Diff
Modified: trunk/LayoutTests/ChangeLog (93476 => 93477)
--- trunk/LayoutTests/ChangeLog 2011-08-20 06:32:08 UTC (rev 93476)
+++ trunk/LayoutTests/ChangeLog 2011-08-20 07:30:57 UTC (rev 93477)
@@ -1,3 +1,15 @@
+2011-08-20 Ken Buchanan <[email protected]>
+
+ OOB Read in WebCore::SVGAnimationElement
+ https://bugs.webkit.org/show_bug.cgi?id=65858
+
+ Reviewed by Nikolas Zimmermann.
+
+ Added test case covering keySpline array length problem.
+
+ * svg/animations/animate-calcMode-spline-crash-bad-array-length-expected.txt: Added.
+ * svg/animations/animate-calcMode-spline-crash-bad-array-length.xhtml: Added.
+
2011-08-19 Sheriff Bot <[email protected]>
Unreviewed, rolling out r93415.
Property changes on: trunk/LayoutTests/ChangeLog
___________________________________________________________________
Added: svn:executable
Added: trunk/LayoutTests/svg/animations/animate-calcMode-spline-crash-bad-array-length-expected.txt (0 => 93477)
--- trunk/LayoutTests/svg/animations/animate-calcMode-spline-crash-bad-array-length-expected.txt (rev 0)
+++ trunk/LayoutTests/svg/animations/animate-calcMode-spline-crash-bad-array-length-expected.txt 2011-08-20 07:30:57 UTC (rev 93477)
@@ -0,0 +1 @@
+PASS, if DumpRenderTree doesn't crash, and no assertion in a Debug build.
Property changes on: trunk/LayoutTests/svg/animations/animate-calcMode-spline-crash-bad-array-length-expected.txt
___________________________________________________________________
Added: svn:executable
Added: trunk/LayoutTests/svg/animations/animate-calcMode-spline-crash-bad-array-length.xhtml (0 => 93477)
--- trunk/LayoutTests/svg/animations/animate-calcMode-spline-crash-bad-array-length.xhtml (rev 0)
+++ trunk/LayoutTests/svg/animations/animate-calcMode-spline-crash-bad-array-length.xhtml 2011-08-20 07:30:57 UTC (rev 93477)
@@ -0,0 +1,30 @@
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <body>
+ <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+ <path
+ d="m 65.912454,142.33657 c 32.971728,0.47546 54.353006,2.31459 71.732026,10.88083 17.37902,8.56625 34.29132,22.84947 51.25404,50.23341 13.77183,26.13619 16.30585,56.55141 24.4592,84.76493 10.69173,38.71495 20.90606,82.87651 67.29492,88.93182 41.52078,0.3788 52.41155,-41.57971 59.06828,-62.96039 6.46861,-20.7765 10.67334,-53.22798 17.38318,-74.37414 13.10483,-41.30006 19.81437,-45.96631 29.91229,-57.75202"
+ id="path_a"
+ style="fill:none;stroke:none;stroke-width:0.2;marker-mid:none;marker-end:none" />
+
+ <circle id="mycircle" cx="0" cy="0" r="12" >
+ <animateMotion id="A" dur="2s" keyTimes="0; 0.6; 1"
+ calcMode="spline" keySplines="1 0 1 0;0 1 0 1;"
+ repeatCount="1" rotate="auto" fill="freeze">
+ <mpath xlink:href="" />
+ </animateMotion>
+ </circle>
+ </svg>
+ <script>
+ if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+ }
+ setTimeout(function () {
+ document.body.innerHTML = "PASS, if DumpRenderTree doesn't crash, and no assertion in a Debug build.";
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }, 0);
+
+ </script>
+ </body>
+</html>
Property changes on: trunk/LayoutTests/svg/animations/animate-calcMode-spline-crash-bad-array-length.xhtml
___________________________________________________________________
Added: svn:executable
Modified: trunk/Source/WebCore/ChangeLog (93476 => 93477)
--- trunk/Source/WebCore/ChangeLog 2011-08-20 06:32:08 UTC (rev 93476)
+++ trunk/Source/WebCore/ChangeLog 2011-08-20 07:30:57 UTC (rev 93477)
@@ -1,3 +1,18 @@
+2011-08-20 Ken Buchanan <[email protected]>
+
+ OOB Read in WebCore::SVGAnimationElement
+ https://bugs.webkit.org/show_bug.cgi?id=65858
+
+ Reviewed by Nikolas Zimmermann.
+
+ Potential crash resulting from incorrect keySpline array lengths. This fix validates the length in startedActiveInterval.
+
+ Test: svg/animations/animate-calcMode-spline-crash-bad-array-length.xhtml
+
+ * svg/SVGAnimationElement.cpp:
+ (WebCore::SVGAnimationElement::parseMappedAttribute):
+ (WebCore::SVGAnimationElement::calculateKeyTimesIndex):
+
2011-08-19 Sheriff Bot <[email protected]>
Unreviewed, rolling out r93415.
Property changes on: trunk/Source/WebCore/ChangeLog
___________________________________________________________________
Added: svn:executable
Modified: trunk/Source/WebCore/svg/SVGAnimationElement.cpp (93476 => 93477)
--- trunk/Source/WebCore/svg/SVGAnimationElement.cpp 2011-08-20 06:32:08 UTC (rev 93476)
+++ trunk/Source/WebCore/svg/SVGAnimationElement.cpp 2011-08-20 07:30:57 UTC (rev 93477)
@@ -413,7 +413,10 @@
{
unsigned index;
unsigned keyTimesCount = m_keyTimes.size();
- for (index = 1; index < keyTimesCount; ++index) {
+ // Compare index + 1 to keyTimesCount because the last keyTimes entry is
+ // required to be 1, and percent can never exceed 1; i.e., the second last
+ // keyTimes entry defines the beginning of the final interval
+ for (index = 1; index + 1 < keyTimesCount; ++index) {
if (m_keyTimes[index] > percent)
break;
}
@@ -551,7 +554,8 @@
if (calcMode == CalcModeSpline) {
unsigned splinesCount = m_keySplines.size() + 1;
if ((fastHasAttribute(SVGNames::keyPointsAttr) && m_keyPoints.size() != splinesCount)
- || (animationMode == ValuesAnimation && m_values.size() != splinesCount))
+ || (animationMode == ValuesAnimation && m_values.size() != splinesCount)
+ || (fastHasAttribute(SVGNames::keyTimesAttr) && m_keyTimes.size() != splinesCount))
return;
}
