From 37a5a0e7f1e0303222e6349379a6943c60f3b5b8 Mon Sep 17 00:00:00 2001 From: Trevor Spiteri Date: Tue, 15 Jan 2019 18:57:17 +0100 Subject: out-of-bounds access on Enter in new text field https://bugzilla.redhat.com/show_bug.cgi?id=1575842 Reproduce using: 1. Select text tool (F8) 2. Click on empty canvas 3. Hit Enter --- src/libnrtype/Layout-TNG-OutIter.cpp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/libnrtype/Layout-TNG-OutIter.cpp b/src/libnrtype/Layout-TNG-OutIter.cpp index 77cedaa61..74b9494a6 100644 --- a/src/libnrtype/Layout-TNG-OutIter.cpp +++ b/src/libnrtype/Layout-TNG-OutIter.cpp @@ -183,6 +183,8 @@ Layout::iterator Layout::sourceToIterator(void *source_cookie /*, Glib::ustring: if (_input_stream[source_index]->Type() != TEXT_SOURCE) return iterator(this, char_index); + if (char_index >= _characters.size()) + return end(); return iterator(this, char_index); /* This code was never used, the text_iterator argument was "NULL" in all calling code InputStreamTextSource const *text_source = static_cast(_input_stream[source_index]); -- cgit v1.2.3 From 6b8b86ca248cc47128ee3646d7ce17d2c0720522 Mon Sep 17 00:00:00 2001 From: Trevor Spiteri Date: Tue, 15 Jan 2019 18:57:56 +0100 Subject: out-of-bounds access on clicking at end of text field https://bugzilla.redhat.com/show_bug.cgi?id=1608371 https://bugs.launchpad.net/inkscape/+bug/1803553 Reproduce using: 1. Select text tool (F8) 2. Click on empty canvas 3. Type "abc" 4. Click somewhere else 5. Click in first text field after "c" in "abc" --- src/libnrtype/Layout-TNG-OutIter.cpp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/libnrtype/Layout-TNG-OutIter.cpp b/src/libnrtype/Layout-TNG-OutIter.cpp index 74b9494a6..3dc5c3e4f 100644 --- a/src/libnrtype/Layout-TNG-OutIter.cpp +++ b/src/libnrtype/Layout-TNG-OutIter.cpp @@ -47,7 +47,10 @@ Layout::iterator Layout::_cursorXOnLineToIterator(unsigned line_index, double lo best_x_difference = this_x_difference; } } - if (best_char_index == -1) return iterator(this, char_index); + if (best_char_index == -1) + best_char_index = char_index; + if (best_char_index == _characters.size()) + return end(); return iterator(this, best_char_index); } -- cgit v1.2.3 From 5ed5cde1a9a0f7368e33d5ec38d9dbb9aa817af9 Mon Sep 17 00:00:00 2001 From: Trevor Spiteri Date: Tue, 15 Jan 2019 18:58:59 +0100 Subject: out-of-bounds access on Enter-up-down in new text field https://bugzilla.redhat.com/show_bug.cgi?id=1612618 Reproduce using: 1. Select text tool (F8) 2. Click on empty canvas 3. Hit Enter 4. Hit Up 5. Hit Down --- src/libnrtype/Layout-TNG-OutIter.cpp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/libnrtype/Layout-TNG-OutIter.cpp b/src/libnrtype/Layout-TNG-OutIter.cpp index 3dc5c3e4f..761d58245 100644 --- a/src/libnrtype/Layout-TNG-OutIter.cpp +++ b/src/libnrtype/Layout-TNG-OutIter.cpp @@ -789,7 +789,10 @@ bool Layout::iterator::nextLineCursor(int n) - _parent_layout->_chunks[_parent_layout->_spans[_parent_layout->_lineToSpan(line_index)].in_chunk].left_x; } _char_index = _parent_layout->_cursorXOnLineToIterator(line_index + n, _x_coordinate)._char_index; - _glyph_index = _parent_layout->_characters[_char_index].in_glyph; + if (_char_index == _parent_layout->_characters.size()) + _glyph_index = _parent_layout->_glyphs.size(); + else + _glyph_index = _parent_layout->_characters[_char_index].in_glyph; return true; } -- cgit v1.2.3 From 60e14d32a5be0f286271921cb4a3014a6db1595e Mon Sep 17 00:00:00 2001 From: Trevor Spiteri Date: Tue, 15 Jan 2019 18:59:12 +0100 Subject: out-of-bounds access on Enter-up-left in new text field Reproduce using: 1. Select text tool (F8) 2. Click on empty canvas 3. Hit Enter 4. Hit Up 5. Hit Left --- src/libnrtype/Layout-TNG-OutIter.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libnrtype/Layout-TNG-OutIter.cpp b/src/libnrtype/Layout-TNG-OutIter.cpp index 761d58245..1c20ac30b 100644 --- a/src/libnrtype/Layout-TNG-OutIter.cpp +++ b/src/libnrtype/Layout-TNG-OutIter.cpp @@ -503,7 +503,7 @@ void Layout::queryCursorShape(iterator const &it, Geom::Point &position, double if (it._glyph_index == -1) { rotation = 0.0; } else if(it._glyph_index == 0) { - rotation = _glyphs[0].rotation; + rotation = _glyphs.empty() ? 0.0 : _glyphs[0].rotation; } else{ rotation = _glyphs[it._glyph_index - 1].rotation; } -- cgit v1.2.3