libdraw, libframe, acme: fix, guard against inverted range in textsetselect

Credit to Roi Martin <jroi.martin@gmail.com> for noticing that
libdraw was being passed a negative string length and for finding the
sequence of keystrokes that make acme do it reproducibly.

Change-Id: If3f3d04a25c506175f740d3e887d5d83b5cd1bfe
Reviewed-on: https://plan9port-review.googlesource.com/1092
Reviewed-by: Russ Cox <rsc@swtch.com>

src/cmd/acme/text.c

@@ -819,8 +819,12 @@ texttype(Text *t, Rune r)
 		nr = runestrlen(rp);
 		break;	/* fall through to normal insertion case */
 	case 0x1B:
-		if(t->eq0 != ~0)
-			textsetselect(t, t->eq0, t->q0);
+		if(t->eq0 != ~0) {
+			if(t->eq0 <= t->q0)
+				textsetselect(t, t->eq0, t->q0);
+			else
+				textsetselect(t, t->q0, t->eq0);
+		}
 		if(t->ncache > 0)
 			typecommit(t);
 		t->iq1 = t->q0;
@@ -1173,7 +1177,7 @@ void
 textsetselect(Text *t, uint q0, uint q1)
 {
 	int p0, p1, ticked;
-
+	
 	/* t->fr.p0 and t->fr.p1 are always right; t->q0 and t->q1 may be off */
 	t->q0 = q0;
 	t->q1 = q1;
@@ -1198,6 +1202,8 @@ textsetselect(Text *t, uint q0, uint q1)
 			frtick(&t->fr, frptofchar(&t->fr, p0), ticked);
 		return;
 	}
+	if(p0 > p1)
+		sysfatal("acme: textsetselect p0=%d p1=%d q0=%ud q1=%ud t->org=%d nchars=%d", p0, p1, q0, q1, (int)t->org, (int)t->fr.nchars);
 	/* screen disagrees with desired selection */
 	if(t->fr.p1<=p0 || p1<=t->fr.p0 || p0==p1 || t->fr.p1==t->fr.p0){
 		/* no overlap or too easy to bother trying */

src/libdraw/string.c

@@ -67,6 +67,9 @@ _string(Image *dst, Point pt, Image *src, Point sp, Font *f, char *s, Rune *r, i
 	Font *def;
 	Subfont *sf;
 
+	if(len < 0)
+		sysfatal("libdraw: _string len=%d", len);
+
 	if(s == nil){
 		s = "";
 		sptr = nil;

src/libframe/frdraw.c

@@ -62,6 +62,9 @@ frdrawsel0(Frame *f, Point pt, ulong p0, ulong p1, Image *back, Image *text)
 	Point qt;
 	uint p;
 	char *ptr;
+	
+	if(p0 > p1)
+		sysfatal("libframe: frdrawsel0 p0=%lud > p1=%lud", p0, p1);
 
 	p = 0;
 	b = f->box;