Title: [146515] trunk
Revision
146515
Author
[email protected]
Date
2013-03-21 13:57:35 -0700 (Thu, 21 Mar 2013)

Log Message

SVG text path referencing parent text infinite loops
https://bugs.webkit.org/show_bug.cgi?id=112078

Reviewed by Philip Rogers.

Source/WebCore:

We do not check the target type when adding a resource reference for
SVG Text Path's URI. This goes horribly wrong when the target is the
text path's parent text element. In this patch we check that the target
element of the text path is indeed a path element, as the spec
requires. No other element type is allowed.

Note that RenderSVGTextPath enforces this check in the renderer code
also, so if we get past this check via pending resources, it doesn't
matter. You can't get into this situation with a pending reference
because, by definition, the parent must be defined before the text
path child.

Test: svg/text/textpath-referencing-text-crash.svg

* svg/SVGTextPathElement.cpp:
(WebCore::SVGTextPathElement::buildPendingResource):

LayoutTests:

* svg/text/textpath-referencing-text-crash-expected.txt: Added.
* svg/text/textpath-referencing-text-crash.svg: Added.
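The check the log message describes, as an added example that is not WebKit code: a stand-alone model of the decision `SVGTextPathElement::buildPendingResource` makes when it resolves a textPath's href, run against a hand-built element tree so it works offline in Node. The mini-DOM helpers, the `resolveTextPathTarget()` function and its `pathOnly` switch are this example's own constructs (assumptions, not WebCore APIs); `pathOnly: false` reproduces the pre-patch acceptance of any SVG element, `pathOnly: true` the post-patch path-only rule, and the `cyclic` flag reports whether the target is an ancestor of the textPath, which is the shape the bug report describes.

```javascript
// Added example, not WebKit source. Models the target check from r146515
// (SVGTextPathElement::buildPendingResource) on a constructed element tree.

// Mini-DOM (assumption of this example): tag, attrs, children, parent link.
function el(tag, attrs = {}, children = []) {
  const node = { tag, attrs, children, parent: null };
  for (const child of children) child.parent = node;
  return node;
}

function findById(root, id) {
  if (root.attrs.id === id) return root;
  for (const child of root.children) {
    const hit = findById(child, id);
    if (hit) return hit;
  }
  return null;
}

function isAncestorOf(candidate, node) {
  for (let p = node.parent; p; p = p.parent) {
    if (p === candidate) return true;
  }
  return false;
}

// Mirrors the control flow of buildPendingResource():
//  - no usable id                          -> nothing to do
//  - id not found in the document          -> pending resource, type unknown
//  - id found, pathOnly && tag !== 'path'  -> rejected (behaviour after r146515)
//  - id found, otherwise                   -> registered as a dependency
// With pathOnly=false any found element is registered, which is how a
// <textPath> could register its own parent <text> as something it depends on.
function resolveTextPathTarget(root, textPath, { pathOnly = true } = {}) {
  const href = textPath.attrs['xlink:href'] || '';
  const id = href.startsWith('#') ? href.slice(1) : '';
  if (!id) return { status: 'no-target' };

  const target = findById(root, id);
  if (!target) return { status: 'pending', id };

  const cyclic = isAncestorOf(target, textPath);
  if (pathOnly && target.tag !== 'path') {
    return { status: 'rejected', id, tag: target.tag, cyclic };
  }
  return { status: 'registered', id, tag: target.tag, cyclic };
}

// Constructed documents (not the layout test from the page).
// 1. textPath whose href is its own parent <text>, the bug's shape.
function selfReferencingDoc() {
  const textPath = el('textPath', { 'xlink:href': '#a' });
  const text = el('text', { id: 'a' }, [textPath]);
  return { root: el('svg', {}, [text]), textPath };
}

// 2. textPath that references a real <path>, as the spec requires.
function wellFormedDoc() {
  const textPath = el('textPath', { 'xlink:href': '#p' });
  const text = el('text', {}, [textPath]);
  const path = el('path', { id: 'p', d: 'M0 0 L100 0' });
  return { root: el('svg', {}, [path, text]), textPath };
}

// 3. textPath whose target id does not exist: goes the pending-resource route.
function unresolvedDoc() {
  const textPath = el('textPath', { 'xlink:href': '#missing' });
  const text = el('text', {}, [textPath]);
  return { root: el('svg', {}, [text]), textPath };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { root, textPath } = selfReferencingDoc();
  console.log('before r146515:', resolveTextPathTarget(root, textPath, { pathOnly: false }));
  console.log('after  r146515:', resolveTextPathTarget(root, textPath));
}
```

The `pending` result is the case the patch cannot decide at parse time: the target's tag is unknown until the id appears, so a type check there has to happen when the pending reference is resolved or in the renderer, which is where the log message says it is enforced.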

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/svg/SVGTextPathElement.cpp

Added Paths

trunk/LayoutTests/svg/text/textpath-referencing-text-crash-expected.txt
trunk/LayoutTests/svg/text/textpath-referencing-text-crash.svg
Diff

Modified: trunk/LayoutTests/ChangeLog (146514 => 146515)


--- trunk/LayoutTests/ChangeLog	2013-03-21 20:56:16 UTC (rev 146514)
+++ trunk/LayoutTests/ChangeLog	2013-03-21 20:57:35 UTC (rev 146515)
@@ -1,3 +1,13 @@
+2013-03-21  Stephen Chenney  <[email protected]>
+
+        SVG text path referencing parent text infinite loops
+        https://bugs.webkit.org/show_bug.cgi?id=112078
+
+        Reviewed by Philip Rogers.
+
+        * svg/text/textpath-referencing-text-crash-expected.txt: Added.
+        * svg/text/textpath-referencing-text-crash.svg: Added.
+
 2013-03-21  Philip Rogers  <[email protected]>
 
         Correct bisector angle calculation for markers

Added: trunk/LayoutTests/svg/text/textpath-referencing-text-crash-expected.txt (0 => 146515)


--- trunk/LayoutTests/svg/text/textpath-referencing-text-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/svg/text/textpath-referencing-text-crash-expected.txt	2013-03-21 20:57:35 UTC (rev 146515)
@@ -0,0 +1 @@
+Test Passes if there is no crash. See bug https://bugs.webkit.org/show_bug.cgi?id=112078.

Added: trunk/LayoutTests/svg/text/textpath-referencing-text-crash.svg (0 => 146515)


--- trunk/LayoutTests/svg/text/textpath-referencing-text-crash.svg	                        (rev 0)
+++ trunk/LayoutTests/svg/text/textpath-referencing-text-crash.svg	2013-03-21 20:57:35 UTC (rev 146515)
@@ -0,0 +1,10 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+  <text id="a" font-size="0">
+    <textPath xlink:href=""
+  </text>
+  <text>Test Passes if there is no crash. See bug https://bugs.webkit.org/show_bug.cgi?id=112078.</text>
+  <script>
+    if (window.testRunner)
+      testRunner.dumpAsText();
+  </script>
+</svg>
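Review bot: the new test does not visibly reference the parent text: the `<textPath xlink:href=""` start tag has an empty href and is never closed before `</text>`, so whether the document reaches the new pathTag check depends on the parser's error recovery rather than on the self-reference the title describes. If this is the reduced fuzzer input, keep it, but add a well-formed variant with `<textPath xlink:href="#a">` inside `<text id="a">` so the bug's stated trigger is exercised directly; the expected.txt line covers both.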

Modified: trunk/Source/WebCore/ChangeLog (146514 => 146515)


--- trunk/Source/WebCore/ChangeLog	2013-03-21 20:56:16 UTC (rev 146514)
+++ trunk/Source/WebCore/ChangeLog	2013-03-21 20:57:35 UTC (rev 146515)
@@ -1,3 +1,27 @@
+2013-03-21  Stephen Chenney  <[email protected]>
+
+        SVG text path referencing parent text infinite loops
+        https://bugs.webkit.org/show_bug.cgi?id=112078
+
+        Reviewed by Philip Rogers.
+
+        We do not check the target type when adding a resource reference for
+        SVG Text Path's URI. This goes horribly wrong when the target is the
+        text path's parent text element. In this patch we check that the target
+        element of the text path is indeed a path element, as the spec
+        requires. No other element type is allowed.
+
+        Note that RenderSVGTextPath enforces this check in the renderer code
+        also, so if we get past this check via pending resources, it doesn't
+        matter. You can't get into this situation with a pending reference
+        because, by definition, the parent must be defined before the text
+        path child.
+
+        Test: svg/text/textpath-referencing-text-crash.svg
+
+        * svg/SVGTextPathElement.cpp:
+        (WebCore::SVGTextPathElement::buildPendingResource):
+
 2013-03-21  Joshua Bell  <[email protected]>
 
         IndexedDB: Remove onVersionChange(string) plumbing
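Review bot: the entry relies on RenderSVGTextPath enforcing the same check for targets that arrive through pending resources, but no renderer file is part of this patch and the entry does not say which renderer function performs it. Name that function in the ChangeLog, and add a test in which the textPath precedes a non-path target (a forward reference, so the pending-resource branch is taken) to confirm the renderer-side check actually catches it.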

Modified: trunk/Source/WebCore/svg/SVGTextPathElement.cpp (146514 => 146515)


--- trunk/Source/WebCore/svg/SVGTextPathElement.cpp	2013-03-21 20:56:16 UTC (rev 146514)
+++ trunk/Source/WebCore/svg/SVGTextPathElement.cpp	2013-03-21 20:57:35 UTC (rev 146515)
@@ -171,7 +171,7 @@
             document()->accessSVGExtensions()->addPendingResource(id, this);
             ASSERT(hasPendingResources());
         }
-    } else if (target->isSVGElement()) {
+    } else if (target->hasTagName(SVGNames::pathTag)) {
         // Register us with the target in the dependencies map. Any change of hrefElement
         // that leads to relayout/repainting now informs us, so we can react to it.
         document()->accessSVGExtensions()->addElementReferencingTarget(this, toSVGElement(target));
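Review bot: the new `hasTagName(SVGNames::pathTag)` condition silently drops every non-path target, but the comment just below it (`Register us with the target in the dependencies map.`) still reads as if any hrefElement were accepted, and nothing records why a found-but-wrong-typed target is ignored. Add a one-line comment stating that the spec restricts textPath's href to a path element and that accepting other elements let a textPath register its own parent text as a dependency (bug 112078); also note, at the `addPendingResource(id, this)` branch above, that the type cannot be checked there because the target is not yet known, so the check is deferred to the renderer.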
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
