Crash when selecting the last character of the text

Bug #1803553 reported by Kas-fi
This bug affects 8 people
Affects: Inkscape
Status: Fix Released
Importance: High
Assigned to: Unassigned

Bug Description

Inkscape crashes on Fedora 29 when I try to click on an existing text object, but only when I click after the last character of the text. The error message written to the terminal is the following one:

/usr/include/c++/8/bits/stl_vector.h:950: std::vector<_Tp, _Alloc>::const_reference std::vector<_Tp, _Alloc>::operator[](std::vector<_Tp, _Alloc>::size_type) const [with _Tp = Inkscape::Text::Layout::Character; _Alloc = std::allocator<Inkscape::Text::Layout::Character>; std::vector<_Tp, _Alloc>::const_reference = const Inkscape::Text::Layout::Character&; std::vector<_Tp, _Alloc>::size_type = long unsigned int]: Assertion '__builtin_expect(__n < this->size(), true)' failed.

Emergency save activated!

Emergency save document locations:
  /home/kas/New document 1.2018_11_15_14_31_43.0.svg
Emergency save completed. Inkscape will close now.
If you can reproduce this crash, please file a bug at www.inkscape.org
with a detailed description of the steps leading to the crash, so we can fix it.
Aborted (core dumped)

Downstream bug report in Fedora bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1608371
Screencast with bug reproduction: https://bugzilla.redhat.com/attachment.cgi?id=1506073
My inkscape version: inkscape-0.92.3-5.fc29.x86_64

Tags: crash text
Max Gaukler (mgmax)
Changed in inkscape:
importance: Undecided → High
Revision history for this message
PapsOu (papsou) wrote :

I also confirm this bug with the same behavior.

It's very unusable when editing a document with many texts... (Like a resume)

Revision history for this message
Trevor Spiteri (tspiteri) wrote :

Reproducing a comment in the downstream bug:

I kept hitting this as well. After some digging, I found that:

* _cursorXOnLineToIterator is setting best_char_index == _characters.size()
* and then returning iterator(this, best_char_index),
* which has an initializer saying _glyph_index(p->_characters[c].in_glyph)

That is an out-of-bounds access of p->_characters, which I believe is causing the abort.

Revision history for this message
Gwyn Ciesla (limburgher) wrote :

This patch seems to correct the issue.

Revision history for this message
Gwyn Ciesla (limburgher) wrote :

But it prevents selection of the last two chars. Looking.

Revision history for this message
Gwyn Ciesla (limburgher) wrote :

Hmm. That's actually already an issue, it prevents the crash.

Revision history for this message
Gwyn Ciesla (limburgher) wrote :

s/it/but it/

Revision history for this message
Trevor Spiteri (tspiteri) wrote :

That patch disallows the legitimate case where best_char_index == _characters.size() - 1. I think better is this patch, which returns end() if the best index is equal to the size. I haven't tested this, as I'm having issues building in Fedora with the setup to abort on out-of-bounds access.
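
The two comments above (the out-of-bounds diagnosis and the proposed fix that returns end() when the best index equals the size) as an added, self-contained model in C++; this is not Inkscape's code, and Character, Iterator, Layout, bestCharIndexForX and the other names below are stand-ins invented for the illustration rather than the real Inkscape::Text::Layout API. The nearest-position search is written so that a click past the last character yields an index equal to the character count, the unchecked path reads at that index, and the checked path maps it to end() while leaving size() - 1 selectable:

```cpp
#include <cmath>
#include <cstddef>
#include <limits>
#include <stdexcept>
#include <utility>
#include <vector>

// Constructed stand-in for Inkscape::Text::Layout::Character (not the real
// struct): a character on a line has a start x, a width and the index of the
// glyph it was shaped into.
struct Character {
    double x;
    double width;
    unsigned in_glyph;
};

// Constructed stand-in for Layout::iterator. The real constructor caches
// p->_characters[c].in_glyph, which is the read that goes out of bounds.
struct Iterator {
    std::size_t char_index;
    unsigned glyph_index;
    bool is_end;
};

class Layout {
public:
    explicit Layout(std::vector<Character> chars) : characters_(std::move(chars)) {}

    std::size_t size() const { return characters_.size(); }

    // Position just after the last character, i.e. where a click "after the
    // last character of the text" lands.
    double lineEndX() const {
        if (characters_.empty()) return 0.0;
        const Character &last = characters_.back();
        return last.x + last.width;
    }

    // Models the search the report describes: candidate positions are the
    // start of every character plus the end of the line, so the nearest
    // candidate for a click past the last character is index size(), one past
    // the end of characters_.
    std::size_t bestCharIndexForX(double click_x) const {
        std::size_t best = 0;
        double best_dist = std::numeric_limits<double>::infinity();
        for (std::size_t i = 0; i <= characters_.size(); ++i) {
            double pos = (i < characters_.size()) ? characters_[i].x : lineEndX();
            double dist = std::fabs(pos - click_x);
            if (dist < best_dist) {
                best_dist = dist;
                best = i;
            }
        }
        return best;
    }

    // Unchecked path: build the iterator straight from the index. The real
    // code uses operator[], which is undefined behaviour for c == size() and
    // aborts under _GLIBCXX_ASSERTIONS as in the report; .at() is used here so
    // the out-of-bounds read is an observable exception instead of UB.
    Iterator iteratorUnchecked(std::size_t c) const {
        return Iterator{c, characters_.at(c).in_glyph, false};
    }

    Iterator end() const { return Iterator{characters_.size(), 0, true}; }

    // Checked path, following the approach described above: an index equal to
    // the size means "after the last character", so return end() rather than
    // dereferencing. size() - 1 is a real character and stays selectable.
    Iterator iteratorChecked(std::size_t c) const {
        if (c >= characters_.size()) return end();
        return iteratorUnchecked(c);
    }

private:
    std::vector<Character> characters_;
};

// Constructed sample line: three 10-unit-wide characters, one glyph each.
inline Layout sampleLayout() {
    return Layout({{0.0, 10.0, 0}, {10.0, 10.0, 1}, {20.0, 10.0, 2}});
}

// True when the unchecked path fails for a click at click_x, i.e. when the
// crash from the report reproduces on this model.
inline bool uncheckedPathFails(const Layout &layout, double click_x) {
    try {
        layout.iteratorUnchecked(layout.bestCharIndexForX(click_x));
        return false;
    } catch (const std::out_of_range &) {
        return true;
    }
}
```

The check is written as `c >= size()` rather than `c == size()` so that any larger index is also mapped to end() instead of being read; on the sample line a click at x = 31 produces index 3 (== size) and fails on the unchecked path, while a click at x = 21 produces index 2, the last character, which both paths return as a normal iterator.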

Revision history for this message
Trevor Spiteri (tspiteri) wrote :

This bug is fixed in gitlab merge request 488.

https://gitlab.com/inkscape/inkscape/merge_requests/488

Changed in inkscape:
status: New → Fix Committed
milestone: none → 1.0
Revision history for this message
Qantas94Heavy (qantas94heavy) wrote :
Changed in inkscape:
milestone: 1.0 → 0.92.5
Max Gaukler (mgmax)
Changed in inkscape:
status: Fix Committed → Fix Released