Bug 849688 - Crash with getStartPositionOfChar when argument is out of range. r=dholbert

layout/svg/crashtests/849688-1.svg

@@ -0,0 +1,11 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+
+<text></text>
+
+<script>
+window.addEventListener("load", function() {
+    document.getElementsByTagName('text')[0].getStartPositionOfChar(1);
+}, false);
+</script>
+
+</svg>

layout/svg/crashtests/849688-2.svg

@@ -0,0 +1,11 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+
+<text>X</text>
+
+<script>
+window.addEventListener("load", function() {
+    document.getElementsByTagName('text')[0].getStartPositionOfChar(2);
+}, false);
+</script>
+
+</svg>

layout/svg/crashtests/crashtests.list

@@ -157,3 +157,5 @@ load 842009-1.svg
 load 842909-1.svg
 load 843072-1.svg
 load 847139-1.svg
+load 849688-1.svg
+load 849688-2.svg

layout/svg/nsSVGTextFrame2.cpp

@@ -3618,11 +3618,6 @@ nsSVGTextFrame2::GetComputedTextLength(nsIContent* aContent)
 {
   UpdateGlyphPositioning(false);
 
-  nsIFrame* kid = GetFirstPrincipalChild();
-  if (!kid) {
-    return 0.0f;
-  }
-
   float cssPxPerDevPx = PresContext()->
     AppUnitsToFloatCSSPixels(PresContext()->AppUnitsPerDevPixel());
 
@@ -3647,18 +3642,13 @@ nsSVGTextFrame2::GetSubStringLength(nsIContent* aContent,
 {
   UpdateGlyphPositioning(false);
 
-  nsIFrame* kid = GetFirstPrincipalChild();
-  if (!kid) {
-    return 0.0f;
-  }
-
   // Convert charnum/nchars from addressable characters relative to
   // aContent to global character indices.
   CharIterator chit(this, CharIterator::eAddressable, aContent);
   if (!chit.AdvanceToSubtree() ||
+      chit.AtEnd() ||
       !chit.Next(charnum) ||
-      chit.IsAfterSubtree() ||
-      chit.AtEnd()) {
+      chit.IsAfterSubtree()) {
     return 0.0f;
   }
   charnum = chit.TextElementCharIndex();
@@ -3717,11 +3707,6 @@ nsSVGTextFrame2::GetCharNumAtPosition(nsIContent* aContent,
 {
   UpdateGlyphPositioning(false);
 
-  nsIFrame* kid = GetFirstPrincipalChild();
-  if (!kid) {
-    return 0.0f;
-  }
-
   nsPresContext* context = PresContext();
 
   gfxPoint p(aPoint->X(), aPoint->Y());
@@ -3757,8 +3742,8 @@ nsSVGTextFrame2::GetStartPositionOfChar(nsIContent* aContent,
 
   CharIterator it(this, CharIterator::eAddressable, aContent);
   if (!it.AdvanceToSubtree() ||
-      !it.Next(aCharNum) ||
-      it.AtEnd()) {
+      it.AtEnd() ||
+      !it.Next(aCharNum)) {
     return NS_ERROR_DOM_INDEX_SIZE_ERR;
   }
 
@@ -3782,8 +3767,8 @@ nsSVGTextFrame2::GetEndPositionOfChar(nsIContent* aContent,
 
   CharIterator it(this, CharIterator::eAddressable, aContent);
   if (!it.AdvanceToSubtree() ||
-      !it.Next(aCharNum) ||
-      it.AtEnd()) {
+      it.AtEnd() ||
+      !it.Next(aCharNum)) {
     return NS_ERROR_DOM_INDEX_SIZE_ERR;
   }
 
@@ -3820,8 +3805,8 @@ nsSVGTextFrame2::GetExtentOfChar(nsIContent* aContent,
 
   CharIterator it(this, CharIterator::eAddressable, aContent);
   if (!it.AdvanceToSubtree() ||
-      !it.Next(aCharNum) ||
-      it.AtEnd()) {
+      it.AtEnd() ||
+      !it.Next(aCharNum)) {
     return NS_ERROR_DOM_INDEX_SIZE_ERR;
   }
 
@@ -3872,8 +3857,8 @@ nsSVGTextFrame2::GetRotationOfChar(nsIContent* aContent,
 
   CharIterator it(this, CharIterator::eAddressable, aContent);
   if (!it.AdvanceToSubtree() ||
-      !it.Next(aCharNum) ||
-      it.AtEnd()) {
+      it.AtEnd() ||
+      !it.Next(aCharNum)) {
     return NS_ERROR_DOM_INDEX_SIZE_ERR;
   }