Title: [172496] trunk
Revision
172496
Author
[email protected]
Date
2014-08-12 15:30:32 -0700 (Tue, 12 Aug 2014)

Log Message

Make sure that begin time cannot be greater than SMILTime::indefiniteValue unintentionally.
https://bugs.webkit.org/show_bug.cgi?id=135838

Patch by Renata Hodovan <[email protected]> on 2014-08-12
Reviewed by Darin Adler.

Source/WebCore:

When WebCore::SVGSMILElement::resolveInterval creates a SMILTime begin
node for a SMILInterval, it only checks whether the value of begin is
indefinite or unresolved, but misses the case where it is between these two
reference values.

This is a backport of my fix in Blink: https://codereview.chromium.org/406263002/.

Test: svg/animations/animateMotion-crash-with-large-begin-time.html

* svg/animation/SVGSMILElement.cpp:
(WebCore::SVGSMILElement::parseOffsetValue):
(WebCore::SVGSMILElement::parseClockValue):

LayoutTests:

* svg/animations/animateMotion-crash-with-large-begin-time-expected.txt: Added.
* svg/animations/animateMotion-crash-with-large-begin-time.html: Added.
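
As an added illustration of the gap the log message describes (this is not WebCore's code and not part of the commit): a toy SMILTime with two sentinel doubles, the parseOffsetValue guard before and after this change, and a classifier for the state that falls between the sentinels. The sentinel values 1e20 and DBL_MAX, the helper parseSeconds and all function names are assumptions made for this example, not values quoted on the page.

```cpp
// Added illustration, not WebCore code: a minimal model of SMILTime's sentinel
// encoding and of the parseOffsetValue guard before and after r172496.
// Assumed for illustration only (not stated on the page): "indefinite" is encoded
// as 1e20 and "unresolved" as DBL_MAX, with ordinary times expected below both.
#include <cstdlib>
#include <limits>
#include <string>

struct SMILTime {
    static constexpr double indefiniteValue = 1e20;                               // assumed
    static constexpr double unresolvedValue = std::numeric_limits<double>::max(); // assumed
    double m_time;
    SMILTime(double t = 0) : m_time(t) {}
    static SMILTime unresolved() { return SMILTime(unresolvedValue); }
    static SMILTime indefinite() { return SMILTime(indefiniteValue); }
    bool isFinite() const { return m_time < indefiniteValue; }
    bool isIndefinite() const { return m_time == indefiniteValue; }
    bool isUnresolved() const { return m_time == unresolvedValue; }
};

// Parse "<number>s" into a double; stands in for the toDouble(&ok) step of the hunk.
static double parseSeconds(const std::string& s, bool& ok) {
    ok = s.size() >= 2 && s.back() == 's';
    if (!ok) return 0;
    char* end = nullptr;
    double v = std::strtod(s.c_str(), &end);
    ok = end != s.c_str() && end == s.c_str() + s.size() - 1;  // digits consumed up to the 's'
    return v;
}

// Before r172496: only a conversion failure is caught, so a huge but finite
// double is returned as-is and lands between the two sentinels.
SMILTime parseOffsetValueBefore(const std::string& s) {
    bool ok; double v = parseSeconds(s, ok);
    if (!ok) return SMILTime::unresolved();
    return SMILTime(v);
}

// After r172496: anything at or beyond the indefinite sentinel is reported unresolved.
SMILTime parseOffsetValueAfter(const std::string& s) {
    bool ok; double v = parseSeconds(s, ok);
    if (!ok || !SMILTime(v).isFinite()) return SMILTime::unresolved();
    return SMILTime(v);
}

// True when a time is neither finite, indefinite nor unresolved: the "between the
// two reference values" state that the log message says was not handled.
bool inSentinelGap(SMILTime t) {
    return !t.isFinite() && !t.isIndefinite() && !t.isUnresolved();
}
```

The begin value from the added layout test is a finite double far above the assumed indefinite sentinel, so the pre-fix parser returns it unclassified while the post-fix parser maps it to unresolved.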

Diff

Modified: trunk/LayoutTests/ChangeLog (172495 => 172496)


--- trunk/LayoutTests/ChangeLog	2014-08-12 21:59:26 UTC (rev 172495)
+++ trunk/LayoutTests/ChangeLog	2014-08-12 22:30:32 UTC (rev 172496)
@@ -1,3 +1,13 @@
+2014-08-12  Renata Hodovan  <[email protected]>
+
+        Make sure that begin time cannot be greater than SMILTime::indefiniteValue unintentionally.
+        https://bugs.webkit.org/show_bug.cgi?id=135838
+
+        Reviewed by Darin Adler.
+
+        * svg/animations/animateMotion-crash-with-large-begin-time-expected.txt: Added.
+        * svg/animations/animateMotion-crash-with-large-begin-time.html: Added.
+
 2014-08-12  Antti Koivisto  <[email protected]>
 
         Don't recurse into non-rendered subtrees when computing style

Added: trunk/LayoutTests/svg/animations/animateMotion-crash-with-large-begin-time-expected.txt (0 => 172496)


--- trunk/LayoutTests/svg/animations/animateMotion-crash-with-large-begin-time-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/svg/animations/animateMotion-crash-with-large-begin-time-expected.txt	2014-08-12 22:30:32 UTC (rev 172496)
@@ -0,0 +1 @@
+PASS if WebKit does not crash in debug.

Added: trunk/LayoutTests/svg/animations/animateMotion-crash-with-large-begin-time.html (0 => 172496)


--- trunk/LayoutTests/svg/animations/animateMotion-crash-with-large-begin-time.html	                        (rev 0)
+++ trunk/LayoutTests/svg/animations/animateMotion-crash-with-large-begin-time.html	2014-08-12 22:30:32 UTC (rev 172496)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<svg xmlns="http://www.w3.org/2000/svg">
+    <animateMotion begin="689328207834365109403786593332753148024s"/>
+</svg>
+<p>PASS if WebKit does not crash in debug.</p>
+<script>
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+
+    window._onload_ = function() {
+        testRunner.notifyDone();
+    };
+}
+</script>
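Review bot: `window._onload_` on the line `window._onload_ = function() {` is a plain property, not the load event handler, so the function assigned there never runs, `testRunner.notifyDone()` is never reached after `testRunner.waitUntilDone()`, and the test would time out instead of finishing. The handler should be assigned to `window.onload`; if the underscores are an artifact of the mailing-list rendering, the committed file should still be checked to be sure.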

Modified: trunk/Source/WebCore/ChangeLog (172495 => 172496)


--- trunk/Source/WebCore/ChangeLog	2014-08-12 21:59:26 UTC (rev 172495)
+++ trunk/Source/WebCore/ChangeLog	2014-08-12 22:30:32 UTC (rev 172496)
@@ -1,3 +1,23 @@
+2014-08-12  Renata Hodovan  <[email protected]>
+
+        Make sure that begin time cannot be greater than SMILTime::indefiniteValue unintentionally.
+        https://bugs.webkit.org/show_bug.cgi?id=135838
+
+        Reviewed by Darin Adler.
+
+        When WebCore::SVGSMILElement::resolveInterval creates a SMILTime begin
+        node for a SMILInterval, then it only checks if the value of begin is
+        indefinite or unresolved but misses the case if it is between these two
+        reference values.
+
+        This is a backport of my fix in Blink: https://codereview.chromium.org/406263002/.
+
+        Test: svg/animations/animateMotion-crash-with-large-begin-time.html
+
+        * svg/animation/SVGSMILElement.cpp:
+        (WebCore::SVGSMILElement::parseOffsetValue):
+        (WebCore::SVGSMILElement::parseClockValue):
+
 2014-08-12  Andy Estes  <[email protected]>
 
         Revert a change that wasn't meant to be a part of r172482.

Modified: trunk/Source/WebCore/svg/animation/SVGSMILElement.cpp (172495 => 172496)


--- trunk/Source/WebCore/svg/animation/SVGSMILElement.cpp	2014-08-12 21:59:26 UTC (rev 172495)
+++ trunk/Source/WebCore/svg/animation/SVGSMILElement.cpp	2014-08-12 22:30:32 UTC (rev 172496)
@@ -305,7 +305,7 @@
         result = parse.left(parse.length() - 1).toDouble(&ok);
     else
         result = parse.toDouble(&ok);
-    if (!ok)
+    if (!ok || !SMILTime(result).isFinite())
         return SMILTime::unresolved();
     return result;
 }
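Review bot: the new condition `if (!ok || !SMILTime(result).isFinite())` turns a parsed value at or beyond the indefinite sentinel into `unresolved()`, while the ChangeLog describes the problem as the value being greater than `SMILTime::indefiniteValue`; a one-line comment stating that oversized offsets are deliberately reported as unresolved (rather than clamped to indefinite) would keep the next reader from "fixing" it the other way. Minor: `result` is wrapped in a `SMILTime` for the check and converted again on `return result;`; constructing it once (`SMILTime time(result); if (!ok || !time.isFinite()) return SMILTime::unresolved(); return time;`) avoids the double construction and makes it obvious that the value returned is the one that was checked.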
@@ -341,7 +341,7 @@
     } else
         return parseOffsetValue(parse);
 
-    if (!ok)
+    if (!ok || !SMILTime(result).isFinite())
         return SMILTime::unresolved();
     return result;
 }
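Review bot: this is the same guard as in parseOffsetValue, and since the `else` branch at the top of this hunk (`return parseOffsetValue(parse);`) already goes through that guarded path, the check added here only covers the clock-value branches parsed above it. The added layout test uses an offset value (`begin="...s"`), which takes the parseOffsetValue route, so nothing exercises this hunk's check; a second test case written in clock-value syntax (hours:minutes:seconds with an oversized hour count) would cover it. Consider also factoring the repeated `!ok || !SMILTime(result).isFinite()` into one small helper so the two sites cannot drift apart.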
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
