[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

Gustavo Noronha Silva gns at gnome.org
Thu Apr 8 02:24:22 UTC 2010


The following commit has been merged in the webkit-1.2 branch:
commit ad436b10ed1be1efffd764cb743c73a3bce8217d
Author: krit at webkit.org <krit at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Mon Mar 22 19:46:28 2010 +0000

    2010-03-22  Justin Schuh  <jschuh at chromium.org>
    
            Reviewed by Dirk Schulze.
    
            Out of bounds read in SVG feColorMatrix filter
            https://bugs.webkit.org/show_bug.cgi?id=32714
    
            Prevents an invalid read when a valid values attribute is not
            supplied for an feColorMatrix SVG filter. Also fixes general
            handling of missing or invalid values attribute.
    
            Tests: svg/filters/feColorMatrix-invalid-value.svg
                   svg/filters/feColorMatrix-values.svg
    
            * svg/SVGFEColorMatrixElement.cpp:
            (WebCore::SVGFEColorMatrixElement::build):
    
    2010-03-22  Justin Schuh  <jschuh at chromium.org>
    
            Reviewed by Dirk Schulze.
    
            Out of bounds read in SVG feColorMatrix filter
            https://bugs.webkit.org/show_bug.cgi?id=32714
    
            Prevents an invalid read when a valid values attribute is not
            supplied for an feColorMatrix SVG filter. Also fixes general
            handling of missing or invalid values attribute.
    
            * platform/win/svg/filters: Added.
            * platform/win/svg/filters/feColorMatrix-values-expected.checksum: Added.
            * platform/win/svg/filters/feColorMatrix-values-expected.png: Added.
            * platform/win/svg/filters/feColorMatrix-values-expected.txt: Added.
            * svg/filters/feColorMatrix-invalid-value-expected.txt: Added.
            * svg/filters/feColorMatrix-invalid-value.svg: Added.
            * svg/filters/feColorMatrix-values.svg: Added.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@56355 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index a46adf4..ff77a2a 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,22 @@
+2010-03-22  Justin Schuh  <jschuh at chromium.org>
+
+        Reviewed by Dirk Schulze.
+
+        Out of bounds read in SVG feColorMatrix filter
+        https://bugs.webkit.org/show_bug.cgi?id=32714
+
+        Prevents an invalid read when a valid values attribute is not
+        supplied for an feColorMatrix SVG filter. Also fixes general
+        handling of missing or invalid values attribute.
+
+        * platform/win/svg/filters: Added.
+        * platform/win/svg/filters/feColorMatrix-values-expected.checksum: Added.
+        * platform/win/svg/filters/feColorMatrix-values-expected.png: Added.
+        * platform/win/svg/filters/feColorMatrix-values-expected.txt: Added.
+        * svg/filters/feColorMatrix-invalid-value-expected.txt: Added.
+        * svg/filters/feColorMatrix-invalid-value.svg: Added.
+        * svg/filters/feColorMatrix-values.svg: Added.
+
 2010-03-22  Geoffrey Garen  <ggaren at apple.com>
 
         Reviewed by Sam Weinig.
diff --git a/LayoutTests/platform/win/svg/filters/feColorMatrix-values-expected.checksum b/LayoutTests/platform/win/svg/filters/feColorMatrix-values-expected.checksum
new file mode 100644
index 0000000..29eb22d
--- /dev/null
+++ b/LayoutTests/platform/win/svg/filters/feColorMatrix-values-expected.checksum
@@ -0,0 +1 @@
+57be7a9d27f93859e1fc00135cd4cb20
\ No newline at end of file
diff --git a/LayoutTests/platform/win/svg/filters/feColorMatrix-values-expected.png b/LayoutTests/platform/win/svg/filters/feColorMatrix-values-expected.png
new file mode 100644
index 0000000..1eb7baf
Binary files /dev/null and b/LayoutTests/platform/win/svg/filters/feColorMatrix-values-expected.png differ
diff --git a/LayoutTests/platform/win/svg/filters/feColorMatrix-values-expected.txt b/LayoutTests/platform/win/svg/filters/feColorMatrix-values-expected.txt
new file mode 100644
index 0000000..8b0e643
--- /dev/null
+++ b/LayoutTests/platform/win/svg/filters/feColorMatrix-values-expected.txt
@@ -0,0 +1,73 @@
+KCanvasResource {id="satfull" [type=FILTER]  [bounding box=at (-10.00%,-10.00%) size 120.00%x120.00%]}
+KCanvasResource {id="matnull" [type=FILTER]  [bounding box=at (-10.00%,-10.00%) size 120.00%x120.00%]}
+KCanvasResource {id="satnull" [type=FILTER]  [bounding box=at (-10.00%,-10.00%) size 120.00%x120.00%]}
+KCanvasResource {id="huenull" [type=FILTER]  [bounding box=at (-10.00%,-10.00%) size 120.00%x120.00%]}
+KCanvasResource {id="matbad" [type=FILTER]  [bounding box=at (-10.00%,-10.00%) size 120.00%x120.00%]}
+KCanvasResource {id="satbad" [type=FILTER]  [bounding box=at (-10.00%,-10.00%) size 120.00%x120.00%]}
+KCanvasResource {id="huebad" [type=FILTER]  [bounding box=at (-10.00%,-10.00%) size 120.00%x120.00%]}
+KCanvasResource {id="satrange" [type=FILTER]  [bounding box=at (-10.00%,-10.00%) size 120.00%x120.00%]}
+KCanvasResource {id="huerange" [type=FILTER]  [bounding box=at (-10.00%,-10.00%) size 120.00%x120.00%]}
+layer at (0,0) size 800x600
+  RenderView at (0,0) size 800x600
+layer at (0,0) size 800x600
+  RenderSVGRoot {svg} at (0,0) size 800x600
+    RenderSVGHiddenContainer {defs} at (0,0) size 0x0
+    RenderSVGContainer {g} at (0,0) size 441x441
+      RenderPath {rect} at (0,0) size 441x441 [fill={[type=SOLID] [color=#00FF00]}] [filter=satfull] [data="M0.00,0.00 L400.00,0.00 L400.00,400.00 L0.00,400.00 Z"]
+      RenderPath {rect} at (2,2) size 196x396 [fill={[type=SOLID] [color=#FF0000]}] [data="M2.00,2.00 L198.00,2.00 L198.00,398.00 L2.00,398.00 Z"]
+      RenderSVGText {text} at (10,40) size 171x30 contains 1 chunk(s)
+        RenderSVGInlineText {#text} at (0,-25) size 171x30
+          chunk 1 text run 1 at (10.00,40.00) startOffset 0 endOffset 17 width 171.00: "Should be default"
+      RenderSVGText {text} at (10,70) size 70x30 contains 1 chunk(s)
+        RenderSVGInlineText {#text} at (0,-25) size 70x30
+          chunk 1 text run 1 at (10.00,70.00) startOffset 0 endOffset 7 width 70.00: "matrix."
+      RenderPath {rect} at (0,0) size 221x115 [fill={[type=SOLID] [color=#00FF00]}] [filter=matnull] [data="M0.00,0.00 L200.00,0.00 L200.00,104.00 L0.00,104.00 Z"]
+      RenderSVGText {text} at (10,140) size 171x30 contains 1 chunk(s)
+        RenderSVGInlineText {#text} at (0,-25) size 171x30
+          chunk 1 text run 1 at (10.00,140.00) startOffset 0 endOffset 17 width 171.00: "Should be default"
+      RenderSVGText {text} at (10,170) size 82x30 contains 1 chunk(s)
+        RenderSVGInlineText {#text} at (0,-25) size 82x30
+          chunk 1 text run 1 at (10.00,170.00) startOffset 0 endOffset 9 width 82.00: "saturate."
+      RenderPath {rect} at (0,89) size 221x126 [fill={[type=SOLID] [color=#00FF00]}] [filter=satnull] [data="M0.00,100.00 L200.00,100.00 L200.00,204.00 L0.00,204.00 Z"]
+      RenderSVGText {text} at (10,240) size 171x30 contains 1 chunk(s)
+        RenderSVGInlineText {#text} at (0,-25) size 171x30
+          chunk 1 text run 1 at (10.00,240.00) startOffset 0 endOffset 17 width 171.00: "Should be default"
+      RenderSVGText {text} at (10,270) size 105x30 contains 1 chunk(s)
+        RenderSVGInlineText {#text} at (0,-25) size 105x30
+          chunk 1 text run 1 at (10.00,270.00) startOffset 0 endOffset 10 width 105.00: "hueRotate."
+      RenderPath {rect} at (0,189) size 221x126 [fill={[type=SOLID] [color=#00FF00]}] [filter=huenull] [data="M0.00,200.00 L200.00,200.00 L200.00,304.00 L0.00,304.00 Z"]
+      RenderSVGText {text} at (10,340) size 152x30 contains 1 chunk(s)
+        RenderSVGInlineText {#text} at (0,-25) size 152x30
+          chunk 1 text run 1 at (10.00,340.00) startOffset 0 endOffset 15 width 152.00: "Should be valid"
+      RenderSVGText {text} at (10,370) size 105x30 contains 1 chunk(s)
+        RenderSVGInlineText {#text} at (0,-25) size 105x30
+          chunk 1 text run 1 at (10.00,370.00) startOffset 0 endOffset 10 width 105.00: "hueRotate."
+      RenderPath {rect} at (0,290) size 221x119 [fill={[type=SOLID] [color=#00FF00]}] [filter=huerange] [data="M0.00,300.00 L200.00,300.00 L200.00,399.00 L0.00,399.00 Z"]
+      RenderPath {rect} at (182,0) size 236x108 [fill={[type=SOLID] [color=#FF0000]}] [filter=matbad] [data="M202.00,2.00 L398.00,2.00 L398.00,98.00 L202.00,98.00 Z"]
+      RenderSVGText {text} at (210,40) size 139x30 contains 1 chunk(s)
+        RenderSVGInlineText {#text} at (0,-25) size 139x30
+          chunk 1 text run 1 at (210.00,40.00) startOffset 0 endOffset 14 width 139.00: "Invalid matrix"
+      RenderSVGText {text} at (210,70) size 156x30 contains 1 chunk(s)
+        RenderSVGInlineText {#text} at (0,-25) size 156x30
+          chunk 1 text run 1 at (210.00,70.00) startOffset 0 endOffset 17 width 156.00: "values attribute."
+      RenderPath {rect} at (182,92) size 236x116 [fill={[type=SOLID] [color=#FF0000]}] [filter=huebad] [data="M202.00,102.00 L398.00,102.00 L398.00,198.00 L202.00,198.00 Z"]
+      RenderSVGText {text} at (210,140) size 151x30 contains 1 chunk(s)
+        RenderSVGInlineText {#text} at (0,-25) size 151x30
+          chunk 1 text run 1 at (210.00,140.00) startOffset 0 endOffset 16 width 151.00: "Invalid saturate"
+      RenderSVGText {text} at (210,170) size 156x30 contains 1 chunk(s)
+        RenderSVGInlineText {#text} at (0,-25) size 156x30
+          chunk 1 text run 1 at (210.00,170.00) startOffset 0 endOffset 17 width 156.00: "values attribute."
+      RenderPath {rect} at (182,192) size 236x116 [fill={[type=SOLID] [color=#FF0000]}] [filter=satbad] [data="M202.00,202.00 L398.00,202.00 L398.00,298.00 L202.00,298.00 Z"]
+      RenderSVGText {text} at (210,240) size 174x30 contains 1 chunk(s)
+        RenderSVGInlineText {#text} at (0,-25) size 174x30
+          chunk 1 text run 1 at (210.00,240.00) startOffset 0 endOffset 17 width 174.00: "Invalid hueRotate"
+      RenderSVGText {text} at (210,270) size 156x30 contains 1 chunk(s)
+        RenderSVGInlineText {#text} at (0,-25) size 156x30
+          chunk 1 text run 1 at (210.00,270.00) startOffset 0 endOffset 17 width 156.00: "values attribute."
+      RenderPath {rect} at (182,292) size 236x116 [fill={[type=SOLID] [color=#FF0000]}] [filter=satrange] [data="M202.00,302.00 L398.00,302.00 L398.00,398.00 L202.00,398.00 Z"]
+      RenderSVGText {text} at (210,340) size 162x30 contains 1 chunk(s)
+        RenderSVGInlineText {#text} at (0,-25) size 162x30
+          chunk 1 text run 1 at (210.00,340.00) startOffset 0 endOffset 16 width 162.00: "Saturate must be"
+      RenderSVGText {text} at (210,370) size 164x30 contains 1 chunk(s)
+        RenderSVGInlineText {#text} at (0,-25) size 164x30
+          chunk 1 text run 1 at (210.00,370.00) startOffset 0 endOffset 16 width 164.00: "between 0 and 1."
diff --git a/LayoutTests/svg/filters/feColorMatrix-invalid-value-expected.txt b/LayoutTests/svg/filters/feColorMatrix-invalid-value-expected.txt
new file mode 100644
index 0000000..af7e9b6
--- /dev/null
+++ b/LayoutTests/svg/filters/feColorMatrix-invalid-value-expected.txt
@@ -0,0 +1,3 @@
+This test is to ensure that we do not crash when loading a SVG image with an invalid feColorMatrix filter
+PASS: Did not crash when rendering the SVG image.
+
diff --git a/LayoutTests/svg/filters/feColorMatrix-invalid-value.svg b/LayoutTests/svg/filters/feColorMatrix-invalid-value.svg
new file mode 100644
index 0000000..5809794
--- /dev/null
+++ b/LayoutTests/svg/filters/feColorMatrix-invalid-value.svg
@@ -0,0 +1,29 @@
+<html xmlns="http://www.w3.org/1999/xhtml">  
+  <body>
+    This test is to ensure that we do not crash when loading a SVG image with an invalid feColorMatrix filter
+    <div id="log"><span style='color: red;'>FAIL:</span> Did not complete test</div>
+    <svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="10" height="10">
+    <defs id="base_defs">
+        <filter id="m1">
+            <feColorMatrix type="matrix" values="1"/>
+        </filter>
+    </defs>
+    <g id="base_g">
+        <rect width="10" height="10" x="0" y="0" fill="green" style="filter:url(#m1)" />
+    </g>
+    </svg>
+    <script><![CDATA[
+        if (window.layoutTestController)
+            layoutTestController.dumpAsText();
+
+        var log = document.getElementById("log");
+        while (log.childNodes.length)
+            log.removeChild(log.firstChild);
+        var msg = document.createElementNS("http://www.w3.org/1999/xhtml", "span");
+        msg.style.color = "green";
+        msg.appendChild(document.createTextNode("PASS:"));
+        log.appendChild(msg);
+        log.appendChild(document.createTextNode(" Did not crash when rendering the SVG image."));
+    ]]></script>
+  </body>
+</html>
\ No newline at end of file
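Review bot: This test can only catch the out-of-bounds read if the read happens to crash the renderer, because the script writes the PASS text unconditionally once it runs. A read that silently returns adjacent memory would still pass, so the test is only a reliable regression guard when run under a memory-checking build. I would say so in a comment next to the filter, for example `<!-- type="matrix" requires 20 values; a shorter list used to be read past its end. Only reliable under a memory checker. -->`. The case covered is the single `values="1"` on `type="matrix"`, so an empty `values=""` and a non-numeric list would be worth adding as further filters in the same file.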
diff --git a/LayoutTests/svg/filters/feColorMatrix-values.svg b/LayoutTests/svg/filters/feColorMatrix-values.svg
new file mode 100644
index 0000000..fe67e71
--- /dev/null
+++ b/LayoutTests/svg/filters/feColorMatrix-values.svg
@@ -0,0 +1,68 @@
+<svg xmlns="http://www.w3.org/2000/svg" version="1.1">
+<defs>
+    <filter id="satfull">
+        <feColorMatrix type="saturate" values="1" />
+    </filter>
+
+    <filter id="matnull">
+        <feColorMatrix type="matrix" />
+    </filter>
+    <filter id="satnull">
+        <feColorMatrix type="saturate" />
+    </filter>
+    <filter id="huenull">
+        <feColorMatrix type="hueRotate" />
+    </filter>
+
+    <filter id="matbad">
+        <feColorMatrix type="matrix" values="1 1 1" />
+    </filter>
+    <filter id="satbad">
+        <feColorMatrix type="saturate" values="1 1 1" />
+    </filter>
+    <filter id="huebad">
+        <feColorMatrix type="hueRotate" values="1 1 1" />
+    </filter>
+
+    <filter id="satrange">
+        <feColorMatrix type="saturate" values="2" />
+    </filter>
+    <filter id="huerange">
+        <feColorMatrix type="hueRotate" values="720" />
+    </filter>
+
+</defs>
+  <g font-size="24" fill="black">
+    <!-- Backround for tests. Green is success and red is failure -->
+    <rect y="0" x="0" width="400" height="400" fill="lime" style="filter:url(#satfull)" />
+    <rect y="2" x="2" width="196" height="396" fill="red" />
+
+    <!-- Display default parameters when values is not present -->
+    <text y="40" x="10" >Should be default</text>
+    <text y="70" x="10" >matrix.</text>
+    <rect y="0" x="0" width="200" height="104" fill="lime" style="filter:url(#matnull)" />
+    <text y="140" x="10" >Should be default</text>
+    <text y="170" x="10" >saturate.</text>
+    <rect y="100" x="0" width="200" height="104" fill="lime" style="filter:url(#satnull)" />
+    <text y="240" x="10" >Should be default</text>
+    <text y="270" x="10" >hueRotate.</text>
+    <rect y="200" x="0" width="200" height="104" fill="lime" style="filter:url(#huenull)" />
+    <text y="340" x="10">Should be valid</text>
+    <text y="370" x="10">hueRotate.</text>
+    <rect y="300" x="0" width="200" height="99" fill="lime" style="filter:url(#huerange)" />
+
+    <!-- Do not render element if values is invalid -->
+    <rect y="2" x="202" width="196" height="96" fill="red" style="filter:url(#matbad)" />
+    <text y="40" x="210" style="filter:url(#matbad)">Invalid matrix</text>
+    <text y="70" x="210" style="filter:url(#matbad)">values attribute.</text>
+    <rect y="102" x="202" width="196" height="96" fill="red" style="filter:url(#huebad)" />
+    <text y="140" x="210" style="filter:url(#huebad)">Invalid saturate</text>
+    <text y="170" x="210" style="filter:url(#huebad)">values attribute.</text>
+    <rect y="202" x="202" width="196" height="96" fill="red" style="filter:url(#satbad)" />
+    <text y="240" x="210" style="filter:url(#satbad)">Invalid hueRotate</text>
+    <text y="270" x="210" style="filter:url(#satbad)">values attribute.</text>
+    <rect y="302" x="202" width="196" height="96" fill="red" style="filter:url(#satrange)" />
+    <text y="340" x="210" style="filter:url(#satrange)">Saturate must be </text>
+    <text y="370" x="210" style="filter:url(#satrange)">between 0 and 1.</text>
+</g>
+</svg>
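Review bot: The labels in the "Do not render element if values is invalid" group do not match the filters they reference: the text "Invalid saturate" is styled with `url(#huebad)` and "Invalid hueRotate" with `url(#satbad)`. The mismatch is invisible while the test passes, since none of these elements should render, but on a regression the visible label would name the wrong filter type. I would swap the two so the second block reads `style="filter:url(#satbad)"` and the third `style="filter:url(#huebad)"`, then regenerate the expected results. The comment `Backround for tests` should read `Background for tests`.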
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index a52ecd5..1bbc2c5 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,20 @@
+2010-03-22  Justin Schuh  <jschuh at chromium.org>
+
+        Reviewed by Dirk Schulze.
+
+        Out of bounds read in SVG feColorMatrix filter
+        https://bugs.webkit.org/show_bug.cgi?id=32714
+
+        Prevents an invalid read when a valid values attribute is not
+        supplied for an feColorMatrix SVG filter. Also fixes general
+        handling of missing or invalid values attribute.
+
+        Tests: svg/filters/feColorMatrix-invalid-value.svg
+               svg/filters/feColorMatrix-values.svg
+
+        * svg/SVGFEColorMatrixElement.cpp:
+        (WebCore::SVGFEColorMatrixElement::build):
+
 2010-03-22  Beth Dakin  <bdakin at apple.com>
 
         Reviewed by Darin Adler.
diff --git a/WebCore/svg/SVGFEColorMatrixElement.cpp b/WebCore/svg/SVGFEColorMatrixElement.cpp
index e27ad86..e62393f 100644
--- a/WebCore/svg/SVGFEColorMatrixElement.cpp
+++ b/WebCore/svg/SVGFEColorMatrixElement.cpp
@@ -88,15 +88,42 @@ bool SVGFEColorMatrixElement::build(SVGResourceFilter* filterResource)
     if (!input1)
         return false;
 
-    Vector<float> _values;
+    Vector<float> filterValues;
     SVGNumberList* numbers = values();
+    const ColorMatrixType filterType(static_cast<const ColorMatrixType>(type()));
+
+    // Use defaults if values is empty (SVG 1.1 15.10).
+    if (!hasAttribute(SVGNames::valuesAttr)) {
+        switch (filterType) {
+        case FECOLORMATRIX_TYPE_MATRIX:
+            for (size_t i = 0; i < 20; i++)
+                filterValues.append((i % 6) ? 0.0f : 1.0f);
+            break;
+        case FECOLORMATRIX_TYPE_HUEROTATE:
+            filterValues.append(0.0f);
+            break;
+        case FECOLORMATRIX_TYPE_SATURATE:
+            filterValues.append(1.0f);
+            break;
+        default:
+            break;
+        }
+    } else {
+        size_t size = numbers->numberOfItems();
+        for (size_t i = 0; i < size; i++) {
+            ExceptionCode ec = 0;
+            filterValues.append(numbers->getItem(i, ec));
+        }
+        size = filterValues.size();
+
+        if ((filterType == FECOLORMATRIX_TYPE_MATRIX && size != 20)
+            || (filterType == FECOLORMATRIX_TYPE_HUEROTATE && size != 1)
+            || (filterType == FECOLORMATRIX_TYPE_SATURATE && (size != 1
+                || filterValues[0] < 0.0f || filterValues[0] > 1.0f)))
+            return false;
+    }
 
-    ExceptionCode ec = 0;
-    unsigned int nr = numbers->numberOfItems();
-    for (unsigned int i = 0;i < nr;i++)
-        _values.append(numbers->getItem(i, ec));
-
-    RefPtr<FilterEffect> effect = FEColorMatrix::create(input1, static_cast<ColorMatrixType>(type()), _values);
+    RefPtr<FilterEffect> effect = FEColorMatrix::create(input1, filterType, filterValues);
     filterResource->addFilterEffect(this, effect.release());
     
     return true;
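Review bot: The length check that closes the `else` branch only rejects the three types it names, so any `filterType` that falls into the `default:` arm of the switch above still reaches `FEColorMatrix::create` with a vector of arbitrary length, including an empty one. Whether the consumer indexes `filterValues` for those types is not visible in this hunk, so I would either return false for unrecognised types here or add a comment stating that the consumer never reads the vector for them. The saturate range test also accepts NaN, because both `< 0.0f` and `> 1.0f` are false for NaN; writing it as `!(filterValues[0] >= 0.0f && filterValues[0] <= 1.0f)` rejects it. `ec` from `getItem` is set but never inspected, and the literal `20` appears in both the default-matrix loop and the size check and would be clearer as one named constant. `build` begins and ends outside the hunk.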

-- 
WebKit Debian packaging


