Submitted By: Ken Moffat <ken at linuxfromscratch dot org>
Date: 2019-06-25
Initial Package Version: 0.92.4
Upstream Status: Applied
Origin: Upstream
Description: Fixes for out of bounds accesses in the fill bucket and text tools.
These issues are highlighted if -D_FORTIFY_SOURCE=2 is used (e.g. application
terminated when trying to use the fill tool).

commit 19225039b8667679c175e62f1faa29495b4ed547
Author: Nathan Lee <2431820-nathanal@users.noreply.gitlab.com>
Date:   Fri Apr 26 00:30:04 2019 +1000

    Add out of bound checks to fill bucket
    
    Fixes https://gitlab.com/inkscape/inbox/issues/398

commit 37a5a0e7f1e0303222e6349379a6943c60f3b5b8
Author: Trevor Spiteri <trevor.spiteri@um.edu.mt>
Date:   Tue Jan 15 18:57:17 2019 +0100

    out-of-bounds access on Enter in new text field
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1575842
    
    Reproduce using:
    1. Select text tool (F8)
    2. Click on empty canvas
    3. Hit Enter

commit 6b8b86ca248cc47128ee3646d7ce17d2c0720522
Author: Trevor Spiteri <trevor.spiteri@um.edu.mt>
Date:   Tue Jan 15 18:57:56 2019 +0100

    out-of-bounds access on clicking at end of text field
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1608371
    https://bugs.launchpad.net/inkscape/+bug/1803553
    
    Reproduce using:
    1. Select text tool (F8)
    2. Click on empty canvas
    3. Type "abc"
    4. Click somewhere else
    5. Click in first text field after "c" in "abc"

diff -Naur a/src/libnrtype/Layout-TNG-OutIter.cpp b/src/libnrtype/Layout-TNG-OutIter.cpp
--- a/src/libnrtype/Layout-TNG-OutIter.cpp	2019-01-15 04:29:27.000000000 +0000
+++ b/src/libnrtype/Layout-TNG-OutIter.cpp	2019-06-25 18:55:33.680796467 +0100
@@ -46,7 +46,10 @@
             best_x_difference = this_x_difference;
         }
     }
-    if (best_char_index == -1) return iterator(this, char_index);
+    if (best_char_index == -1)
+        best_char_index = char_index;
+    if (best_char_index == _characters.size())
+        return end();
     return iterator(this, best_char_index);
 }
 
@@ -182,6 +185,8 @@
     if (_input_stream[source_index]->Type() != TEXT_SOURCE)
         return iterator(this, char_index);
 
+    if (char_index >= _characters.size())
+        return end();
     return iterator(this, char_index);
     /* This code was never used, the text_iterator argument was "NULL" in all calling code
     InputStreamTextSource const *text_source = static_cast<InputStreamTextSource const *>(_input_stream[source_index]);
diff -Naur a/src/ui/tools/flood-tool.cpp b/src/ui/tools/flood-tool.cpp
--- a/src/ui/tools/flood-tool.cpp	2019-01-15 04:29:27.000000000 +0000
+++ b/src/ui/tools/flood-tool.cpp	2019-06-25 18:55:14.064888807 +0100
@@ -630,7 +630,7 @@
     bool can_paint_top = (top_ty > 0);
     bool can_paint_bottom = (bottom_ty < bci.height);
 
-    Geom::Point t = fill_queue->front();
+    Geom::Point front_of_queue = fill_queue->empty() ? Geom::Point() : fill_queue->front();
 
     do {
         ok = false;
@@ -648,8 +648,11 @@
                 paint_directions = paint_pixel(px, trace_px, orig_color, bci, current_trace_t);
                 if (bci.radius == 0) {
                     mark_pixel_checked(current_trace_t);
-                    if ((t[Geom::X] == bci.x) && (t[Geom::Y] == bci.y)) {
-                        fill_queue->pop_front(); t = fill_queue->front();
+                    if ((!fill_queue->empty()) &&
+                        (front_of_queue[Geom::X] == bci.x) &&
+                        (front_of_queue[Geom::Y] == bci.y)) {
+                        fill_queue->pop_front();
+                        front_of_queue = fill_queue->empty() ? Geom::Point() : fill_queue->front();
                     }
                 }