commit 4ea46b71ac0fb08e989d0fb19ebb2db32c8a256b
author Florin Malita <fmalita@chromium.org> Thu Jan 14 12:17:36 2021 -0500
committer Skia Commit-Bot <skia-commit-bot@chromium.org> Thu Jan 14 19:03:25 2021 +0000
tree e5b46a62b4819d70b4737bd54947e4f85f12129a
parent 4a2d651243c42c6b63f53024213f8d6417edaab2

[svg] Fix null text context crash

The input may contain invalid text constructs lacking a root <text> node
e.g.  <svg><tspan>foo</tspan></svg>

Since we don't perform content model validation at the moment and text
contexts are only instantiated for root nodes, we must guard against
this case at render time.

Bug: oss-fuzz:29558
Change-Id: I7e39c1c4048900ce5becb3549802dc66bb1d242b
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/353711
Commit-Queue: Florin Malita <fmalita@chromium.org>
Commit-Queue: Florin Malita <fmalita@google.com>
Reviewed-by: Tyler Denniston <tdenniston@google.com>

modules/svg/src/SkSVGText.cpp

diff --git a/modules/svg/src/SkSVGText.cpp b/modules/svg/src/SkSVGText.cpp
index 37f604f..b7398d7 100644
--- a/modules/svg/src/SkSVGText.cpp
+++ b/modules/svg/src/SkSVGText.cpp
@@ -506,6 +506,11 @@
 
 void SkSVGTextContainer::onRenderText(const SkSVGRenderContext& ctx, SkSVGTextContext* tctx,
                                       SkSVGXmlSpace) const {
+    if (!tctx) {
+        // No text context => missing top-level <text> node.
+        return;
+    }
+
     const SkSVGTextContext::ScopedPosResolver resolver(*this, ctx.lengthContext(), tctx);
 
     for (const auto& frag : fChildren) {