[WinCairo] Crash when font data pointer is null.
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 5 Jan 2015 15:05:46 +0000 (15:05 +0000)
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 5 Jan 2015 15:05:46 +0000 (15:05 +0000)
https://bugs.webkit.org/show_bug.cgi?id=139969

Patch by peavo@outlook.com <peavo@outlook.com> on 2015-01-05
Reviewed by Darin Adler.

Source/WebCore:

Added null pointer check.

Test: fonts/unicode-character-font-crash.html

* platform/graphics/win/UniscribeController.cpp:
(WebCore::UniscribeController::advance):
(WebCore::UniscribeController::shape):

LayoutTests:

* fonts/unicode-character-font-crash-expected.txt: Added.
* fonts/unicode-character-font-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@177909 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fonts/unicode-character-font-crash-expected.txt [new file with mode: 0644]
LayoutTests/fonts/unicode-character-font-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/platform/graphics/win/UniscribeController.cpp

index 688fab7..5089ad3 100644 (file)
@@ -1,3 +1,13 @@
+2015-01-05  peavo@outlook.com  <peavo@outlook.com>
+
+        [WinCairo] Crash when font data pointer is null.
+        https://bugs.webkit.org/show_bug.cgi?id=139969
+
+        Reviewed by Darin Adler.
+
+        * fonts/unicode-character-font-crash-expected.txt: Added.
+        * fonts/unicode-character-font-crash.html: Added.
+
 2015-01-04  Alexey Proskuryakov  <ap@apple.com>
 
         fast/events/autoscroll-should-not-stop-on-keypress.html is flaky in debug builds
diff --git a/LayoutTests/fonts/unicode-character-font-crash-expected.txt b/LayoutTests/fonts/unicode-character-font-crash-expected.txt
new file mode 100644 (file)
index 0000000..5f43671
--- /dev/null
@@ -0,0 +1,5 @@
+Test case for bug 139969: [WinCairo] Crash when font data pointer is null.
+
+This test passes if it does not crash.
+
+⟩
diff --git a/LayoutTests/fonts/unicode-character-font-crash.html b/LayoutTests/fonts/unicode-character-font-crash.html
new file mode 100644 (file)
index 0000000..413d9e2
--- /dev/null
@@ -0,0 +1,19 @@
+<html>
+
+<head>
+<style>
+.texhtml{-webkit-font-feature-settings:"lnum","tnum"}
+</style>
+</head>
+
+<body>
+<p>Test case for <a href="http://bugs.webkit.org/show_bug.cgi?id=139969">bug 139969</a>: [WinCairo] Crash when font data pointer is null.</p>
+<p>This test passes if it does not crash.</p>
+<span class="texhtml">⟩</span>
+<script>
+if (window.testRunner)
+  testRunner.dumpAsText();
+</script>
+</body>
+
+</html>
index a3d920a..acc5188 100644 (file)
@@ -1,3 +1,18 @@
+2015-01-05  peavo@outlook.com  <peavo@outlook.com>
+
+        [WinCairo] Crash when font data pointer is null.
+        https://bugs.webkit.org/show_bug.cgi?id=139969
+
+        Reviewed by Darin Adler.
+
+        Added null pointer check.
+
+        Test: fonts/unicode-character-font-crash.html
+
+        * platform/graphics/win/UniscribeController.cpp:
+        (WebCore::UniscribeController::advance):
+        (WebCore::UniscribeController::shape):
+
 2015-01-05  Michael Catanzaro  <mcatanzaro@igalia.com>
 
         [GStreamer] Disable gst-plugin-scanner if seccomp filters are enabled
index 8927058..8abbfeb 100644 (file)
@@ -165,7 +165,7 @@ void UniscribeController::advance(unsigned offset, GlyphBuffer* glyphBuffer)
                 smallCapsBuffer[index] = forceSmallCaps ? c : newC;
         }
 
-        if (m_fallbackFonts && nextFontData != fontData && fontData != m_font.primaryFont())
+        if (m_fallbackFonts && fontData && nextFontData != fontData && fontData != m_font.primaryFont())
             m_fallbackFonts->add(fontData);
 
         if (nextFontData != fontData || nextIsSmallCaps != isSmallCaps) {
@@ -179,7 +179,7 @@ void UniscribeController::advance(unsigned offset, GlyphBuffer* glyphBuffer)
     
     int itemLength = m_run.rtl() ? indexOfFontTransition + 1 : length - indexOfFontTransition;
     if (itemLength) {
-        if (m_fallbackFonts && nextFontData != m_font.primaryFont())
+        if (m_fallbackFonts && nextFontData && nextFontData != m_font.primaryFont())
             m_fallbackFonts->add(nextFontData);
 
         int itemStart = m_run.rtl() ? 0 : indexOfFontTransition;
@@ -412,6 +412,10 @@ bool UniscribeController::shape(const UChar* str, int len, SCRIPT_ITEM item, con
     HFONT oldFont = 0;
     HRESULT shapeResult = E_PENDING;
     int glyphCount = 0;
+
+    if (!fontData)
+        return false;
+
     do {
         shapeResult = ScriptShape(hdc, fontData->scriptCache(), str, len, glyphs.size(), &item.a,
                                   glyphs.data(), clusters.data(), visualAttributes.data(), &glyphCount);
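Review bot: In the `shape` hunk the new guard `if (!fontData) return false;` is placed after `oldFont`, `shapeResult` and `glyphCount` are initialized; as a guard clause it reads better, and does no dead work on the early-exit path, if it precedes those locals, ideally as the first statement of shape() (the function's opening is outside the hunk). Nothing in the hunk says when fontData can be null, so a one-line reason would help the next reader, e.g. `// fontData is null when no font provides this character (bug 139969); refuse to shape rather than dereference it.` — the "no font provides this character" part is presumably what the test's single unusual character exercises and should be confirmed before the comment is written that way. Returning false turns a null font into a shaping failure instead of a crash, but how the caller of shape() treats a false return, and whether the glyph buffer handed to advance() stays consistent on that path, lies outside the hunk and is worth checking. In the two advance() hunks the added null checks cover only the `m_fallbackFonts->add()` calls; the following `nextFontData != fontData` comparison is null-safe, but any later dereference of fontData in advance() is not visible here.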