[Webkit-unassigned] [Bug 22321] New: SVGFonts and SVGRootInlineBox broken for RTL text (fonts-glyph-02-t.svg causes an ASSERT)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Nov 17 12:48:11 PST 2008 

https://bugs.webkit.org/show_bug.cgi?id=22321

           Summary: SVGFonts and SVGRootInlineBox broken for RTL text
                    (fonts-glyph-02-t.svg causes an ASSERT)
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Mac OS X 10.5
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: SVG
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: zecke at selfish.org


Revision r31310 introduced extraCharsAvailable to be able to do ligatures, etc.
There is a slight bug that leads to create a String from UChar* which reads
beyond the bounds.

SVGTextRunWalker::walk
   ASSERT(to + from == run.length());
   ^^^^
   const int endOfScanRange = to + m_walkerData.extraCharsAvailable;
   for (int i = from; i < to; ++i) {
       characterLookupRange = endOfScanRange - i;
       String lookupString(run.data(i), characterLookupRange);
                                        ^^^^ <- out of bounds now



SVGRootInlineBox::buildLayoutInformationForTextBox
  int extraCharsAvailable = length - i - 1;
  if (textBox->direction() == RTL) {
            glyphWidth = svgTextBox->calculateGlyphWidth(style, textBox->end()
- i, extraCharsAvailable, charsConsumed, glyphName);
            glyphHeight = svgTextBox->calculateGlyphHeight(style,
textBox->end() - i, extraCharsAvailable);
            unicodeStr = String(textBox->textObject()->text()->characters() +
textBox->end() - i, charsConsumed);

extraCharsAvailable is wrong, or at least wrong in the future. In SVGFont it
gets treated as how many chars are available to the right.. but in the first
iteration in the above loop:
   i = 0
   textBox->end() == length-1;

but we travel the text from right to left. This means in the first loop there
is not extra char available?! in the next one...?


Also SVGInlineTextBox::calculateGlyphWidth looks really weird:
   A Text run with size one is created but we pass the extraCharsAvailable...
this will work for LTR text but with RTL text (as in the above test case) we
will read out of the bounds of the string.


-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the webkit-unassigned mailing list