Title: [142365] trunk
- Revision
- 142365
- Author
- [email protected]
- Date
- 2013-02-09 10:02:37 -0800 (Sat, 09 Feb 2013)
Log Message
Sanitize m_keyTimes for paced value animations
https://bugs.webkit.org/show_bug.cgi?id=108828
Reviewed by Dirk Schulze.
Source/WebCore:
SVG animations with calcMode=paced calculate new m_keyTimes in
SVGAnimationElement::calculateKeyTimesForCalcModePaced() because paced animations do not
specify keyTimes. If an error occurs while calculating m_keyTimes, and there exist
user-specified values, a crash could occur because the user-specified values were not
sanitized.
This change clears user-specified keyTimes before calculating new ones.
Test: svg/animations/animate-keytimes-crash.html
* svg/SVGAnimationElement.cpp:
(WebCore::SVGAnimationElement::calculateKeyTimesForCalcModePaced):
LayoutTests:
* svg/animations/animate-keytimes-crash-expected.html: Added.
* svg/animations/animate-keytimes-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (142364 => 142365)
--- trunk/LayoutTests/ChangeLog 2013-02-09 17:54:42 UTC (rev 142364)
+++ trunk/LayoutTests/ChangeLog 2013-02-09 18:02:37 UTC (rev 142365)
@@ -1,3 +1,13 @@
+2013-02-09 Philip Rogers <[email protected]>
+
+ Sanitize m_keyTimes for paced value animations
+ https://bugs.webkit.org/show_bug.cgi?id=108828
+
+ Reviewed by Dirk Schulze.
+
+ * svg/animations/animate-keytimes-crash-expected.html: Added.
+ * svg/animations/animate-keytimes-crash.html: Added.
+
2013-02-09 Stephen Chenney <[email protected]>
[Chromium] Trying to turn the build.webkit.org builders greener
Added: trunk/LayoutTests/svg/animations/animate-keytimes-crash-expected.html (0 => 142365)
--- trunk/LayoutTests/svg/animations/animate-keytimes-crash-expected.html (rev 0)
+++ trunk/LayoutTests/svg/animations/animate-keytimes-crash-expected.html 2013-02-09 18:02:37 UTC (rev 142365)
@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<html>
+Test for WK108828: This test passes if it does not crash.
+<svg id="svg" xmlns="http://www.w3.org/2000/svg" width="500" height="500">
+ <rect x="0" y="0" width="100" height="100" fill="green"/>
+</svg>
+</html>
+
Added: trunk/LayoutTests/svg/animations/animate-keytimes-crash.html (0 => 142365)
--- trunk/LayoutTests/svg/animations/animate-keytimes-crash.html (rev 0)
+++ trunk/LayoutTests/svg/animations/animate-keytimes-crash.html 2013-02-09 18:02:37 UTC (rev 142365)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+Test for WK108828: This test passes if it does not crash.
+<svg id="svg" xmlns="http://www.w3.org/2000/svg" width="500" height="500">
+ <!-- animateMotion with invalid keyTimes. -->
+ <rect x="0" y="0" width="100" height="100" fill="green">
+ <animateMotion keyTimes="0; 0.5; 0.5; 0.5; 1" values="M 0 0 Z; M 0 0 Z"/>
+ </rect>
+</svg>
+<script>
+ if (window.testRunner())
+ testRunner.waitUntilDone();
+
+ setTimeout(function() {
+ var svg = document.getElementById('svg');
+ svg.pauseAnimations();
+ svg.setCurrentTime(10);
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }, 1);
+</script>
+</html>
+
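Review bot: the first feature check in the new test script reads `if (window.testRunner())`, which calls `testRunner` as a function, while the second check a few lines later reads `if (window.testRunner)`. In a plain browser `window.testRunner` is undefined, so the call throws a TypeError and the script aborts before `setTimeout` is registered; in the test harness it is an object, which is not callable either. Suggest making the first check `if (window.testRunner)` to match the second, so `waitUntilDone()` and the paused `setCurrentTime(10)` step both run as intended.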
Modified: trunk/Source/WebCore/ChangeLog (142364 => 142365)
--- trunk/Source/WebCore/ChangeLog 2013-02-09 17:54:42 UTC (rev 142364)
+++ trunk/Source/WebCore/ChangeLog 2013-02-09 18:02:37 UTC (rev 142365)
@@ -1,3 +1,23 @@
+2013-02-09 Philip Rogers <[email protected]>
+
+ Sanitize m_keyTimes for paced value animations
+ https://bugs.webkit.org/show_bug.cgi?id=108828
+
+ Reviewed by Dirk Schulze.
+
+ SVG animations with calcMode=paced calculate new m_keyTimes in
+ SVGAnimationElement::calculateKeyTimesForCalcModePaced() because paced animations do not
+ specify keyTimes. If an error occurs while calculating m_keyTimes, and there exists
+ user-specified values, a crash could occur because the user-specified values were not
+ sanitized.
+
+ This change clears user-specified keyTimes before calculating new ones.
+
+ Test: svg/animations/animate-keytimes-crash.html
+
+ * svg/SVGAnimationElement.cpp:
+ (WebCore::SVGAnimationElement::calculateKeyTimesForCalcModePaced):
+
2013-02-09 Eric Seidel <[email protected]>
Fix TextDocumentParser to play nice with threading
Modified: trunk/Source/WebCore/svg/SVGAnimationElement.cpp (142364 => 142365)
--- trunk/Source/WebCore/svg/SVGAnimationElement.cpp 2013-02-09 17:54:42 UTC (rev 142364)
+++ trunk/Source/WebCore/svg/SVGAnimationElement.cpp 2013-02-09 18:02:37 UTC (rev 142365)
@@ -385,6 +385,10 @@
ASSERT(valuesCount >= 1);
if (valuesCount == 1)
return;
+
+ // FIXME, webkit.org/b/109010: m_keyTimes should not be modified in this function.
+ m_keyTimes.clear();
+
Vector<float> keyTimesForPaced;
float totalDistance = 0;
keyTimesForPaced.append(0);
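Review bot: `m_keyTimes.clear()` is placed after the `if (valuesCount == 1) return;` early return, so when exactly one value is given the user-specified keyTimes are left in place rather than sanitized. If a single value cannot reach the code paths that read `m_keyTimes`, a short comment saying so would help; otherwise the clear should move above the early return. The FIXME pointing at webkit.org/b/109010 is a good pointer for the larger cleanup, but the ChangeLog description ("clears user-specified keyTimes before calculating new ones") should mention this exception.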
@@ -405,7 +409,7 @@
keyTimesForPaced[keyTimesForPaced.size() - 1] = 1;
// Use key times calculated based on pacing instead of the user provided ones.
- m_keyTimes.swap(keyTimesForPaced);
+ m_keyTimes = keyTimesForPaced;
}
static inline double solveEpsilon(double duration) { return 1 / (200 * duration); }
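Review bot: replacing `m_keyTimes.swap(keyTimesForPaced)` with `m_keyTimes = keyTimesForPaced` turns a swap of a local that is about to go out of scope into a full copy of the vector. Given the `m_keyTimes.clear()` added at the top of the function, the swap would leave `m_keyTimes` with exactly the same contents, so the copy only adds an allocation. If the assignment is intentional (for example to keep `keyTimesForPaced` intact for a later use not shown in this hunk), a comment on that line would make the reason clear; otherwise keeping the swap is preferable.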
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes