Title: [145666] branches/safari-536.30-branch
- Revision: 145666
- Author: [email protected]
- Date: 2013-03-12 18:45:39 -0700 (Tue, 12 Mar 2013)
Log Message
Merged r142365. <rdar://problem/13334965>
Diff
Modified: branches/safari-536.30-branch/LayoutTests/ChangeLog (145665 => 145666)
--- branches/safari-536.30-branch/LayoutTests/ChangeLog 2013-03-13 01:43:45 UTC (rev 145665)
+++ branches/safari-536.30-branch/LayoutTests/ChangeLog 2013-03-13 01:45:39 UTC (rev 145666)
@@ -1,5 +1,19 @@
2013-03-12 Lucas Forschler <[email protected]>
+ Merge r142365
+
+ 2013-02-09 Philip Rogers <[email protected]>
+
+ Sanitize m_keyTimes for paced value animations
+ https://bugs.webkit.org/show_bug.cgi?id=108828
+
+ Reviewed by Dirk Schulze.
+
+ * svg/animations/animate-keytimes-crash-expected.html: Added.
+ * svg/animations/animate-keytimes-crash.html: Added.
+
+2013-03-12 Lucas Forschler <[email protected]>
+
Merge r142358
2013-02-09 Kent Tamura <[email protected]>
Copied: branches/safari-536.30-branch/LayoutTests/svg/animations/animate-keytimes-crash-expected.html (from rev 142365, trunk/LayoutTests/svg/animations/animate-keytimes-crash-expected.html) (0 => 145666)
--- branches/safari-536.30-branch/LayoutTests/svg/animations/animate-keytimes-crash-expected.html (rev 0)
+++ branches/safari-536.30-branch/LayoutTests/svg/animations/animate-keytimes-crash-expected.html 2013-03-13 01:45:39 UTC (rev 145666)
@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<html>
+Test for WK108828: This test passes if it does not crash.
+<svg id="svg" xmlns="http://www.w3.org/2000/svg" width="500" height="500">
+ <rect x="0" y="0" width="100" height="100" fill="green"/>
+</svg>
+</html>
+
Copied: branches/safari-536.30-branch/LayoutTests/svg/animations/animate-keytimes-crash.html (from rev 142365, trunk/LayoutTests/svg/animations/animate-keytimes-crash.html) (0 => 145666)
--- branches/safari-536.30-branch/LayoutTests/svg/animations/animate-keytimes-crash.html (rev 0)
+++ branches/safari-536.30-branch/LayoutTests/svg/animations/animate-keytimes-crash.html 2013-03-13 01:45:39 UTC (rev 145666)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+Test for WK108828: This test passes if it does not crash.
+<svg id="svg" xmlns="http://www.w3.org/2000/svg" width="500" height="500">
+ <!-- animateMotion with invalid keyTimes. -->
+ <rect x="0" y="0" width="100" height="100" fill="green">
+ <animateMotion keyTimes="0; 0.5; 0.5; 0.5; 1" values="M 0 0 Z; M 0 0 Z"/>
+ </rect>
+</svg>
+<script>
+ if (window.testRunner())
+ testRunner.waitUntilDone();
+
+ setTimeout(function() {
+ var svg = document.getElementById('svg');
+ svg.pauseAnimations();
+ svg.setCurrentTime(10);
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }, 1);
+</script>
+</html>
+
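Review bot: `if (window.testRunner())` at the top of the script calls testRunner as a function, while the check inside the timeout is `if (window.testRunner)` and the code then calls methods on it as an object. If testRunner is an object the call throws and the script stops there, so neither `testRunner.waitUntilDone()` nor the `setTimeout` that drives `svg.setCurrentTime(10)` runs, and the test can finish without exercising the keyTimes path; where testRunner is undefined the same line throws as well. Drop the parentheses so both checks match. The test also sets no calcMode attribute although the fix is for paced animations, so a comment saying why this animateMotion reaches the paced path would help the next reader.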
Modified: branches/safari-536.30-branch/Source/WebCore/ChangeLog (145665 => 145666)
--- branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-03-13 01:43:45 UTC (rev 145665)
+++ branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-03-13 01:45:39 UTC (rev 145666)
@@ -1,5 +1,29 @@
2013-03-12 Lucas Forschler <[email protected]>
+ Merge r142365
+
+ 2013-02-09 Philip Rogers <[email protected]>
+
+ Sanitize m_keyTimes for paced value animations
+ https://bugs.webkit.org/show_bug.cgi?id=108828
+
+ Reviewed by Dirk Schulze.
+
+ SVG animations with calcMode=paced calculate new m_keyTimes in
+ SVGAnimationElement::calculateKeyTimesForCalcModePaced() because paced animations do not
+ specify keyTimes. If an error occurs while calculating m_keyTimes, and there exists
+ user-specified values, a crash could occur because the user-specified values were not
+ sanitized.
+
+ This change clears user-specified keyTimes before calculating new ones.
+
+ Test: svg/animations/animate-keytimes-crash.html
+
+ * svg/SVGAnimationElement.cpp:
+ (WebCore::SVGAnimationElement::calculateKeyTimesForCalcModePaced):
+
+2013-03-12 Lucas Forschler <[email protected]>
+
Merge r142358
2013-02-09 Kent Tamura <[email protected]>
Modified: branches/safari-536.30-branch/Source/WebCore/svg/SVGAnimationElement.cpp (145665 => 145666)
--- branches/safari-536.30-branch/Source/WebCore/svg/SVGAnimationElement.cpp 2013-03-13 01:43:45 UTC (rev 145665)
+++ branches/safari-536.30-branch/Source/WebCore/svg/SVGAnimationElement.cpp 2013-03-13 01:45:39 UTC (rev 145666)
@@ -396,6 +396,10 @@
ASSERT(valuesCount >= 1);
if (valuesCount == 1)
return;
+
+ // FIXME, webkit.org/b/109010: m_keyTimes should not be modified in this function.
+ m_keyTimes.clear();
+
Vector<float> keyTimesForPaced;
float totalDistance = 0;
keyTimesForPaced.append(0);
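Review bot: `m_keyTimes.clear()` sits after the `if (valuesCount == 1) return;` early exit, so on that path the user-specified keyTimes are left in place unsanitized. If the concern in the ChangeLog is user values surviving when the paced calculation does not complete, either move the clear above the early return or say in the comment why a single-value animation cannot reach the code that consumes m_keyTimes. The FIXME gives the bug number but not what should replace the clear; one line on the intended end state would make it actionable.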
@@ -416,7 +420,7 @@
keyTimesForPaced[keyTimesForPaced.size() - 1] = 1;
// Use key times calculated based on pacing instead of the user provided ones.
- m_keyTimes.swap(keyTimesForPaced);
+ m_keyTimes = keyTimesForPaced;
}
static inline double solveEpsilon(double duration) { return 1 / (200 * duration); }
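Review bot: the switch from `m_keyTimes.swap(keyTimesForPaced)` to `m_keyTimes = keyTimesForPaced` is not explained in the ChangeLog, and it replaces a constant-time swap with a copy of a local that is discarded at the closing brace on the next line. With m_keyTimes already cleared near the top of the function, the swap would leave the same final state; keep the swap, or extend the comment above this line to say why assignment is needed.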
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes