[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

oliver at apple.com oliver at apple.com
Thu Apr 8 00:13:42 UTC 2010


The following commit has been merged in the webkit-1.2 branch:
commit 33ea1761b074db64c608ace430dc2789d139fb8e
Author: oliver at apple.com <oliver at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Thu Dec 3 09:22:14 2009 +0000

    NULL ptr in SVGPathSegList::getPathSegAtLength()
    https://bugs.webkit.org/show_bug.cgi?id=30313
    
    Reviewed by Maciej Stachowiak.
    
    Add exception checks to SVGPathSegList's implementation to catch (and propagate) exceptions.
    Add null checks to SVGList's content manipulation functions to prevent
    null values from entering the list in the first place.
    
    Test: svg/dom/svgpath-out-of-bounds-getPathSeg.html
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@51627 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 738fa0a..d166f7a 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2009-12-03  Oliver Hunt  <oliver at apple.com>
+
+        Reviewed by Maciej Stachowiak.
+
+        NULL ptr in SVGPathSegList::getPathSegAtLength()
+        https://bugs.webkit.org/show_bug.cgi?id=30313
+
+        Add testcases for incorrect pathSeg usage.
+
+        * svg/dom/svgpath-out-of-bounds-getPathSeg-expected.txt: Added.
+        * svg/dom/svgpath-out-of-bounds-getPathSeg.html: Added.
+
 2009-12-02  Shinichiro Hamaji  <hamaji at chromium.org>
 
         Reviewed by Darin Adler.
diff --git a/LayoutTests/svg/dom/svgpath-out-of-bounds-getPathSeg-expected.txt b/LayoutTests/svg/dom/svgpath-out-of-bounds-getPathSeg-expected.txt
new file mode 100644
index 0000000..7d5c151
--- /dev/null
+++ b/LayoutTests/svg/dom/svgpath-out-of-bounds-getPathSeg-expected.txt
@@ -0,0 +1,19 @@
+Tests that an exception is thrown if we try to get a pathSeg for a length out of the bounds of the path itself.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS path.pathSegList.initialize(); threw exception Error: TYPE_MISMATCH_ERR: DOM Exception 17.
+PASS path.getPathSegAtLength(0) is 0
+PASS path.insertItemBefore(null, 0) threw exception TypeError: Result of expression 'path.insertItemBefore' [undefined] is not a function..
+PASS path.replaceItem(null, 0) threw exception TypeError: Result of expression 'path.replaceItem' [undefined] is not a function..
+PASS path.appendItem(null) threw exception TypeError: Result of expression 'path.appendItem' [undefined] is not a function..
+List correctly initialised.
+PASS path.getPathSegAtLength(0) is 0
+PASS path.insertItemBefore(null, 0) threw exception TypeError: Result of expression 'path.insertItemBefore' [undefined] is not a function..
+PASS path.replaceItem(null, 0) threw exception TypeError: Result of expression 'path.replaceItem' [undefined] is not a function..
+PASS path.appendItem(null) threw exception TypeError: Result of expression 'path.appendItem' [undefined] is not a function..
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/svg/dom/svgpath-out-of-bounds-getPathSeg.html b/LayoutTests/svg/dom/svgpath-out-of-bounds-getPathSeg.html
new file mode 100644
index 0000000..cf2aa67
--- /dev/null
+++ b/LayoutTests/svg/dom/svgpath-out-of-bounds-getPathSeg.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<head>
+<link rel="stylesheet" href="../../fast/js/resources/js-test-style.css">
+<script src="../../fast/js/resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script>
+    description("Tests that an exception is thrown if we try to get a pathSeg for a length out of the bounds of the path itself.");
+    path = document.createElementNS("http://www.w3.org/2000/svg", "path");
+    shouldThrow("path.pathSegList.initialize();");
+    shouldBe("path.getPathSegAtLength(0)", '0');
+    shouldThrow("path.insertItemBefore(null, 0)");
+    shouldThrow("path.replaceItem(null, 0)");
+    shouldThrow("path.appendItem(null)");
+    path.pathSegList.initialize(path.createSVGPathSegClosePath());
+    debug("List correctly initialised.");
+    shouldBe("path.getPathSegAtLength(0)", '0');
+    shouldThrow("path.insertItemBefore(null, 0)");
+    shouldThrow("path.replaceItem(null, 0)");
+    shouldThrow("path.appendItem(null)");
+    
+    successfullyParsed = true;
+</script>
+<script src="../../fast/js/resources/js-test-post.js"></script>
+</body>
+</html>
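Review bot: The null-argument cases call `insertItemBefore`, `replaceItem` and `appendItem` on `path` itself, not on `path.pathSegList`, so each throws a TypeError for a missing function and never reaches the null guards this commit adds to SVGList. The expected file records exactly that ("is not a function"). Only `path.pathSegList.initialize()` exercises a new guard. Calling the list, e.g. `shouldThrow("path.pathSegList.appendItem(null)");` and likewise for the other two, then regenerating the expected output, would make the test cover the fix. The description also speaks of out-of-bounds lengths, but only `getPathSegAtLength(0)` is exercised.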
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index c72b3be..5bd5164 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,31 @@
+2009-12-03  Oliver Hunt  <oliver at apple.com>
+
+        Reviewed by Maciej Stachowiak.
+
+        NULL ptr in SVGPathSegList::getPathSegAtLength()
+        https://bugs.webkit.org/show_bug.cgi?id=30313
+
+        Add exception checks to SVGPathSegList's implementation to catch (and propagate) exceptions.
+        Add null checks to SVGList's content manipulation functions to prevent
+        null values from entering the list in the first place.
+
+        Test: svg/dom/svgpath-out-of-bounds-getPathSeg.html
+
+        * svg/SVGList.h:
+        (WebCore::SVGList::initialize):
+        (WebCore::SVGList::insertItemBefore):
+        (WebCore::SVGList::replaceItem):
+        (WebCore::SVGList::appendItem):
+        * svg/SVGPathElement.cpp:
+        (WebCore::SVGPathElement::getPathSegAtLength):
+        * svg/SVGPathElement.h:
+        * svg/SVGPathElement.idl:
+        * svg/SVGPathSegList.cpp:
+        (WebCore::SVGPathSegList::getPathSegAtLength):
+        (WebCore::SVGPathSegList::toPathData):
+        (WebCore::SVGPathSegList::createAnimated):
+        * svg/SVGPathSegList.h:
+
 2009-12-02  Yusuke Sato  <yusukes at chromium.org>
 
         Reviewed by Eric Seidel.
diff --git a/WebCore/svg/SVGList.h b/WebCore/svg/SVGList.h
index b1dfba1..6a3e7ad 100644
--- a/WebCore/svg/SVGList.h
+++ b/WebCore/svg/SVGList.h
@@ -56,6 +56,10 @@ namespace WebCore {
 
         Item initialize(Item newItem, ExceptionCode& ec)
         {
+            if (!newItem) {
+                ec = TYPE_MISMATCH_ERR;
+                return TypeOperations::nullItem();
+            }
             clear(ec);
             return appendItem(newItem, ec);
         }
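Review bot: A short comment above the new guard in initialize() would record why it precedes `clear(ec)`. appendItem() now rejects null on its own, so the only reason to repeat the test here is to avoid emptying the list before failing. Something like `// Reject null before clear() so a failed initialize() leaves the existing items untouched.` is enough. The result of `clear(ec)` is still not examined before `appendItem` is called; whether clear() can set `ec` is not visible in this hunk.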
@@ -92,8 +96,13 @@ namespace WebCore {
             return m_vector[index];
         }
 
-        Item insertItemBefore(Item newItem, unsigned int index, ExceptionCode&)
+        Item insertItemBefore(Item newItem, unsigned int index, ExceptionCode& ec)
         {
+            if (!newItem) {
+                ec = TYPE_MISMATCH_ERR;
+                return TypeOperations::nullItem();
+            }
+
             if (index < m_vector.size()) {
                 m_vector.insert(index, newItem);
             } else {
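Review bot: The guard tests `!newItem` but reports failure with `TypeOperations::nullItem()`, so "null" is defined in two places; the same pattern appears in initialize, replaceItem and appendItem. SVGList is a template, and if it is instantiated with an Item whose `operator!` does not mean "equals the null item" (a numeric or string item, for instance), valid values could be rejected or the code might not compile. Putting the null test in the same traits class that supplies `nullItem()` would keep the two in step. insertItemBefore's body continues past the end of the hunk.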
@@ -108,6 +117,11 @@ namespace WebCore {
                 ec = INDEX_SIZE_ERR;
                 return TypeOperations::nullItem();
             }
+    
+            if (!newItem) {
+                ec = TYPE_MISMATCH_ERR;
+                return TypeOperations::nullItem();
+            }
 
             m_vector[index] = newItem;
             return newItem;
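Review bot: In replaceItem the null guard comes after the index check, whereas the other three functions test `newItem` first, so a null item combined with an out-of-range index reports INDEX_SIZE_ERR rather than TYPE_MISMATCH_ERR. If that precedence is intended it deserves a comment; otherwise move the guard to the top of the function for consistency. The added blank line before the guard also carries trailing whitespace. The function starts outside the hunk.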
@@ -125,8 +139,13 @@ namespace WebCore {
             return item;
         }
 
-        Item appendItem(Item newItem, ExceptionCode&)
+        Item appendItem(Item newItem, ExceptionCode& ec)
         {
+            if (!newItem) {
+                ec = TYPE_MISMATCH_ERR;
+                return TypeOperations::nullItem();
+            }
+
             m_vector.append(newItem);
             return newItem;
         }
diff --git a/WebCore/svg/SVGPathElement.cpp b/WebCore/svg/SVGPathElement.cpp
index 651149e..d53fbb2 100644
--- a/WebCore/svg/SVGPathElement.cpp
+++ b/WebCore/svg/SVGPathElement.cpp
@@ -69,9 +69,9 @@ FloatPoint SVGPathElement::getPointAtLength(float length)
     return toPathData().pointAtLength(length, ok);
 }
 
-unsigned long SVGPathElement::getPathSegAtLength(float length)
+unsigned long SVGPathElement::getPathSegAtLength(float length, ExceptionCode& ec)
 {
-    return pathSegList()->getPathSegAtLength(length);
+    return pathSegList()->getPathSegAtLength(length, ec);
 }
 
 PassRefPtr<SVGPathSegClosePath> SVGPathElement::createSVGPathSegClosePath()
diff --git a/WebCore/svg/SVGPathElement.h b/WebCore/svg/SVGPathElement.h
index 7ea010b..266bfdd 100644
--- a/WebCore/svg/SVGPathElement.h
+++ b/WebCore/svg/SVGPathElement.h
@@ -62,7 +62,7 @@ namespace WebCore {
         virtual bool isValid() const { return SVGTests::isValid(); }
         float getTotalLength();
         FloatPoint getPointAtLength(float distance);
-        unsigned long getPathSegAtLength(float distance);
+        unsigned long getPathSegAtLength(float distance, ExceptionCode&);
 
         static PassRefPtr<SVGPathSegClosePath> createSVGPathSegClosePath();
         static PassRefPtr<SVGPathSegMovetoAbs> createSVGPathSegMovetoAbs(float x, float y);
diff --git a/WebCore/svg/SVGPathElement.idl b/WebCore/svg/SVGPathElement.idl
index d66df1d..9a389c8 100644
--- a/WebCore/svg/SVGPathElement.idl
+++ b/WebCore/svg/SVGPathElement.idl
@@ -37,7 +37,8 @@ module svg {
 
         float getTotalLength();
         SVGPoint getPointAtLength(in float distance);
-        unsigned long getPathSegAtLength(in float distance);
+        unsigned long getPathSegAtLength(in float distance)
+            raises(DOMException, SVGException);
 
         SVGPathSegClosePath createSVGPathSegClosePath();
 
diff --git a/WebCore/svg/SVGPathSegList.cpp b/WebCore/svg/SVGPathSegList.cpp
index 8d6fdef..11cad14 100644
--- a/WebCore/svg/SVGPathSegList.cpp
+++ b/WebCore/svg/SVGPathSegList.cpp
@@ -51,15 +51,16 @@ SVGPathSegList::~SVGPathSegList()
 {
 }
 
-unsigned SVGPathSegList::getPathSegAtLength(double)
+unsigned SVGPathSegList::getPathSegAtLength(double, ExceptionCode& ec)
 {
     // FIXME : to be useful this will need to support non-normalized SVGPathSegLists
-    ExceptionCode ec = 0;
     int len = numberOfItems();
     // FIXME: Eventually this will likely move to a "path applier"-like model, until then PathTraversalState is less useful as we could just use locals
     PathTraversalState traversalState(PathTraversalState::TraversalSegmentAtLength);
     for (int i = 0; i < len; ++i) {
         SVGPathSeg* segment = getItem(i, ec).get();
+        if (ec)
+            return 0;
         float segmentLength = 0;
         switch (segment->pathSegType()) {
         case SVGPathSeg::PATHSEG_MOVETO_ABS:
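Review bot: `segment` is dereferenced at `segment->pathSegType()` on the strength of `if (ec)` alone, so a null item that reaches the list by any route other than the four guarded SVGList functions would still crash here. The visible tail of the indexed accessor in SVGList.h returns `m_vector[index]` without inspecting it. Testing the pointer as well, `if (ec || !segment) return 0;`, keeps this a clean failure, and the same applies to the loops in toPathData and createAnimated. Separately, with the local `ExceptionCode ec = 0;` removed, the early return depends on the caller passing a zeroed `ec`, and 0 is also a legitimate segment index, so callers must test `ec` rather than the return value; a one-line comment stating both would help. The function body continues outside the hunk.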
@@ -104,10 +105,12 @@ Path SVGPathSegList::toPathData()
 {
     // FIXME : This should also support non-normalized PathSegLists
     Path pathData;
-    ExceptionCode ec = 0;
     int len = numberOfItems();
+    ExceptionCode ec = 0;
     for (int i = 0; i < len; ++i) {
         SVGPathSeg* segment = getItem(i, ec).get();
+        if (ec)
+            return Path();
         switch (segment->pathSegType()) {
             case SVGPathSeg::PATHSEG_MOVETO_ABS:
             {
@@ -182,10 +185,14 @@ PassRefPtr<SVGPathSegList> SVGPathSegList::createAnimated(const SVGPathSegList*
     if (!itemCount || itemCount != toList->numberOfItems())
         return 0;
     RefPtr<SVGPathSegList> result = create(fromList->associatedAttributeName());
-    ExceptionCode ec;
+    ExceptionCode ec = 0;
     for (unsigned n = 0; n < itemCount; ++n) {
         SVGPathSeg* from = fromList->getItem(n, ec).get();
+        if (ec)
+            return 0;
         SVGPathSeg* to = toList->getItem(n, ec).get();
+        if (ec)
+            return 0;
         if (from->pathSegType() == SVGPathSeg::PATHSEG_UNKNOWN || from->pathSegType() != to->pathSegType())
             return 0;
         RefPtr<SVGPathSeg> segment = 0;
@@ -251,6 +258,8 @@ PassRefPtr<SVGPathSegList> SVGPathSegList::createAnimated(const SVGPathSegList*
             ASSERT_NOT_REACHED();
         }
         result->appendItem(segment, ec);
+        if (ec)
+            return 0;
     }
     return result.release();
 }
diff --git a/WebCore/svg/SVGPathSegList.h b/WebCore/svg/SVGPathSegList.h
index d9325ce..d2999f0 100644
--- a/WebCore/svg/SVGPathSegList.h
+++ b/WebCore/svg/SVGPathSegList.h
@@ -36,7 +36,7 @@ namespace WebCore {
         static PassRefPtr<SVGPathSegList> create(const QualifiedName& attributeName) { return adoptRef(new SVGPathSegList(attributeName)); }
         virtual ~SVGPathSegList();
 
-        unsigned getPathSegAtLength(double);
+        unsigned getPathSegAtLength(double, ExceptionCode&);
         Path toPathData();
         
         static PassRefPtr<SVGPathSegList> createAnimated(const SVGPathSegList* fromList, const SVGPathSegList* toList, float progress);

-- 
WebKit Debian packaging


