From 1f06c9154675fb6f956ecfadcf9dcdf790413c8e Mon Sep 17 00:00:00 2001
From: Matthias Clasen <mclasen@redhat.com>
Date: Tue, 9 Jun 2020 11:23:44 -0400
Subject: layout: Fix a crash

pango_layout_get_effective_attributes can return
NULL. But not all callers were handling that.
---
 pango/pango-layout.c | 28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)

diff --git a/pango/pango-layout.c b/pango/pango-layout.c
index 24444ed4..6d4d94cb 100644
--- a/pango/pango-layout.c
+++ b/pango/pango-layout.c
@@ -3083,17 +3083,22 @@ ensure_tab_width (PangoLayout *layout)
       PangoAttribute *attr;
       PangoAttrList *layout_attrs;
       PangoAttrList tmp_attrs;
-      PangoAttrIterator iter;
       PangoFontDescription *font_desc = pango_font_description_copy_static (pango_context_get_font_description (layout->context));
-      PangoLanguage *language;
+      PangoLanguage *language = NULL;
       PangoShapeFlags shape_flags = PANGO_SHAPE_NONE;
 
       if (pango_context_get_round_glyph_positions (layout->context))
         shape_flags |= PANGO_SHAPE_ROUND_POSITIONS;
 
       layout_attrs = pango_layout_get_effective_attributes (layout);
-      _pango_attr_list_get_iterator (layout_attrs, &iter);
-      pango_attr_iterator_get_font (&iter, font_desc, &language, NULL);
+      if (layout_attrs)
+        {
+          PangoAttrIterator iter;
+
+          _pango_attr_list_get_iterator (layout_attrs, &iter);
+          pango_attr_iterator_get_font (&iter, font_desc, &language, NULL);
+          _pango_attr_iterator_destroy (&iter);
+        }
 
       _pango_attr_list_init (&tmp_attrs);
 
@@ -3102,19 +3107,18 @@ ensure_tab_width (PangoLayout *layout)
       pango_attr_list_insert_before (&tmp_attrs, attr);
 
       if (language)
-	{
-	  attr = pango_attr_language_new (language);
-	  pango_attr_list_insert_before (&tmp_attrs, attr);
-	}
+        {
+          attr = pango_attr_language_new (language);
+          pango_attr_list_insert_before (&tmp_attrs, attr);
+        }
 
       items = pango_itemize (layout->context, " ", 0, 1, &tmp_attrs, NULL);
 
-      _pango_attr_iterator_destroy (&iter);
       if (layout_attrs != layout->attrs)
         {
-	  pango_attr_list_unref (layout_attrs);
-	  layout_attrs = NULL;
-	}
+          pango_attr_list_unref (layout_attrs);
+          layout_attrs = NULL;
+        }
       _pango_attr_list_destroy (&tmp_attrs);
 
       item = items->data;
-- 
cgit v1.2.1


From 2751956b09f8f4dbedc07f2e0653419bfd9875ff Mon Sep 17 00:00:00 2001
From: Matthias Clasen <mclasen@redhat.com>
Date: Tue, 9 Jun 2020 11:41:43 -0400
Subject: Add a test for a crash in shape_tab

This verifies the fix in the previous commit.
---
 tests/meson.build |  1 +
 tests/testmisc.c  | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 tests/testmisc.c

diff --git a/tests/meson.build b/tests/meson.build
index 9b78fbfd..234fbf63 100644
--- a/tests/meson.build
+++ b/tests/meson.build
@@ -20,6 +20,7 @@ tests = [
   [ 'testboundaries' ],
   [ 'testboundaries_ucd' ],
   [ 'testcolor' ],
+  [ 'testmisc', [ 'testmisc.c' ], [ libpangocairo_dep ] ],
   [ 'testscript' ],
   [ 'test-harfbuzz', [ 'test-harfbuzz.c' ], [ libpangocairo_dep ] ],
   [ 'cxx-test', [ 'cxx-test.cpp' ], [ libpangocairo_dep ] ],
diff --git a/tests/testmisc.c b/tests/testmisc.c
new file mode 100644
index 00000000..3e629f24
--- /dev/null
+++ b/tests/testmisc.c
@@ -0,0 +1,49 @@
+/* Pango
+ * testmisc.c: Test program for miscellaneous things
+ *
+ * Copyright (C) 2020 Matthias Clasen
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.	 See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public
+ * License along with this library; if not, write to the
+ * Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+ * Boston, MA 02111-1307, USA.
+ */
+
+#include "config.h"
+#include <glib.h>
+#include <pango/pangocairo.h>
+
+static void
+test_shape_tab_crash (void)
+{
+  PangoContext *context;
+  PangoLayout *layout;
+
+  context = pango_font_map_create_context (pango_cairo_font_map_get_default ());
+  layout = pango_layout_new (context);
+  pango_layout_set_text (layout, "one\ttwo", -1);
+  pango_layout_is_ellipsized (layout);
+
+  g_object_unref (layout);
+  g_object_unref (context);
+}
+
+int
+main (int argc, char *argv[])
+{
+  g_test_init (&argc, &argv, NULL);
+
+  g_test_add_func ("/layout/shape-tab-crash", test_shape_tab_crash);
+
+  return g_test_run ();
+}
-- 
cgit v1.2.1