Buffer overflow with Font_SwitchOutputToBuffer and Font_Paint
Christopher Martin (1504) 4 posts
SWI Font_SwitchOutputToBuffer redirects SWI Font_Paint to render text as Draw path objects into a buffer. It is possible to determine the size of buffer required before actually rendering the text. This normally works fine, but it appears that when the text ends with a space, RISC OS overflows the buffer.

My experiments suggest that an additional 10 words must be allocated to absorb the overflow. This is the case for both hard and soft spaces. The number of trailing spaces appears to make no difference; 10 words does the job whether the text ends with one space or many. I have found the same behaviour on RISC OS 4.02 and RISC OS 5.18.

I have a very small BASIC program which demonstrates the problem. Using a short string that ends with a space, it paints to screen and then, via Font_SwitchOutputToBuffer, into a buffer of the required length plus 1024 bytes. The buffer is saved to RamDisc. On inspection of the saved buffer, it can be seen that words at byte-offsets 16 to 36 past the required length of the buffer have been corrupted.

As an aside, it can also be seen that the “new size remaining” field returned by Font_SwitchOutputToBuffer at [R1,#4] contains a very incorrect value.
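
The slack-and-inspect measurement described in the post can be automated with guard words. The following C sketch is an added example, not the poster's BASIC program and not RISC OS code: `guard_fill`, `guard_scan`, `GUARD_WORD` and the simulated overrun in `demo` are hypothetical names and constructed data that mirror the offsets reported above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUARD_WORD 0xDEADC0DEu /* constructed fill pattern (assumption) */

typedef struct {
    long first_off;   /* offset past required length of first altered word, -1 if none */
    long last_off;    /* offset past required length of last altered word, -1 if none */
    size_t pad_words; /* extra words needed to contain the overrun */
} overrun_t;

/* Fill the slack area after the required length with guard words. */
void guard_fill(uint8_t *buf, size_t required, size_t slack) {
    uint32_t g = GUARD_WORD;
    for (size_t off = 0; off + 4 <= slack; off += 4)
        memcpy(buf + required + off, &g, 4);
}

/* After rendering, report which guard words were overwritten.
   A stray write that happens to equal GUARD_WORD goes unnoticed. */
overrun_t guard_scan(const uint8_t *buf, size_t required, size_t slack) {
    overrun_t r = { -1, -1, 0 };
    uint32_t g = GUARD_WORD, w;
    for (size_t off = 0; off + 4 <= slack; off += 4) {
        memcpy(&w, buf + required + off, 4);
        if (w == g) continue;
        if (r.first_off < 0) r.first_off = (long)off;
        r.last_off = (long)off;
    }
    if (r.last_off >= 0) r.pad_words = (size_t)r.last_off / 4 + 1;
    return r;
}

/* Constructed stand-in for the renderer: writes in bounds, then
   clobbers the words at offsets 16..36 past the required length. */
overrun_t demo(void) {
    static uint8_t buf[256 + 1024];
    size_t required = 256, slack = 1024;
    guard_fill(buf, required, slack);
    memset(buf, 0, required);
    for (size_t off = 16; off <= 36; off += 4)
        memset(buf + required + off, 0, 4);
    return guard_scan(buf, required, slack);
}

int main(void) {
    overrun_t r = demo();
    printf("first=%ld last=%ld pad_words=%zu\n", r.first_off, r.last_off, r.pad_words);
    return 0;
}
```

The padding figure is taken from the highest altered word rather than the count of altered words, since untouched guard words below it still lie inside the region the overrun reaches.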