01-24 14:54 PST, Adam Roben (:aroben)
no flags
patch with test and changelog (4.81 KB, patch)
2008-01-24 15:10 PST, Adam Roben (:aroben)
hyatt: review+
Description Adam Roben (:aroben) 2008-01-24 14:54:16 PST
Loading a page with an @font-face rule like so:

@font-face {
   font-family: EmptyFont;
   src: url(data:application/x-truetype-font,) format(truetype);
}

causes the following crash (the SharedBuffer is null):

 	WebKit_debug.dll!WTF::Vector<char,0>::size()  Line 422 + 0x11 bytes	C++
 	WebKit_debug.dll!WebCore::SharedBuffer::size()  Line 51	C++
>	WebKit_debug.dll!WebCore::createFontCustomPlatformData(WebCore::SharedBuffer * buffer=0x00000000)  Line 67 + 0xe bytes	C++
 	WebKit_debug.dll!WebCore::CachedFont::ensureCustomFontData()  Line 88 + 0x14 bytes	C++
 	WebKit_debug.dll!WebCore::CSSFontFaceSource::getFontData(const WebCore::FontDescription & fontDescription={...}, bool syntheticBold=false, bool syntheticItalic=false, WebCore::CSSFontSelector * fontSelector=0x04ba47d0)  Line 126 + 0xb bytes	C++
 	WebKit_debug.dll!WebCore::CSSFontFace::getFontData(const WebCore::FontDescription & fontDescription={...}, bool syntheticBold=false, bool syntheticItalic=false)  Line 84 + 0x2e bytes	C++
 	WebKit_debug.dll!WebCore::CSSSegmentedFontFace::getFontData(const WebCore::FontDescription & fontDescription={...}, bool syntheticBold=false, bool syntheticItalic=false)  Line 125 + 0x34 bytes	C++
 	WebKit_debug.dll!WebCore::CSSFontSelector::getFontData(const WebCore::FontDescription & fontDescription={...}, const WebCore::AtomicString & familyName={...})  Line 359 + 0x1b bytes	C++
 	WebKit_debug.dll!WebCore::FontCache::getFontData(const WebCore::Font & font={...}, int & familyIndex=1, WebCore::FontSelector * fontSelector=0x04ba47d0)  Line 237 + 0x21 bytes	C++
 	WebKit_debug.dll!WebCore::FontFallbackList::fontDataAt(const WebCore::Font * font=0x04ab0c88, unsigned int realizedFontIndex=0)  Line 85 + 0x1c bytes	C++
 	WebKit_debug.dll!WebCore::FontFallbackList::primaryFont(const WebCore::Font * f=0x04ab0c88)  Line 56 + 0x1c bytes	C++
 	WebKit_debug.dll!WebCore::FontFallbackList::determinePitch(const WebCore::Font * font=0x04ab0c88)  Line 57 + 0xc bytes	C++
 	WebKit_debug.dll!WebCore::FontFallbackList::isFixedPitch(const WebCore::Font * f=0x04ab0c88)  Line 48 + 0x23 bytes	C++
 	WebKit_debug.dll!WebCore::Font::isFixedPitch()  Line 542	C++
 	WebKit_debug.dll!WebCore::RenderText::widthFromCache(const WebCore::Font & f={...}, int start=0, int len=12, int xPos=0)  Line 408 + 0x8 bytes	C++
 	WebKit_debug.dll!WebCore::RenderText::width(unsigned int from=0, unsigned int len=12, const WebCore::Font & f={...}, int xPos=0)  Line 1042 + 0x18 bytes	C++
 	WebKit_debug.dll!WebCore::RenderBlock::findNextLineBreak(WebCore::BidiIterator & start={...}, WebCore::BidiResolver<WebCore::BidiIterator,WebCore::BidiRun> & bidi={...})  Line 1647 + 0x37 bytes	C++
 	WebKit_debug.dll!WebCore::RenderBlock::layoutInlineChildren(bool relayoutChildren=false, int & repaintTop=0, int & repaintBottom=0)  Line 969 + 0x1a bytes	C++
 	WebKit_debug.dll!WebCore::RenderBlock::layoutBlock(bool relayoutChildren=false)  Line 583	C++
 	WebKit_debug.dll!WebCore::RenderBlock::layout()  Line 492 + 0x14 bytes	C++
 	WebKit_debug.dll!WebCore::RenderObject::layoutIfNeeded()  Line 489 + 0x30 bytes	C++
 	WebKit_debug.dll!WebCore::RenderBlock::layoutBlockChildren(bool relayoutChildren=false, int & maxFloatBottom=0)  Line 1232	C++
 	WebKit_debug.dll!WebCore::RenderBlock::layoutBlock(bool relayoutChildren=false)  Line 587	C++
 	WebKit_debug.dll!WebCore::RenderBlock::layout()  Line 492 + 0x14 bytes	C++
 	WebKit_debug.dll!WebCore::RenderObject::layoutIfNeeded()  Line 489 + 0x30 bytes	C++
 	WebKit_debug.dll!WebCore::RenderBlock::layoutBlockChildren(bool relayoutChildren=false, int & maxFloatBottom=0)  Line 1232	C++
 	WebKit_debug.dll!WebCore::RenderBlock::layoutBlock(bool relayoutChildren=false)  Line 587	C++
 	WebKit_debug.dll!WebCore::RenderBlock::layout()  Line 492 + 0x14 bytes	C++
 	WebKit_debug.dll!WebCore::RenderObject::layoutIfNeeded()  Line 489 + 0x30 bytes	C++
 	WebKit_debug.dll!WebCore::RenderBlock::layoutBlockChildren(bool relayoutChildren=false, int & maxFloatBottom=0)  Line 1232	C++
 	WebKit_debug.dll!WebCore::RenderBlock::layoutBlock(bool relayoutChildren=false)  Line 587	C++
 	WebKit_debug.dll!WebCore::RenderBlock::layout()  Line 492 + 0x14 bytes	C++
 	WebKit_debug.dll!WebCore::RenderView::layout()  Line 114	C++
 	WebKit_debug.dll!WebCore::FrameView::layout(bool allowSubtree=true)  Line 465 + 0x12 bytes	C++
 	WebKit_debug.dll!WebCore::Document::updateLayout()  Line 1152	C++
 	WebKit_debug.dll!WebCore::RenderLayer::hitTest(const WebCore::HitTestRequest & request={...}, WebCore::HitTestResult & result={...})  Line 1639	C++
 	WebKit_debug.dll!WebCore::Document::prepareMouseEvent(const WebCore::HitTestRequest & request={...}, const WebCore::IntPoint & documentPoint={...}, const WebCore::PlatformMouseEvent & event={...})  Line 1848	C++
 	WebKit_debug.dll!WebCore::EventHandler::prepareMouseEvent(const WebCore::HitTestRequest & request={...}, const WebCore::PlatformMouseEvent & mev={...})  Line 1229 + 0x21 bytes	C++
 	WebKit_debug.dll!WebCore::EventHandler::handleMouseMoveEvent(const WebCore::PlatformMouseEvent & mouseEvent={...}, WebCore::HitTestResult * hoveredNode=0x0012f664)  Line 998	C++
 	WebKit_debug.dll!WebCore::EventHandler::mouseMoved(const WebCore::PlatformMouseEvent & event={...})  Line 950 + 0x10 bytes	C++
 	WebKit_debug.dll!WebView::handleMouseEvent(unsigned int message=512, unsigned int wParam=0, long lParam=4849836)  Line 1217 + 0x1d bytes	C++
 	WebKit_debug.dll!WebViewWndProc(HWND__ * hWnd=0x00070406, unsigned int message=512, unsigned int wParam=0, long lParam=4849836)  Line 1635 + 0x14 bytes	C++
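The failure mode above is a resource that loads "successfully" with zero bytes, so the loader hands the font code a null SharedBuffer and createFontCustomPlatformData calls size() on it. The following is an added example, not WebKit's code and not the patch attached to this bug: a small C++ model of the CachedFont / createFontCustomPlatformData pair in which the platform-data factory rejects a null, empty or truncated buffer before touching it, and the cache records the failure so layout does not retry on every text measurement. The class names mirror the frames in the stack trace, but the bodies, the sfnt header checks and the sample font bytes are hypothetical and constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <string>
#include <vector>

// Stand-in for WebCore::SharedBuffer: the body of a loaded resource.
struct SharedBuffer {
    std::vector<char> bytes;
    size_t size() const { return bytes.size(); }
    const char* data() const { return bytes.data(); }
};

// Stand-in for the platform font handle built from raw font bytes.
struct FontCustomPlatformData {
    uint32_t sfntVersion;
    uint16_t numTables;
};

// Hypothetical guarded factory. A null buffer (the 0-byte data: URL case in
// this report), an empty buffer, or one too short for the 12-byte sfnt offset
// table yields nullptr instead of a dereference of a null pointer.
std::unique_ptr<FontCustomPlatformData> createFontCustomPlatformData(const SharedBuffer* buffer) {
    if (!buffer || buffer->size() < 12)
        return nullptr;
    const unsigned char* p = reinterpret_cast<const unsigned char*>(buffer->data());
    uint32_t version = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
    uint16_t numTables = (uint16_t)((p[4] << 8) | p[5]);
    // Accept TrueType (0x00010000), Apple 'true' and CFF-flavoured 'OTTO' only.
    if (version != 0x00010000 && version != 0x74727565 && version != 0x4F54544F)
        return nullptr;
    // Every 16-byte table directory entry must lie inside the resource.
    if (buffer->size() < 12 + size_t(numTables) * 16)
        return nullptr;
    return std::unique_ptr<FontCustomPlatformData>(new FontCustomPlatformData{version, numTables});
}

// Model of CachedFont: owns the (possibly null) body and creates the platform
// data lazily, remembering failure so the font falls back instead of crashing.
class CachedFont {
public:
    explicit CachedFont(std::unique_ptr<SharedBuffer> data) : m_data(std::move(data)) {}
    bool ensureCustomFontData() {
        if (!m_fontData && !m_errorOccurred) {
            m_fontData = createFontCustomPlatformData(m_data.get());
            if (!m_fontData)
                m_errorOccurred = true;
        }
        return m_fontData != nullptr;
    }
    bool errorOccurred() const { return m_errorOccurred; }
private:
    std::unique_ptr<SharedBuffer> m_data;
    std::unique_ptr<FontCustomPlatformData> m_fontData;
    bool m_errorOccurred = false;
};

// Model of the loader: an empty response body produces no SharedBuffer at all,
// which is how the null pointer in the stack trace arises.
std::unique_ptr<SharedBuffer> bufferFromResponseBody(const std::string& body) {
    if (body.empty())
        return nullptr;
    auto buf = std::make_unique<SharedBuffer>();
    buf->bytes.assign(body.begin(), body.end());
    return buf;
}

// Constructed sample: a 12-byte sfnt offset table, version 0x00010000, no tables.
std::string minimalTrueType() {
    std::string s(12, '\0');
    s[1] = '\x01';
    return s;
}

int main() {
    CachedFont empty(bufferFromResponseBody(""));           // the 0-byte font
    CachedFont real(bufferFromResponseBody(minimalTrueType()));
    bool emptyLoaded = empty.ensureCustomFontData();        // false, no crash
    bool realLoaded = real.ensureCustomFontData();          // true
    return (!emptyLoaded && empty.errorOccurred() && realLoaded) ? 0 : 1;
}
```

The null check is the one-line fix; the size checks are the natural next step, because a buffer that is non-null but shorter than the header it claims is the same class of bug one level down.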
Comment 1 Adam Roben (:aroben) 2008-01-24 14:54:51 PST
Created attachment 18646 [details]
testcase (will crash when loaded)
Comment 2 Adam Roben (:aroben) 2008-01-24 15:04:13 PST
I have a patch for this.
Comment 3 Adam Roben (:aroben) 2008-01-24 15:10:11 PST
Created attachment 18647 [details]
patch with test and changelog
Comment 4 Dave Hyatt 2008-01-24 15:11:43 PST
Comment on attachment 18647 [details]
patch with test and changelog

r=me
Comment 5 Adam Roben (:aroben) 2008-01-24 15:14:46 PST
Committed as r29780.