[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

eric at webkit.org eric at webkit.org
Wed Dec 22 11:49:25 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit daf27e414c49dae597f1f32266b970c0517e3165
Author: eric at webkit.org <eric at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Sun Aug 8 07:45:00 2010 +0000

    2010-08-08  Adam Barth  <abarth at webkit.org>
    
            Reviewed by Dimitri Glazkov.
    
            SVGLength uses ASSERTs to validate user input
            https://bugs.webkit.org/show_bug.cgi?id=43680
    
            Send invalid input to trigger old ASSERTs.
    
            * svg/dom/svg-length-units-expected.txt: Added.
            * svg/dom/svg-length-units.html: Added.
    2010-08-08  Adam Barth  <abarth at webkit.org>
    
            Reviewed by Dimitri Glazkov.
    
            SVGLength uses ASSERTs to validate user input
            https://bugs.webkit.org/show_bug.cgi?id=43680
    
            ASSERTs aren't in release builds, so we can't use them to validate user
            input!  We've seen a bunch of examples of this in SVG code.  It might
            be worth auditing all the code to remove this misguided pattern.
    
            Test: svg/dom/svg-length-units.html
    
            * svg/SVGLength.cpp:
            (WebCore::SVGLength::newValueSpecifiedUnits):
            (WebCore::SVGLength::convertToSpecifiedUnits):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@64945 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index e9e7aab..e645105 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2010-08-08  Adam Barth  <abarth at webkit.org>
+
+        Reviewed by Dimitri Glazkov.
+
+        SVGLength uses ASSERTs to validate user input
+        https://bugs.webkit.org/show_bug.cgi?id=43680
+
+        Send invalid input to trigger old ASSERTs.
+
+        * svg/dom/svg-length-units-expected.txt: Added.
+        * svg/dom/svg-length-units.html: Added.
+
 2010-08-08  Mihai Parparita  <mihaip at chromium.org>
 
         Reviewed by Adam Barth.
diff --git a/LayoutTests/svg/dom/svg-length-units-expected.txt b/LayoutTests/svg/dom/svg-length-units-expected.txt
new file mode 100644
index 0000000..111fc82
--- /dev/null
+++ b/LayoutTests/svg/dom/svg-length-units-expected.txt
@@ -0,0 +1,13 @@
+ 1
+1
+1
+1
+1
+5
+5
+5
+5
+5
+Done!
+
+
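Review bot: The expected output in this new file is ten bare unitType numbers (five 1s, then five 5s) with no labels, so a failing diff will not show which call regressed. Have the test write a short label with each value, for example the call that preceded it, and regenerate this file to match.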
diff --git a/LayoutTests/svg/dom/svg-length-units.html b/LayoutTests/svg/dom/svg-length-units.html
new file mode 100644
index 0000000..3e25cea
--- /dev/null
+++ b/LayoutTests/svg/dom/svg-length-units.html
@@ -0,0 +1,32 @@
+<body>
+<svg id="foo">
+</svg>
+<pre>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+var elmt = document.getElementById('foo');
+var len = elmt.createSVGLength();
+document.writeln(len.unitType)
+len.newValueSpecifiedUnits(0, 42);
+document.writeln(len.unitType)
+len.value = 48;
+document.writeln(len.unitType)
+len.newValueSpecifiedUnits(51168, 42);
+document.writeln(len.unitType)
+len.value = 48;
+document.writeln(len.unitType)
+len.valueAsString = "32px"
+document.writeln(len.unitType)
+len.convertToSpecifiedUnits(0)
+document.writeln(len.unitType)
+len.valueAsString = "32px"
+document.writeln(len.unitType)
+len.convertToSpecifiedUnits(51168)
+document.writeln(len.unitType)
+len.value = 48;
+document.writeln(len.unitType)
+document.writeln("Done!")
+</script>
+</pre>
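Review bot: The test writes only len.unitType after each call, so it never checks that the rejected calls newValueSpecifiedUnits(0, 42) and newValueSpecifiedUnits(51168, 42) left the stored number untouched. Also write len.valueInSpecifiedUnits after each rejected call. It would help to add a case for the first type value just above the largest valid unit as well, since 51168 only exercises a far-out-of-range input and would not catch an off-by-one in the upper bound.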
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 437cbd2..d05319b 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,20 @@
+2010-08-08  Adam Barth  <abarth at webkit.org>
+
+        Reviewed by Dimitri Glazkov.
+
+        SVGLength uses ASSERTs to validate user input
+        https://bugs.webkit.org/show_bug.cgi?id=43680
+
+        ASSERTs aren't in release builds, so we can't use them to validate user
+        input!  We've seen a bunch of examples of this in SVG code.  It might
+        be worth auditing all the code to remove this misguided pattern.
+
+        Test: svg/dom/svg-length-units.html
+
+        * svg/SVGLength.cpp:
+        (WebCore::SVGLength::newValueSpecifiedUnits):
+        (WebCore::SVGLength::convertToSpecifiedUnits):
+
 2010-08-07  Adam Barth  <abarth at webkit.org>
 
         Reviewed by Sam Weinig.
diff --git a/WebCore/svg/SVGLength.cpp b/WebCore/svg/SVGLength.cpp
index 162b25f..415dc79 100644
--- a/WebCore/svg/SVGLength.cpp
+++ b/WebCore/svg/SVGLength.cpp
@@ -275,7 +275,8 @@ String SVGLength::valueAsString() const
 
 void SVGLength::newValueSpecifiedUnits(unsigned short type, float value)
 {
-    ASSERT(type <= LengthTypePC);
+    if (type == LengthTypeUnknown || type > LengthTypePC)
+        return;
 
     m_unit = storeUnit(extractMode(m_unit), (SVGLengthType) type);
     m_valueInSpecifiedUnits = value;
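Review bot: The early return added at the top of newValueSpecifiedUnits discards invalid input silently; the function is void and nothing is reported, so script cannot tell that the call was rejected. If the binding for this method can carry an exception code, consider reporting one instead of a bare return. The new condition also rejects LengthTypeUnknown, which the removed ASSERT(type <= LengthTypePC) did not exclude; that is a behaviour change beyond converting the assert into a check, and the ChangeLog entry should mention it.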
@@ -283,7 +284,8 @@ void SVGLength::newValueSpecifiedUnits(unsigned short type, float value)
 
 void SVGLength::convertToSpecifiedUnits(unsigned short type, const SVGElement* context)
 {
-    ASSERT(type <= LengthTypePC);
+    if (type == LengthTypeUnknown || type > LengthTypePC)
+        return;
 
     float valueInUserUnits = value(context);
     m_unit = storeUnit(extractMode(m_unit), (SVGLengthType) type);
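Review bot: The condition in convertToSpecifiedUnits is a verbatim copy of the one added to newValueSpecifiedUnits, "if (type == LengthTypeUnknown || type > LengthTypePC)". Factor it into one small static helper in this file so the two entry points cannot drift apart. That also gives a single pattern to reuse when auditing the other ASSERT-on-input sites in SVG code that the ChangeLog mentions.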

-- 
WebKit Debian packaging


