Fix handling of malformed surrogate pairs for break-all

third_party/WebKit/Source/core/layout/LayoutText.cpp

Index: third_party/WebKit/Source/core/layout/LayoutText.cpp
diff --git a/third_party/WebKit/Source/core/layout/LayoutText.cpp b/third_party/WebKit/Source/core/layout/LayoutText.cpp
index 3f4d6a8f309e0e4d0f095ced53f3f17713755d5c..12415aa3be29ac9034085cf500fd898259b0232c 100644
--- a/third_party/WebKit/Source/core/layout/LayoutText.cpp
+++ b/third_party/WebKit/Source/core/layout/LayoutText.cpp
@@ -24,6 +24,7 @@
 
 #include "core/layout/LayoutText.h"
 
+#include <algorithm>
 #include "core/dom/AXObjectCache.h"
 #include "core/dom/Text.h"
 #include "core/editing/VisiblePosition.h"
@@ -1013,6 +1014,13 @@ static float minWordFragmentWidthForBreakAll(LayoutText* layoutText,
     } else {
       fragmentLength = U16_LENGTH(layoutText->codepointAt(i));
     }
+
+    // Ensure that malformed surrogate pairs don't cause us to read
+    // past the end of the string.
+    int textLength = layoutText->textLength();
+    if (i + fragmentLength > textLength)
+      fragmentLength = std::max(textLength - i, 0);
+
     // The correct behavior is to measure width without re-shaping, but we
     // reshape each fragment here because a) the current line breaker does not
     // support it, b) getCharacterRange() can reshape if the text is too long