Title: [164933] trunk
Revision
164933
Author
[email protected]
Date
2014-03-01 16:20:58 -0800 (Sat, 01 Mar 2014)

Log Message

Ensure keySplines is valid in SMIL animations
<http://webkit.org/b/129547>
<rdar://problem/15676128>

Reviewed by Darin Adler.

Merged from Blink (patch by Philip Rogers):
https://src.chromium.org/viewvc/blink?revision=156452&view=revision
http://crbug.com/276111

    This patch fixes a crash in SMIL animations when keySplines are not
    specified. The SMIL spec is clear on this:
    http://www.w3.org/TR/2001/REC-smil-animation-20010904/#AnimFuncCalcMode
    "If there are any errors in the keyTimes specification (bad values,
    too many or too few values), the animation will have no effect."

    This patch simply checks that keyTimes is not empty. Previously,
    splinesCount was set to be m_keySplines.size() + 1 in
    SVGAnimationElement.cpp; this patch changes splinesCount to be equal
    to m_keySplines.size() to make the logic easier to follow and to
    match other checks in SVGAnimationElement::startedActiveInterval.

Source/WebCore:

Test: svg/animations/animate-keysplines-crash.html

* svg/SVGAnimationElement.cpp:
(WebCore::SVGAnimationElement::startedActiveInterval):

LayoutTests:

* svg/animations/animate-keysplines-crash-expected.txt: Added.
* svg/animations/animate-keysplines-crash.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (164932 => 164933)


--- trunk/LayoutTests/ChangeLog	2014-03-01 23:50:17 UTC (rev 164932)
+++ trunk/LayoutTests/ChangeLog	2014-03-02 00:20:58 UTC (rev 164933)
@@ -1,3 +1,30 @@
+2014-03-01  David Kilzer  <[email protected]>
+
+        Ensure keySplines is valid in SMIL animations
+        <http://webkit.org/b/129547>
+        <rdar://problem/15676128>
+
+        Reviewed by Darin Adler.
+
+        Merged from Blink (patch by Philip Rogers):
+        https://src.chromium.org/viewvc/blink?revision=156452&view=revision
+        http://crbug.com/276111
+
+            This patch fixes a crash in SMIL animations when keySplines are not
+            specified. The SMIL spec is clear on this:
+            http://www.w3.org/TR/2001/REC-smil-animation-20010904/#AnimFuncCalcMode
+            "If there are any errors in the keyTimes specification (bad values,
+            too many or too few values), the animation will have no effect."
+
+            This patch simply checks that keyTimes is not empty. Previously,
+            splinesCount was set to be m_keySplines.size() + 1 in
+            SVGAnimationElement.cpp; this patch changes splinesCount to be equal
+            to m_keySplines.size() to make the logic easier to follow and to
+            match other checks in SVGAnimationElement::startedActiveInterval.
+
+        * svg/animations/animate-keysplines-crash-expected.txt: Added.
+        * svg/animations/animate-keysplines-crash.html: Added.
+
 2014-03-01  Benjamin Poulain  <[email protected]>
 
         Tighten minimumRegisterRequirements()

Added: trunk/LayoutTests/svg/animations/animate-keysplines-crash-expected.txt (0 => 164933)


--- trunk/LayoutTests/svg/animations/animate-keysplines-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/svg/animations/animate-keysplines-crash-expected.txt	2014-03-02 00:20:58 UTC (rev 164933)
@@ -0,0 +1 @@
+PASS

Added: trunk/LayoutTests/svg/animations/animate-keysplines-crash.html (0 => 164933)


--- trunk/LayoutTests/svg/animations/animate-keysplines-crash.html	                        (rev 0)
+++ trunk/LayoutTests/svg/animations/animate-keysplines-crash.html	2014-03-02 00:20:58 UTC (rev 164933)
@@ -0,0 +1,28 @@
+<!DOCTYPE HTML>
+<html>
+<body>
+Test for crbug.com/276111: This test passes if it does not crash.
+<svg xmlns="http://www.w3.org/2000/svg">
+  <rect>
+      <animateMotion path="M 1 2Z" id="animateMotionElement" calcMode="spline" values="M 1 2Z; M3 4Z"/>
+  </rect>
+</svg>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+function removePathAndFinishTest() {
+    animateMotionElement.removeAttribute('path');
+    setTimeout(function() {
+        document.write("PASS");
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }, 0);
+}
+
+setTimeout('removePathAndFinishTest()', 0);
+</script>
+</body>
+</html>
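Review bot: `setTimeout('removePathAndFinishTest()', 0)` passes a string that the browser has to evaluate; pass the function reference instead (`setTimeout(removePathAndFinishTest, 0)`), matching the function-argument form already used for the inner `setTimeout` in the same script. In the same function, `animateMotionElement` resolves only through the window's named-element lookup of the `id` attribute; `document.getElementById('animateMotionElement')` would make the dependency explicit. Neither point changes what the test exercises: an `animateMotion` with `calcMode="spline"` and no `keySplines` attribute, whose `path` is then removed.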

Modified: trunk/Source/WebCore/ChangeLog (164932 => 164933)


--- trunk/Source/WebCore/ChangeLog	2014-03-01 23:50:17 UTC (rev 164932)
+++ trunk/Source/WebCore/ChangeLog	2014-03-02 00:20:58 UTC (rev 164933)
@@ -1,3 +1,32 @@
+2014-03-01  David Kilzer  <[email protected]>
+
+        Ensure keySplines is valid in SMIL animations
+        <http://webkit.org/b/129547>
+        <rdar://problem/15676128>
+
+        Reviewed by Darin Adler.
+
+        Merged from Blink (patch by Philip Rogers):
+        https://src.chromium.org/viewvc/blink?revision=156452&view=revision
+        http://crbug.com/276111
+
+            This patch fixes a crash in SMIL animations when keySplines are not
+            specified. The SMIL spec is clear on this:
+            http://www.w3.org/TR/2001/REC-smil-animation-20010904/#AnimFuncCalcMode
+            "If there are any errors in the keyTimes specification (bad values,
+            too many or too few values), the animation will have no effect."
+
+            This patch simply checks that keyTimes is not empty. Previously,
+            splinesCount was set to be m_keySplines.size() + 1 in
+            SVGAnimationElement.cpp; this patch changes splinesCount to be equal
+            to m_keySplines.size() to make the logic easier to follow and to
+            match other checks in SVGAnimationElement::startedActiveInterval.
+
+        Test: svg/animations/animate-keysplines-crash.html
+
+        * svg/SVGAnimationElement.cpp:
+        (WebCore::SVGAnimationElement::startedActiveInterval):
+
 2014-03-01  Benjamin Poulain  <[email protected]>
 
         Tighten minimumRegisterRequirements()
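Review bot: the description says "This patch simply checks that keyTimes is not empty", but the change in `SVGAnimationElement::startedActiveInterval` adds `if (!splinesCount ...` where `splinesCount` is `m_keySplines.size()`, so what is actually checked is that keySplines is not empty; keyTimes is only compared against `splinesCount` when the `keyTimes` attribute is present. The title of the entry ("Ensure keySplines is valid") is the accurate one; suggest "checks that keySplines is not empty" in the body so the ChangeLog matches the code.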

Modified: trunk/Source/WebCore/svg/SVGAnimationElement.cpp (164932 => 164933)


--- trunk/Source/WebCore/svg/SVGAnimationElement.cpp	2014-03-01 23:50:17 UTC (rev 164932)
+++ trunk/Source/WebCore/svg/SVGAnimationElement.cpp	2014-03-02 00:20:58 UTC (rev 164933)
@@ -558,10 +558,11 @@
     AnimationMode animationMode = this->animationMode();
     CalcMode calcMode = this->calcMode();
     if (calcMode == CalcModeSpline) {
-        unsigned splinesCount = m_keySplines.size() + 1;
-        if ((fastHasAttribute(SVGNames::keyPointsAttr) && m_keyPoints.size() != splinesCount)
-            || (animationMode == ValuesAnimation && m_values.size() != splinesCount)
-            || (fastHasAttribute(SVGNames::keyTimesAttr) && m_keyTimes.size() != splinesCount))
+        unsigned splinesCount = m_keySplines.size();
+        if (!splinesCount
+            || (fastHasAttribute(SVGNames::keyPointsAttr) && m_keyPoints.size() - 1 != splinesCount)
+            || (animationMode == ValuesAnimation && m_values.size() - 1 != splinesCount)
+            || (fastHasAttribute(SVGNames::keyTimesAttr) && m_keyTimes.size() - 1 != splinesCount))
             return;
     }
 
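Review bot: the new comparisons `m_keyPoints.size() - 1 != splinesCount`, `m_values.size() - 1 != splinesCount` and `m_keyTimes.size() - 1 != splinesCount` are unsigned arithmetic, so an empty list wraps to the maximum value rather than yielding -1. The early return still fires in that case because the preceding `!splinesCount` test guarantees `splinesCount >= 1`, and no wrapped value can equal it, but that ordering is what keeps the check safe; a short comment on `if (!splinesCount` saying the later subtractions rely on it (or an explicit emptiness check on each list before subtracting) would keep a future reorder from silently reintroducing the mismatch. The intended relationship, one spline per interval between consecutive values, keyTimes or keyPoints, is otherwise expressed more directly than the previous `m_keySplines.size() + 1` form.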