Crash while editing truncated flowed text

Bug #1029690 reported by Thangalin
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
Inkscape | Fix Released | High | Mc |

Bug Description

1. Edit some existing text in Calibri font (90 point). E.g., "YOU'RE RIGHT"
2. Copy the "heavy check mark" from http://www.edlazorvfx.com/ysu/html/ascii.html
3. Position the text editing cursor between the two words.
4. Use CTRL+v to paste the heavy check mark.
5. Press the up-arrow.

Program received signal SIGSEGV, Segmentation fault.
0x000000000064bd4a in Inkscape::Text::Layout::iterator::prevLineCursor (
    this=0x344cc08, n=<value optimized out>)
    at libnrtype/Layout-TNG-OutIter.cpp:762
762 libnrtype/Layout-TNG-OutIter.cpp: No such file or directory.
        in libnrtype/Layout-TNG-OutIter.cpp

Inkscape 0.48 on Linux (Kubuntu).

Linux 2.6.35-30-generic #54-Ubuntu SMP Tue Jun 7 18:41:54 UTC 2011 x86_64 GNU/Linux

Tags: crash text
su_v (suv-lp) wrote :

> Inkscape 0.48 on Linux (Kubuntu).

Which version of Inkscape 0.48 do you have installed (see Inkscape menu 'Help > About Inkscape')?
Which distro version of Kubuntu (Ubuntu) do you have installed?

tags: added: crash
Changed in inkscape:
importance: Undecided → High
su_v (suv-lp) wrote :

Crash not reproduced with Inkscape 0.48.3.1 and 0.48+devel r11573 on OS X 10.7.4
(tested with both backends of GTK+ and Pango: X11, Quartz)

Other variations tested:
- copy&pasting the character from 'Glyphs' dialog (from 'Range: Dingbat')
- inserting the character via Unicode input method (Ctrl+U 2714)

su_v (suv-lp) wrote :

Font 'Calibri' used for repeating the 'Steps to reproduce' had been installed (extracted) from Microsoft's PowerPoint Viewer 2007:

Version: Version 1.02
Unique name: Microsoft: Calibri: 2005
Manufacturer: Microsoft Corporation
Designer: Luc(as) de Groot
Copyright: © 2006 Microsoft Corporation. All Rights Reserved.

su_v (suv-lp) wrote :

Since the 'Calibri' font I have installed doesn't include the Unicode symbol 'HEAVY CHECK MARK' itself, the actual glyph - used to render it on-canvas - is (silently) substituted; AFAICT from the fallback font (DejaVu Sans).

su_v (suv-lp) wrote :

SVG file used for the tests

su_v (suv-lp) wrote :

Searching the web, this bug filed for Inkscape 0.48.1 on RedHat seems to be about the same issue:
<https://bugzilla.redhat.com/show_bug.cgi?id=759010>

Thangalin (thangalin-deactivatedaccount) wrote :

$ cat /etc/issue
Ubuntu 10.10 \n \l

Inkscape 0.48+devel r10022

The SVG file attached to this bug won't produce the problem. I have attached a video showing how to reproduce the problem.

Pasting the glyph causes the text box to go red, indicating that there's text, but it cannot be shown (likely because the text box itself is too short to display the full text string).

At the end of the video, Inkscape will crash if I press the up arrow.

http://www.youtube.com/watch?v=KP5QY_JQ7QA

Thangalin (thangalin-deactivatedaccount) wrote :

Pasting the glyph is a red herring. I can just press the up arrow after changing the font size to 90px and cause a crash.

su_v (suv-lp)
summary: - Crash while text editing
+ Crash while editing truncated flowed text
su_v (suv-lp) wrote :

Crash reproduced with Inkscape 0.48+devel r11573 on OS X 10.7.4
(Glib 2.32.4, GTK+/X11 2.24.10, pango 1.30.1)

Steps:
1) create flowed text, type some text (neither font family nor font size matters)
2) decrease the frame of the flowed text (e.g. in height) until none of the text fits into the frame anymore (i.e. all text is truncated)
3) press up arrow key

-> crash

Changed in inkscape:
status: New → Confirmed
Martin Spacek (mspacek) wrote :

I can confirm the same behaviour in Inkscape 0.48.3.1 (0.48.3.1-1ubuntu6.1 package) in Xubuntu 12.10 (amd64). Reproducing it is easy. Just make a very small text box (I use FreeSans as my default typeface), change the typeface size to say 144 px, type some stuff in it (nothing shows up), then hit the up key. Crash! I get this in apport:

SegvAnalysis:
 Segfault happened at: 0x859a93 <_ZN8Inkscape4Text6Layout8iterator14prevLineCursorEi+147>: mov 0x10(%rax,%rcx,8),%edi
 PC (0x00859a93) ok
 source "0x10(%rax,%rcx,8)" (0x1808140b58) not located in a known VMA region (needed readable region)!
 destination "%edi" ok
SegvReason: reading unknown VMA
Title: inkscape crashed with SIGSEGV in Inkscape::Text::Layout::iterator::prevLineCursor()

Apport's .crash file (minus the huge core dump field) is attached.
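
The SegvAnalysis block in the comment above can be decoded mechanically for triage. The following is an added example, not part of the bug report and not code from Inkscape or apport; `demangle_nested` and `triage` are hypothetical names, and the demangler only handles plain nested names with built-in parameter types. It shows that the faulting symbol is the same `prevLineCursor` frame as in the original gdb trace and that the fault is a read through a scaled-index memory operand.

```python
import re

# Apport SegvAnalysis lines copied from the comment above.
SEGV_ANALYSIS = """\
 Segfault happened at: 0x859a93 <_ZN8Inkscape4Text6Layout8iterator14prevLineCursorEi+147>: mov 0x10(%rax,%rcx,8),%edi
 PC (0x00859a93) ok
 source "0x10(%rax,%rcx,8)" (0x1808140b58) not located in a known VMA region (needed readable region)!
 destination "%edi" ok
"""

BUILTIN = {"i": "int", "j": "unsigned int", "b": "bool", "v": ""}

def demangle_nested(sym):
    """Decode a plain Itanium-ABI nested name; None for templates, substitutions, etc."""
    if not sym.startswith("_ZN"):
        return None
    pos, parts = 3, []
    while pos < len(sym) and sym[pos].isdigit():
        digits = re.match(r"\d+", sym[pos:]).group()   # length prefix of the next identifier
        start = pos + len(digits)
        pos = start + int(digits)
        if pos > len(sym):
            return None
        parts.append(sym[start:pos])
    if not parts or sym[pos:pos + 1] != "E":
        return None
    params = [BUILTIN.get(c) for c in sym[pos + 1:]]
    if None in params:
        return None
    return "::".join(parts) + "(" + ", ".join(p for p in params if p) + ")"

def triage(text):
    """Extract the faulting function and the bad memory operand from SegvAnalysis."""
    out = {}
    m = re.search(r"Segfault happened at: (0x[0-9a-f]+) <(\w+)\+(\d+)>:\s+(.+)", text)
    if m:
        out.update(pc=int(m.group(1), 16), offset=int(m.group(3)), instruction=m.group(4).strip(),
                   function=demangle_nested(m.group(2)) or m.group(2))
    # A "source" operand outside every mapping is a bad read, a "destination" a bad write.
    m = re.search(r'(source|destination) "([^"]+)" \((0x[0-9a-f]+)\) not located', text)
    if m:
        out["fault"] = {"access": "read" if m.group(1) == "source" else "write",
                        "address": int(m.group(3), 16)}
        # AT&T memory operand: disp(%base,%index,scale); index and scale are optional.
        op = re.fullmatch(r"(-?(?:0x[0-9a-f]+|\d+))?\(%(\w+)(?:,%(\w+),(\d))?\)", m.group(2))
        if op:
            out["fault"].update(disp=int(op.group(1) or "0", 0), base=op.group(2),
                                index=op.group(3), scale=int(op.group(4) or 1))
    return out
```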

Martin Spacek (mspacek) wrote :

I've upgraded to 0.48.4 for quantal via the inkscape PPA (0.48.4+27~ubuntu12.10.1), and I still get the same crash. It does however seem a bit harder to trigger, maybe due to a change in shortcut key handling?

Martin Spacek (mspacek) wrote :

I also get this crash when testing the latest dev version (0.49~devel+13288+15~ubuntu12.10.1) from ppa:cafuego/inkscape.

ScislaC (scislac)
Changed in inkscape:
milestone: none → 0.91
su_v (suv-lp) wrote :

Moving to milestone 0.92: while a fix would be nice to have, it is not really a recent regression introduced in the 0.91.x series: the steps to reproduce in comment #9 also crash with stable 0.48.x builds.

Changed in inkscape:
milestone: 0.91 → 0.92
su_v (suv-lp) wrote :

Crash as described in comment #9:
- reproduced with rev <= 14126
- not reproduced with r14127

Closing as 'Fix committed' (bug #1391374 and this one - bug #1029690 - probably could have been marked as duplicate, at least they are fixed by the same commit).

Changed in inkscape:
assignee: nobody → Mc (mc...)
status: Confirmed → Fix Committed
su_v (suv-lp) wrote :

Fixed in 0.91.x by the backport of r14127 for bug #1391374 in rev 13791.

Changed in inkscape:
milestone: 0.92 → 0.91.1
jazzynico (jazzynico)
Changed in inkscape:
milestone: 0.91.1 → 0.92
status: Fix Committed → Fix Released