From de5393c04d3d36574c7117002730482497ce0730 Mon Sep 17 00:00:00 2001
From: Cameron McCormack <cam@mcc.id.au>
Date: Fri, 20 Dec 2013 15:26:28 +1100
Subject: [PATCH] Bug 952270 - Null check result of
 GetPathForLengthOrPositionMeasuring in nsSVGTextFrame2::GetTextPath.
 r=longsonr

---
 layout/svg/crashtests/952270-1.svg    |  9 +++++++
 layout/svg/crashtests/crashtests.list |  1 +
 layout/svg/nsSVGTextFrame2.cpp        | 34 +++++++++++++++------------
 3 files changed, 29 insertions(+), 15 deletions(-)
 create mode 100644 layout/svg/crashtests/952270-1.svg

diff --git a/layout/svg/crashtests/952270-1.svg b/layout/svg/crashtests/952270-1.svg
new file mode 100644
index 00000000000..69bac47d42d
--- /dev/null
+++ b/layout/svg/crashtests/952270-1.svg
@@ -0,0 +1,9 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+
+    <path id="path" transform="scale(2,1)" />
+
+    <text>
+        <textPath xlink:href="#path">F</textPath>
+    </text>
+
+</svg>
diff --git a/layout/svg/crashtests/crashtests.list b/layout/svg/crashtests/crashtests.list
index 1d8ac4167d7..644fe074f4c 100644
--- a/layout/svg/crashtests/crashtests.list
+++ b/layout/svg/crashtests/crashtests.list
@@ -177,3 +177,4 @@ load 897342-1.svg
 load 898909-1.svg
 load 898951-1.svg
 load 919371-1.xhtml
+load 952270-1.svg
diff --git a/layout/svg/nsSVGTextFrame2.cpp b/layout/svg/nsSVGTextFrame2.cpp
index 446f445ccc0..61f97c57dfa 100644
--- a/layout/svg/nsSVGTextFrame2.cpp
+++ b/layout/svg/nsSVGTextFrame2.cpp
@@ -4719,22 +4719,26 @@ nsSVGTextFrame2::GetTextPath(nsIFrame* aTextPathFrame)
 {
   nsIFrame *pathFrame = GetTextPathPathFrame(aTextPathFrame);
 
-  if (pathFrame) {
-    nsSVGPathGeometryElement *element =
-      static_cast<nsSVGPathGeometryElement*>(pathFrame->GetContent());
-
-    RefPtr<Path> path = element->GetPathForLengthOrPositionMeasuring();
-
-    gfxMatrix matrix = element->PrependLocalTransformsTo(gfxMatrix());
-    if (!matrix.IsIdentity()) {
-      RefPtr<PathBuilder> builder =
-        path->TransformedCopyToBuilder(ToMatrix(matrix));
-      path = builder->Finish();
-    }
-
-    return path.forget();
+  if (!pathFrame) {
+    return nullptr;
   }
-  return nullptr;
+
+  nsSVGPathGeometryElement *element =
+    static_cast<nsSVGPathGeometryElement*>(pathFrame->GetContent());
+
+  RefPtr<Path> path = element->GetPathForLengthOrPositionMeasuring();
+  if (!path) {
+    return nullptr;
+  }
+
+  gfxMatrix matrix = element->PrependLocalTransformsTo(gfxMatrix());
+  if (!matrix.IsIdentity()) {
+    RefPtr<PathBuilder> builder =
+      path->TransformedCopyToBuilder(ToMatrix(matrix));
+    path = builder->Finish();
+  }
+
+  return path.forget();
 }
 
 gfxFloat