[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
commit-queue at webkit.org
commit-queue at webkit.org
Wed Dec 22 11:36:45 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit 5716e0e6c3bb43281479a75c76279003cc8e14fa
Author: commit-queue at webkit.org <commit-queue at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Fri Jul 30 22:24:28 2010 +0000
2010-07-30 W. James MacLean <wjmaclean at google.com>
Reviewed by Nikolas Zimmermann.
SVG - numeric overflow for very large elements
https://bugs.webkit.org/show_bug.cgi?id=25645
Two of the expected test outputs were incorrect now that parsing of large values
is handled correctly.
- Revised FloatRect to remove bad float-to-int conversions in enclosingIntRect()
- Revised _parseNumber to do right-to-left float-based parsing of input value
* platform/gtk/svg/custom/pattern-excessive-malloc-expected.txt: Removed.
* platform/mac/svg/custom/mask-excessive-malloc-expected.txt:
* platform/mac/svg/custom/massive-coordinates-expected.txt: Added.
* platform/mac/svg/custom/pattern-excessive-malloc-expected.txt:
* platform/qt/svg/custom/pattern-excessive-malloc-expected.checksum: Removed.
* platform/qt/svg/custom/pattern-excessive-malloc-expected.png: Removed.
* platform/qt/svg/custom/pattern-excessive-malloc-expected.txt: Removed.
* svg/custom/mask-excessive-malloc-expected.txt: Added.
* svg/custom/massive-coordinates-expected.txt: Added.
* svg/custom/massive-coordinates.svg: Added.
* svg/custom/pattern-excessive-malloc-expected.txt: Added.
2010-07-30 W. James MacLean <wjmaclean at google.com>
Reviewed by Nikolas Zimmermann.
SVG - numeric overflow for very large elements
https://bugs.webkit.org/show_bug.cgi?id=25645
Two of the expected test outputs were incorrect now that parsing of large values
is handled correctly.
- Revised FloatRect to remove bad float-to-int conversions in enclosingIntRect()
- Revised _parseNumber to do right-to-left float-based parsing of input value
Test: svg/custom/massive-coordinates.svg
* platform/graphics/FloatRect.cpp:
(WebCore::safeFloatToInt):
(WebCore::enclosingIntRect):
* svg/SVGParserUtilities.cpp:
(WebCore::_parseNumber):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@64379 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index abb6be4..e6ccc2b 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,27 @@
+2010-07-30 W. James MacLean <wjmaclean at google.com>
+
+ Reviewed by Nikolas Zimmermann.
+
+ SVG - numeric overflow for very large elements
+ https://bugs.webkit.org/show_bug.cgi?id=25645
+
+ Two of the expected test outputs were incorrect now that parsing of large values
+ is handled correctly.
+ - Revised FloatRect to remove bad float-to-int conversions in enclosingIntRect()
+ - Revised _parseNumber to do right-to-left float-based parsing of input value
+
+ * platform/gtk/svg/custom/pattern-excessive-malloc-expected.txt: Removed.
+ * platform/mac/svg/custom/mask-excessive-malloc-expected.txt:
+ * platform/mac/svg/custom/massive-coordinates-expected.txt: Added.
+ * platform/mac/svg/custom/pattern-excessive-malloc-expected.txt:
+ * platform/qt/svg/custom/pattern-excessive-malloc-expected.checksum: Removed.
+ * platform/qt/svg/custom/pattern-excessive-malloc-expected.png: Removed.
+ * platform/qt/svg/custom/pattern-excessive-malloc-expected.txt: Removed.
+ * svg/custom/mask-excessive-malloc-expected.txt: Added.
+ * svg/custom/massive-coordinates-expected.txt: Added.
+ * svg/custom/massive-coordinates.svg: Added.
+ * svg/custom/pattern-excessive-malloc-expected.txt: Added.
+
2010-07-30 Anders Carlsson <andersca at apple.com>
Reviewed by Sam Weinig.
diff --git a/LayoutTests/platform/gtk/svg/custom/pattern-excessive-malloc-expected.txt b/LayoutTests/platform/gtk/svg/custom/pattern-excessive-malloc-expected.txt
deleted file mode 100644
index ac7575d..0000000
--- a/LayoutTests/platform/gtk/svg/custom/pattern-excessive-malloc-expected.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-layer at (0,0) size 800x600
- RenderView at (0,0) size 800x600
-layer at (0,0) size 800x600
- RenderSVGRoot {svg} at (10,300) size 100x100
- RenderSVGHiddenContainer {defs} at (0,0) size 0x0
- RenderSVGResourcePattern {pattern} [id="pattern"] [patternUnits=userSpaceOnUse] [patternContentUnits=userSpaceOnUse]
- RenderPath {rect} at (0,0) size 800x600 [fill={[type=SOLID] [color=#FF0000]}] [data="M0.00,0.00 L7792640.00,0.00 L7792640.00,7792640.00 L0.00,7792640.00 Z"]
- RenderPath {rect} at (10,300) size 100x100 [fill={[type=PATTERN] [id="pattern"]}] [data="M10.00,300.00 L110.00,300.00 L110.00,400.00 L10.00,400.00 Z"]
diff --git a/LayoutTests/platform/mac/svg/custom/mask-excessive-malloc-expected.txt b/LayoutTests/platform/mac/svg/custom/mask-excessive-malloc-expected.txt
index 962affa..c893d03 100644
--- a/LayoutTests/platform/mac/svg/custom/mask-excessive-malloc-expected.txt
+++ b/LayoutTests/platform/mac/svg/custom/mask-excessive-malloc-expected.txt
@@ -3,6 +3,6 @@ layer at (0,0) size 800x600
layer at (0,0) size 800x600
RenderSVGRoot {svg} at (200,200) size 100x200
RenderSVGResourceMasker {mask} [id="mask"] [maskUnits=objectBoundingBox] [maskContentUnits=userSpaceOnUse]
- RenderPath {rect} at (0,0) size 0x0 [fill={[type=SOLID] [color=#FFFFFF]}] [data="M0.00,0.00 L2147483648.00,0.00 L2147483648.00,2147483648.00 L0.00,2147483648.00 Z"]
+ RenderPath {rect} at (0,0) size 800x600 [fill={[type=SOLID] [color=#FFFFFF]}] [data="M0.00,0.00 L2147483648.00,0.00 L2147483648.00,2147483648.00 L0.00,2147483648.00 Z"]
RenderPath {path} at (200,200) size 100x200 [fill={[type=SOLID] [color=#0000FF]}] [data="M200.00,200.00 L300.00,200.00 L300.00,400.00 L200.00,400.00 Z"]
[masker="mask"] RenderSVGResourceMasker {mask} at (190,180) size 2147483520x2147483520
diff --git a/LayoutTests/platform/mac/svg/custom/massive-coordinates-expected.txt b/LayoutTests/platform/mac/svg/custom/massive-coordinates-expected.txt
new file mode 100644
index 0000000..3b0b197
--- /dev/null
+++ b/LayoutTests/platform/mac/svg/custom/massive-coordinates-expected.txt
@@ -0,0 +1,6 @@
+layer at (0,0) size 800x600
+ RenderView at (0,0) size 800x600
+layer at (0,0) size 800x600
+ RenderSVGRoot {svg} at (0,0) size 0x0
+ RenderPath {path} at (0,0) size 0x0 [stroke={[type=SOLID] [color=#0000FF]}] [data="M-1000.00,12345679395506094080.00 L200.00,200.00"]
+ RenderPath {path} at (0,0) size 0x0 [stroke={[type=SOLID] [color=#00FF00]}] [data="M600.00,400.00 L1000.00,-98765426367955730432.00"]
diff --git a/LayoutTests/platform/mac/svg/custom/pattern-excessive-malloc-expected.txt b/LayoutTests/platform/mac/svg/custom/pattern-excessive-malloc-expected.txt
index a33dcfb..1d4a8af 100644
--- a/LayoutTests/platform/mac/svg/custom/pattern-excessive-malloc-expected.txt
+++ b/LayoutTests/platform/mac/svg/custom/pattern-excessive-malloc-expected.txt
@@ -4,5 +4,5 @@ layer at (0,0) size 800x600
RenderSVGRoot {svg} at (10,300) size 100x100
RenderSVGHiddenContainer {defs} at (0,0) size 0x0
RenderSVGResourcePattern {pattern} [id="pattern"] [patternUnits=userSpaceOnUse] [patternContentUnits=userSpaceOnUse]
- RenderPath {rect} at (0,0) size 800x600 [fill={[type=SOLID] [color=#FF0000]}] [data="M0.00,0.00 L1215752192.00,0.00 L1215752192.00,1215752192.00 L0.00,1215752192.00 Z"]
+ RenderPath {rect} at (0,0) size 800x600 [fill={[type=SOLID] [color=#FF0000]}] [data="M0.00,0.00 L99999997952.00,0.00 L99999997952.00,99999997952.00 L0.00,99999997952.00 Z"]
RenderPath {rect} at (10,300) size 100x100 [fill={[type=PATTERN] [id="pattern"]}] [data="M10.00,300.00 L110.00,300.00 L110.00,400.00 L10.00,400.00 Z"]
diff --git a/LayoutTests/platform/qt/svg/custom/pattern-excessive-malloc-expected.checksum b/LayoutTests/platform/qt/svg/custom/pattern-excessive-malloc-expected.checksum
deleted file mode 100644
index 88da121..0000000
--- a/LayoutTests/platform/qt/svg/custom/pattern-excessive-malloc-expected.checksum
+++ /dev/null
@@ -1 +0,0 @@
-7290a75aa2c5543d87f68f7200683c20
\ No newline at end of file
diff --git a/LayoutTests/platform/qt/svg/custom/pattern-excessive-malloc-expected.png b/LayoutTests/platform/qt/svg/custom/pattern-excessive-malloc-expected.png
deleted file mode 100644
index 157abe5..0000000
Binary files a/LayoutTests/platform/qt/svg/custom/pattern-excessive-malloc-expected.png and /dev/null differ
diff --git a/LayoutTests/platform/qt/svg/custom/pattern-excessive-malloc-expected.txt b/LayoutTests/platform/qt/svg/custom/pattern-excessive-malloc-expected.txt
deleted file mode 100644
index 46e8575..0000000
--- a/LayoutTests/platform/qt/svg/custom/pattern-excessive-malloc-expected.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-layer at (0,0) size 800x600
- RenderView at (0,0) size 800x600
-layer at (0,0) size 800x600
- RenderSVGRoot {svg} at (10,300) size 100x100
- RenderSVGHiddenContainer {defs} at (0,0) size 0x0
- RenderSVGResourcePattern {pattern} [id="pattern"] [patternUnits=userSpaceOnUse] [patternContentUnits=userSpaceOnUse]
- RenderPath {rect} at (0,0) size 800x600 [fill={[type=SOLID] [color=#FF0000]}] [data="M0.00,0.00 L1215752192.00,0.00 L1215752192.00,1215752192.00 L0.00,1215752192.00 L0.00,0.00"]
- RenderPath {rect} at (10,300) size 100x100 [fill={[type=PATTERN] [id="pattern"]}] [data="M10.00,300.00 L110.00,300.00 L110.00,400.00 L10.00,400.00 L10.00,300.00"]
diff --git a/LayoutTests/svg/custom/mask-excessive-malloc-expected.txt b/LayoutTests/svg/custom/mask-excessive-malloc-expected.txt
new file mode 100644
index 0000000..c893d03
--- /dev/null
+++ b/LayoutTests/svg/custom/mask-excessive-malloc-expected.txt
@@ -0,0 +1,8 @@
+layer at (0,0) size 800x600
+ RenderView at (0,0) size 800x600
+layer at (0,0) size 800x600
+ RenderSVGRoot {svg} at (200,200) size 100x200
+ RenderSVGResourceMasker {mask} [id="mask"] [maskUnits=objectBoundingBox] [maskContentUnits=userSpaceOnUse]
+ RenderPath {rect} at (0,0) size 800x600 [fill={[type=SOLID] [color=#FFFFFF]}] [data="M0.00,0.00 L2147483648.00,0.00 L2147483648.00,2147483648.00 L0.00,2147483648.00 Z"]
+ RenderPath {path} at (200,200) size 100x200 [fill={[type=SOLID] [color=#0000FF]}] [data="M200.00,200.00 L300.00,200.00 L300.00,400.00 L200.00,400.00 Z"]
+ [masker="mask"] RenderSVGResourceMasker {mask} at (190,180) size 2147483520x2147483520
diff --git a/LayoutTests/svg/custom/massive-coordinates-expected.txt b/LayoutTests/svg/custom/massive-coordinates-expected.txt
new file mode 100644
index 0000000..9ed02da
--- /dev/null
+++ b/LayoutTests/svg/custom/massive-coordinates-expected.txt
@@ -0,0 +1,6 @@
+layer at (0,0) size 800x600
+ RenderView at (0,0) size 800x600
+layer at (0,0) size 800x600
+ RenderSVGRoot {svg} at (0,0) size 0x0
+ RenderPath {path} at (0,0) size 0x0 [stroke={[type=SOLID] [color=#0000FF]}] [data="M-1000.00,12345679395506094080.00 L200.00,200.00"]
+ RenderPath {path} at (0,0) size 0x0 [stroke={[type=SOLID] [color=#00FF00]}] [data="M600.00,400.00 L1000.00,-98765435164048752640.00"]
diff --git a/LayoutTests/svg/custom/massive-coordinates.svg b/LayoutTests/svg/custom/massive-coordinates.svg
new file mode 100644
index 0000000..da1cde3
--- /dev/null
+++ b/LayoutTests/svg/custom/massive-coordinates.svg
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+
+<svg xmlns="http://www.w3.org/2000/svg" height="600" id="svgroot" version="1.1" width="800" x="0" y="0">
+
+ <path d="M -1000,12345678901234567890 L 200,200" style="fill:none;stroke:#0000ff;stroke-width:1px;stroke-opacity:1" />
+ <path d="M 600,400 L 1000,-9.8765432109876543210e+19" style="fill:none;stroke:#00ff00;stroke-width:1px;stroke-opacity:1" />
+
+</svg>
+
+
diff --git a/LayoutTests/svg/custom/pattern-excessive-malloc-expected.txt b/LayoutTests/svg/custom/pattern-excessive-malloc-expected.txt
new file mode 100644
index 0000000..1d4a8af
--- /dev/null
+++ b/LayoutTests/svg/custom/pattern-excessive-malloc-expected.txt
@@ -0,0 +1,8 @@
+layer at (0,0) size 800x600
+ RenderView at (0,0) size 800x600
+layer at (0,0) size 800x600
+ RenderSVGRoot {svg} at (10,300) size 100x100
+ RenderSVGHiddenContainer {defs} at (0,0) size 0x0
+ RenderSVGResourcePattern {pattern} [id="pattern"] [patternUnits=userSpaceOnUse] [patternContentUnits=userSpaceOnUse]
+ RenderPath {rect} at (0,0) size 800x600 [fill={[type=SOLID] [color=#FF0000]}] [data="M0.00,0.00 L99999997952.00,0.00 L99999997952.00,99999997952.00 L0.00,99999997952.00 Z"]
+ RenderPath {rect} at (10,300) size 100x100 [fill={[type=PATTERN] [id="pattern"]}] [data="M10.00,300.00 L110.00,300.00 L110.00,400.00 L10.00,400.00 Z"]
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index bc8df97..9f4d2e6 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,23 @@
+2010-07-30 W. James MacLean <wjmaclean at google.com>
+
+ Reviewed by Nikolas Zimmermann.
+
+ SVG - numeric overflow for very large elements
+ https://bugs.webkit.org/show_bug.cgi?id=25645
+
+ Two of the expected test outputs were incorrect now that parsing of large values
+ is handled correctly.
+ - Revised FloatRect to remove bad float-to-int conversions in enclosingIntRect()
+ - Revised _parseNumber to do right-to-left float-based parsing of input value
+
+ Test: svg/custom/massive-coordinates.svg
+
+ * platform/graphics/FloatRect.cpp:
+ (WebCore::safeFloatToInt):
+ (WebCore::enclosingIntRect):
+ * svg/SVGParserUtilities.cpp:
+ (WebCore::_parseNumber):
+
2010-07-30 James Robinson <jamesr at chromium.org>
Reviewed by Darin Fisher.
diff --git a/WebCore/platform/graphics/FloatRect.cpp b/WebCore/platform/graphics/FloatRect.cpp
index 7a54f21..6dfa808 100644
--- a/WebCore/platform/graphics/FloatRect.cpp
+++ b/WebCore/platform/graphics/FloatRect.cpp
@@ -30,6 +30,7 @@
#include "FloatConversion.h"
#include "IntRect.h"
#include <algorithm>
+#include <limits>
#include <math.h>
using std::max;
@@ -110,13 +111,26 @@ void FloatRect::scale(float sx, float sy)
m_size.setHeight(height() * sy);
}
+static inline int safeFloatToInt(float x)
+{
+ static const int s_intMax = std::numeric_limits<int>::max();
+ static const int s_intMin = std::numeric_limits<int>::min();
+
+ if (x >= static_cast<float>(s_intMax))
+ return s_intMax;
+ if (x < static_cast<float>(s_intMin))
+ return s_intMin;
+ return static_cast<int>(x);
+}
+
IntRect enclosingIntRect(const FloatRect& rect)
{
- int l = static_cast<int>(floorf(rect.x()));
- int t = static_cast<int>(floorf(rect.y()));
- int r = static_cast<int>(ceilf(rect.right()));
- int b = static_cast<int>(ceilf(rect.bottom()));
- return IntRect(l, t, r - l, b - t);
+ float left = floorf(rect.x());
+ float top = floorf(rect.y());
+ float width = ceilf(rect.right()) - left;
+ float height = ceilf(rect.bottom()) - top;
+ return IntRect(safeFloatToInt(left), safeFloatToInt(top),
+ safeFloatToInt(width), safeFloatToInt(height));
}
FloatRect mapRect(const FloatRect& r, const FloatRect& srcRect, const FloatRect& destRect)
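Review bot: safeFloatToInt has no NaN case: both range comparisons are false for a NaN argument, so control reaches `static_cast<int>(x)`, which is undefined behaviour for a value that int cannot represent. enclosingIntRect can produce a NaN even from non-NaN edges, because `ceilf(rect.right()) - left` is inf - inf if both edges are infinite with the same sign. An explicit guard ahead of the range checks would close this, for example `if (x != x) return 0;`, with a comment stating why 0 is the chosen fallback. Separately, the origin and the size are clamped independently, so the sum of x and width in the returned IntRect may no longer fit in an int; whether IntRect's callers tolerate that is not visible in this hunk.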
diff --git a/WebCore/svg/SVGParserUtilities.cpp b/WebCore/svg/SVGParserUtilities.cpp
index 14e3d58..b5e695b 100644
--- a/WebCore/svg/SVGParserUtilities.cpp
+++ b/WebCore/svg/SVGParserUtilities.cpp
@@ -40,8 +40,8 @@ namespace WebCore {
*/
template <typename FloatType> static bool _parseNumber(const UChar*& ptr, const UChar* end, FloatType& number, bool skip)
{
- int integer, exponent;
- FloatType decimal, frac;
+ int exponent;
+ FloatType integer, decimal, frac;
int sign, expsign;
const UChar* start = ptr;
@@ -64,9 +64,19 @@ template <typename FloatType> static bool _parseNumber(const UChar*& ptr, const
// The first character of a number must be one of [0-9+-.]
return false;
- // read the integer part
+ // read the integer part, build right-to-left
+ const UChar* ptrStartIntPart = ptr;
while (ptr < end && *ptr >= '0' && *ptr <= '9')
- integer = (integer * 10) + *(ptr++) - '0';
+ ++ptr; // Advance to first non-digit.
+
+ if (ptr != ptrStartIntPart) {
+ const UChar* ptrScanIntPart = ptr - 1;
+ FloatType multiplier = 1;
+ while (ptrScanIntPart >= ptrStartIntPart) {
+ integer += multiplier * static_cast<FloatType>(*(ptrScanIntPart--) - '0');
+ multiplier *= 10;
+ }
+ }
if (ptr < end && *ptr == '.') { // read the decimals
ptr++;
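Review bot: The right-to-left loop lets `multiplier` overflow to infinity on a long enough digit run (about 40 digits when FloatType is float), and the next `multiplier * 0` for a leading zero then yields NaN, so an input that is mostly leading zeros parses to NaN rather than a small number. A run with non-zero leading digits ends as infinity, and nothing in the hunk rejects either result before the fraction and exponent are applied. Consider skipping zero digits inside the loop and failing the parse once the accumulator is no longer finite, e.g. `if (integer - integer != 0) return false;` after the loop. The loop also steps `ptrScanIntPart` to one element before `ptrStartIntPart` before the comparison fails; counting down an index from `ptr - ptrStartIntPart` avoids forming that pointer. The initialisation of `integer` and the rest of `_parseNumber` are outside this hunk, so this assumes `integer` starts at zero.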
--
WebKit Debian packaging