[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

Gustavo Noronha Silva gns at gnome.org
Thu Apr 8 02:24:29 UTC 2010


The following commit has been merged in the webkit-1.2 branch:
commit d80df57d4c52490b9a5623242650eda1cc06b4fb
Author: oliver at apple.com <oliver at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Mar 19 06:24:19 2010 +0000

    WebCore: Fix a minor crash with mismatched array sizes in SVG animation
    elements.
    
    Patch by Chris Evans <cevans at chromium.org> on 2010-03-18
    Reviewed by Nikolas Zimmermann.
    
    https://bugs.webkit.org/show_bug.cgi?id=35606
    
    Test: svg/animations/keypoints-mismatch.svg
    
    * svg/SVGAnimationElement.cpp:
    (WebCore::SVGAnimationElement::startedActiveInterval):
    Globally apply validations relevant to all animation types.
    
    LayoutTests: Add test for minor SVG animation crashers.
    See https://bugs.webkit.org/show_bug.cgi?id=35606
    
    Patch by Chris Evans <cevans at chromium.org> on 2010-03-18
    Reviewed by Nikolas Zimmermann.
    
    * svg/animations/keypoints-mismatch.svg: Added.
    * svg/animations/keypoints-mismatch-expected.txt: Added.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@56214 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 6f5e387..128bfdb 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-03-18  Chris Evans  <cevans at chromium.org>
+
+        Reviewed by Nikolas Zimmermann.
+
+        Add test for minor SVG animation crashers.
+        See https://bugs.webkit.org/show_bug.cgi?id=35606
+
+        * svg/animations/keypoints-mismatch.svg: Added.
+        * svg/animations/keypoints-mismatch-expected.txt: Added.
+
 2010-03-23  MORITA Hajime  <morrita at google.com>
 
         Reviewed by Alexey Proskuryakov.
diff --git a/LayoutTests/svg/animations/keypoints-mismatch-expected.txt b/LayoutTests/svg/animations/keypoints-mismatch-expected.txt
new file mode 100644
index 0000000..02e1032
--- /dev/null
+++ b/LayoutTests/svg/animations/keypoints-mismatch-expected.txt
@@ -0,0 +1 @@
+Excellent - did not crash. See bug https://bugs.webkit.org/show_bug.cgi?id=35606
diff --git a/LayoutTests/svg/animations/keypoints-mismatch.svg b/LayoutTests/svg/animations/keypoints-mismatch.svg
new file mode 100644
index 0000000..8881323
--- /dev/null
+++ b/LayoutTests/svg/animations/keypoints-mismatch.svg
@@ -0,0 +1,11 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+<g>
+<animateMotion to="0" calcMode="linear" keyPoints="0"/>
+<animateMotion dur="10s" from="50" to="100" calcMode="spline" keyPoints="0;0;0;0" keyTimes="0;0;0;0" keySplines="0"/>
+</g>
+<text>Excellent - did not crash. See bug https://bugs.webkit.org/show_bug.cgi?id=35606</text>
+<script>
+if (window.layoutTestController)
+  layoutTestController.dumpAsText();
+</script>
+</svg>
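Review bot: Both cases in this test are `<animateMotion>`, while the validation added to startedActiveInterval is described as applying to all animation types. A plain `<animate>` case whose `values` count disagrees with `keySplines`/`keyTimes` would cover the `m_values.size() != num` branch, and a well-formed spline animation next to it would show that valid input is still accepted. The script only calls `dumpAsText()`, so it may be worth confirming that the active interval actually starts before the result is dumped.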
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 948d2bf..9fe6a1b 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2010-03-18  Chris Evans  <cevans at chromium.org>
+
+        Reviewed by Nikolas Zimmermann.
+
+        Fix a minor crash with mismatched array sizes in SVG animation
+        elements.
+
+        https://bugs.webkit.org/show_bug.cgi?id=35606
+
+        Test: svg/animations/keypoints-mismatch.svg
+
+        * svg/SVGAnimationElement.cpp:
+        (WebCore::SVGAnimationElement::startedActiveInterval):
+        Globally apply validations relevant to all animation types.
+
 2010-03-23  MORITA Hajime  <morrita at google.com>
 
         Reviewed by Alexey Proskuryakov.
diff --git a/WebCore/svg/SVGAnimationElement.cpp b/WebCore/svg/SVGAnimationElement.cpp
index 39abbfc..7e07858 100644
--- a/WebCore/svg/SVGAnimationElement.cpp
+++ b/WebCore/svg/SVGAnimationElement.cpp
@@ -476,6 +476,17 @@ void SVGAnimationElement::startedActiveInterval()
     if (!hasValidTarget())
         return;
 
+    // These validations are appropriate for all animation modes.
+    if (hasAttribute(SVGNames::keyPointsAttr) && m_keyPoints.size() != m_keyTimes.size())
+        return;
+
+    CalcMode calcMode = this->calcMode();
+    if (calcMode == CalcModeSpline) {
+        unsigned num = m_keySplines.size() + 1;
+        if ((hasAttribute(SVGNames::keyPointsAttr) && m_keyPoints.size() != num) || m_values.size() != num)
+            return;
+    }
+
     AnimationMode animationMode = this->animationMode();
     if (animationMode == NoAnimation)
         return;
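Review bot: The spline check's `m_values.size() != num` clause runs before the animation mode is known, so it applies to from/to/by and path animations as well as `values` animations. If `m_values` is only filled from a `values` attribute (not visible in this hunk), every non-values animation with `calcMode="spline"` now returns early here and never animates. Consider reading `animationMode` first and gating the clause, `|| (animationMode == ValuesAnimation && m_values.size() != num)`, and in the same block comparing `m_keyTimes.size()` with `num` when `keyTimesAttr` is present, so the spline lookup stays bounded for the modes that are let through. The early returns also rely on `m_animationValid` already being false at this point; the function starts outside the hunk, so that is worth confirming.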
@@ -490,7 +501,6 @@ void SVGAnimationElement::startedActiveInterval()
     else if (animationMode == ByAnimation)
         m_animationValid = calculateFromAndByValues(String(), byValue());
     else if (animationMode == ValuesAnimation) {
-        CalcMode calcMode = this->calcMode();
         m_animationValid = m_values.size() > 1
             && (calcMode == CalcModePaced || !hasAttribute(SVGNames::keyTimesAttr) || hasAttribute(SVGNames::keyPointsAttr) || (m_values.size() == m_keyTimes.size()))
             && (calcMode == CalcModeDiscrete || !m_keyTimes.size() || m_keyTimes.last() == 1.0)
@@ -499,7 +509,7 @@ void SVGAnimationElement::startedActiveInterval()
         if (calcMode == CalcModePaced && m_animationValid)
             calculateKeyTimesForCalcModePaced();
     } else if (animationMode == PathAnimation)
-        m_animationValid = calcMode() == CalcModePaced || !hasAttribute(SVGNames::keyPointsAttr) || (m_keyTimes.size() > 1 && m_keyTimes.size() == m_keyPoints.size());
+        m_animationValid = calcMode == CalcModePaced || !hasAttribute(SVGNames::keyPointsAttr) || (m_keyTimes.size() > 1 && m_keyTimes.size() == m_keyPoints.size());
 }
     
 void SVGAnimationElement::updateAnimation(float percent, unsigned repeat, SVGSMILElement* resultElement)

-- 
WebKit Debian packaging


