[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

inferno at chromium.org inferno at chromium.org
Wed Dec 22 16:37:56 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit 4795944ca6571a560a4b7afa4da2d90e2bc37d34
Author: inferno at chromium.org <inferno at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Mon Nov 29 16:18:50 2010 +0000

    2010-11-29  W. James MacLean  <wjmaclean at chromium.org>
    
           Reviewed by Dirk Schulze.
    
           Large input numbers cause overflow during SVG parsing, leading to crash
           https://bugs.webkit.org/show_bug.cgi?id=49546
    
           Values outside the range supported by float lead to Infinity() or NaN()
           during parsing, leading to subsequent crashes. Modified
           parser to verify number is in the supported range, and return false if not.
    
           Tests: svg/custom/svg-parse-overflow-1.html
                  svg/custom/svg-parse-overflow-2.html
                  svg/custom/svg-parse-overflow-3.html
                  svg/custom/svg-parse-overflow-4.html
                  svg/custom/svg-parse-overflow-5.html
    
           * svg/SVGParserUtilities.cpp:
           (WebCore::isValidRange):
           (WebCore::genericParseNumber):
    2010-11-29  W. James MacLean  <wjmaclean at chromium.org>
    
            Reviewed by Dirk Schulze.
    
            Large input numbers cause overflow during SVG parsing, leading to crash
            https://bugs.webkit.org/show_bug.cgi?id=49546
    
            Values outside the range supported by float lead to Infinity() or NaN()
            during parsing, leading to subsequent crashes. Modified
            parser to verify number is in the supported range, and return false if not.
    
            * platform/chromium-linux/svg/custom/svg-parse-overflow-1-expected.checksum: Added.
            * platform/chromium-linux/svg/custom/svg-parse-overflow-1-expected.png: Added.
            * platform/chromium-linux/svg/custom/svg-parse-overflow-1-expected.txt: Added.
            * platform/chromium-linux/svg/custom/svg-parse-overflow-2-expected.checksum: Added.
            * platform/chromium-linux/svg/custom/svg-parse-overflow-2-expected.png: Added.
            * platform/chromium-linux/svg/custom/svg-parse-overflow-2-expected.txt: Added.
            * platform/chromium-linux/svg/custom/svg-parse-overflow-3-expected.checksum: Added.
            * platform/chromium-linux/svg/custom/svg-parse-overflow-3-expected.png: Added.
            * platform/chromium-linux/svg/custom/svg-parse-overflow-3-expected.txt: Added.
            * platform/chromium-linux/svg/custom/svg-parse-overflow-4-expected.checksum: Added.
            * platform/chromium-linux/svg/custom/svg-parse-overflow-4-expected.png: Added.
            * platform/chromium-linux/svg/custom/svg-parse-overflow-4-expected.txt: Added.
            * platform/chromium-linux/svg/custom/svg-parse-overflow-5-expected.checksum: Added.
            * platform/chromium-linux/svg/custom/svg-parse-overflow-5-expected.png: Added.
            * platform/chromium-linux/svg/custom/svg-parse-overflow-5-expected.txt: Added.
            * platform/chromium/test_expectations.txt:
            * platform/mac/svg/custom/svg-parse-overflow-1-expected.checksum: Added.
            * platform/mac/svg/custom/svg-parse-overflow-1-expected.png: Added.
            * platform/mac/svg/custom/svg-parse-overflow-1-expected.txt: Added.
            * platform/mac/svg/custom/svg-parse-overflow-2-expected.checksum: Added.
            * platform/mac/svg/custom/svg-parse-overflow-2-expected.png: Added.
            * platform/mac/svg/custom/svg-parse-overflow-2-expected.txt: Added.
            * platform/mac/svg/custom/svg-parse-overflow-3-expected.checksum: Added.
            * platform/mac/svg/custom/svg-parse-overflow-3-expected.png: Added.
            * platform/mac/svg/custom/svg-parse-overflow-3-expected.txt: Added.
            * platform/mac/svg/custom/svg-parse-overflow-4-expected.checksum: Added.
            * platform/mac/svg/custom/svg-parse-overflow-4-expected.png: Added.
            * platform/mac/svg/custom/svg-parse-overflow-4-expected.txt: Added.
            * platform/mac/svg/custom/svg-parse-overflow-5-expected.checksum: Added.
            * platform/mac/svg/custom/svg-parse-overflow-5-expected.png: Added.
            * platform/mac/svg/custom/svg-parse-overflow-5-expected.txt: Added.
            * platform/mac/test_expectations.txt:
            * svg/custom/svg-parse-overflow-1.html: Added.
            * svg/custom/svg-parse-overflow-2.html: Added.
            * svg/custom/svg-parse-overflow-3.html: Added.
            * svg/custom/svg-parse-overflow-4.html: Added.
            * svg/custom/svg-parse-overflow-5.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@72802 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 65a9599..b9d7ea5 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,52 @@
+2010-11-29  W. James MacLean  <wjmaclean at chromium.org>
+
+        Reviewed by Dirk Schulze.
+
+        Large input numbers cause overflow during SVG parsing, leading to crash
+        https://bugs.webkit.org/show_bug.cgi?id=49546
+
+        Values outside the range supported by float lead to Infinity() or NaN()
+        during parsing, leading to subsequent crashes. Modified
+        parser to verify number is in the supported range, and return false if not.
+
+        * platform/chromium-linux/svg/custom/svg-parse-overflow-1-expected.checksum: Added.
+        * platform/chromium-linux/svg/custom/svg-parse-overflow-1-expected.png: Added.
+        * platform/chromium-linux/svg/custom/svg-parse-overflow-1-expected.txt: Added.
+        * platform/chromium-linux/svg/custom/svg-parse-overflow-2-expected.checksum: Added.
+        * platform/chromium-linux/svg/custom/svg-parse-overflow-2-expected.png: Added.
+        * platform/chromium-linux/svg/custom/svg-parse-overflow-2-expected.txt: Added.
+        * platform/chromium-linux/svg/custom/svg-parse-overflow-3-expected.checksum: Added.
+        * platform/chromium-linux/svg/custom/svg-parse-overflow-3-expected.png: Added.
+        * platform/chromium-linux/svg/custom/svg-parse-overflow-3-expected.txt: Added.
+        * platform/chromium-linux/svg/custom/svg-parse-overflow-4-expected.checksum: Added.
+        * platform/chromium-linux/svg/custom/svg-parse-overflow-4-expected.png: Added.
+        * platform/chromium-linux/svg/custom/svg-parse-overflow-4-expected.txt: Added.
+        * platform/chromium-linux/svg/custom/svg-parse-overflow-5-expected.checksum: Added.
+        * platform/chromium-linux/svg/custom/svg-parse-overflow-5-expected.png: Added.
+        * platform/chromium-linux/svg/custom/svg-parse-overflow-5-expected.txt: Added.
+        * platform/chromium/test_expectations.txt:
+        * platform/mac/svg/custom/svg-parse-overflow-1-expected.checksum: Added.
+        * platform/mac/svg/custom/svg-parse-overflow-1-expected.png: Added.
+        * platform/mac/svg/custom/svg-parse-overflow-1-expected.txt: Added.
+        * platform/mac/svg/custom/svg-parse-overflow-2-expected.checksum: Added.
+        * platform/mac/svg/custom/svg-parse-overflow-2-expected.png: Added.
+        * platform/mac/svg/custom/svg-parse-overflow-2-expected.txt: Added.
+        * platform/mac/svg/custom/svg-parse-overflow-3-expected.checksum: Added.
+        * platform/mac/svg/custom/svg-parse-overflow-3-expected.png: Added.
+        * platform/mac/svg/custom/svg-parse-overflow-3-expected.txt: Added.
+        * platform/mac/svg/custom/svg-parse-overflow-4-expected.checksum: Added.
+        * platform/mac/svg/custom/svg-parse-overflow-4-expected.png: Added.
+        * platform/mac/svg/custom/svg-parse-overflow-4-expected.txt: Added.
+        * platform/mac/svg/custom/svg-parse-overflow-5-expected.checksum: Added.
+        * platform/mac/svg/custom/svg-parse-overflow-5-expected.png: Added.
+        * platform/mac/svg/custom/svg-parse-overflow-5-expected.txt: Added.
+        * platform/mac/test_expectations.txt:
+        * svg/custom/svg-parse-overflow-1.html: Added.
+        * svg/custom/svg-parse-overflow-2.html: Added.
+        * svg/custom/svg-parse-overflow-3.html: Added.
+        * svg/custom/svg-parse-overflow-4.html: Added.
+        * svg/custom/svg-parse-overflow-5.html: Added.
+
 2010-11-29  Antonio Gomes  <agomes at rim.com>
 
         Rubber stamped by Csaba Osztrogonác.
diff --git a/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-1-expected.checksum b/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-1-expected.checksum
new file mode 100644
index 0000000..72f25db
--- /dev/null
+++ b/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-1-expected.checksum
@@ -0,0 +1 @@
+92b6d080cc1095c6d376647796d17838
\ No newline at end of file
diff --git a/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-1-expected.png b/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-1-expected.png
new file mode 100644
index 0000000..09c4aa9
Binary files /dev/null and b/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-1-expected.png differ
diff --git a/JavaScriptCore/tests/mozilla/js1_6/Array/browser.js b/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-1-expected.txt
similarity index 100%
copy from JavaScriptCore/tests/mozilla/js1_6/Array/browser.js
copy to LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-1-expected.txt
diff --git a/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-2-expected.checksum b/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-2-expected.checksum
new file mode 100644
index 0000000..72f25db
--- /dev/null
+++ b/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-2-expected.checksum
@@ -0,0 +1 @@
+92b6d080cc1095c6d376647796d17838
\ No newline at end of file
diff --git a/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-2-expected.png b/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-2-expected.png
new file mode 100644
index 0000000..09c4aa9
Binary files /dev/null and b/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-2-expected.png differ
diff --git a/JavaScriptCore/tests/mozilla/js1_6/Array/browser.js b/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-2-expected.txt
similarity index 100%
copy from JavaScriptCore/tests/mozilla/js1_6/Array/browser.js
copy to LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-2-expected.txt
diff --git a/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-3-expected.checksum b/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-3-expected.checksum
new file mode 100644
index 0000000..72f25db
--- /dev/null
+++ b/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-3-expected.checksum
@@ -0,0 +1 @@
+92b6d080cc1095c6d376647796d17838
\ No newline at end of file
diff --git a/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-3-expected.png b/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-3-expected.png
new file mode 100644
index 0000000..09c4aa9
Binary files /dev/null and b/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-3-expected.png differ
diff --git a/JavaScriptCore/tests/mozilla/js1_6/Array/browser.js b/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-3-expected.txt
similarity index 100%
copy from JavaScriptCore/tests/mozilla/js1_6/Array/browser.js
copy to LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-3-expected.txt
diff --git a/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-4-expected.checksum b/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-4-expected.checksum
new file mode 100644
index 0000000..72f25db
--- /dev/null
+++ b/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-4-expected.checksum
@@ -0,0 +1 @@
+92b6d080cc1095c6d376647796d17838
\ No newline at end of file
diff --git a/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-4-expected.png b/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-4-expected.png
new file mode 100644
index 0000000..09c4aa9
Binary files /dev/null and b/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-4-expected.png differ
diff --git a/JavaScriptCore/tests/mozilla/js1_6/Array/browser.js b/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-4-expected.txt
similarity index 100%
copy from JavaScriptCore/tests/mozilla/js1_6/Array/browser.js
copy to LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-4-expected.txt
diff --git a/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-5-expected.checksum b/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-5-expected.checksum
new file mode 100644
index 0000000..72f25db
--- /dev/null
+++ b/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-5-expected.checksum
@@ -0,0 +1 @@
+92b6d080cc1095c6d376647796d17838
\ No newline at end of file
diff --git a/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-5-expected.png b/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-5-expected.png
new file mode 100644
index 0000000..09c4aa9
Binary files /dev/null and b/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-5-expected.png differ
diff --git a/JavaScriptCore/tests/mozilla/js1_6/Array/browser.js b/LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-5-expected.txt
similarity index 100%
copy from JavaScriptCore/tests/mozilla/js1_6/Array/browser.js
copy to LayoutTests/platform/chromium-linux/svg/custom/svg-parse-overflow-5-expected.txt
diff --git a/LayoutTests/platform/chromium/test_expectations.txt b/LayoutTests/platform/chromium/test_expectations.txt
index 5c740d9..3e73ec6 100644
--- a/LayoutTests/platform/chromium/test_expectations.txt
+++ b/LayoutTests/platform/chromium/test_expectations.txt
@@ -934,6 +934,13 @@ BUGWK44514 MAC : fast/backgrounds/svg-as-background-6.html = IMAGE
 // May require re-baseline.
 BUGWK42370 WIN MAC : svg/custom/image-rescale-scroll.html = FAIL
 
+// Some re-baselining will be needed.
+BUGWK49456 MAC WIN : svg/custom/svg-parse-overflow-1.html = FAIL
+BUGWK49456 MAC WIN : svg/custom/svg-parse-overflow-2.html = FAIL
+BUGWK49456 MAC WIN : svg/custom/svg-parse-overflow-3.html = FAIL
+BUGWK49456 MAC WIN : svg/custom/svg-parse-overflow-4.html = FAIL
+BUGWK49456 MAC WIN : svg/custom/svg-parse-overflow-5.html = FAIL
+
 // -----------------------------------------------------------------
 // End SVG Regressions
 // -----------------------------------------------------------------
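Review bot: The bug tag on the five added entries is `BUGWK49456`, but the bug this change fixes is 49546 in the ChangeLog entry and in the mac expectations added by the same commit; the digits look transposed. With the wrong tag the entries would be tracked against an unrelated bug and would not be cleaned up when 49546 is re-baselined. Each line should read like `BUGWK49546 MAC WIN : svg/custom/svg-parse-overflow-1.html = FAIL`.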
diff --git a/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-1-expected.checksum b/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-1-expected.checksum
new file mode 100644
index 0000000..6e31e47
--- /dev/null
+++ b/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-1-expected.checksum
@@ -0,0 +1 @@
+0d43bde864809d32cf33b7ee9ef53790
\ No newline at end of file
diff --git a/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-1-expected.png b/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-1-expected.png
new file mode 100644
index 0000000..fcb1bd2
Binary files /dev/null and b/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-1-expected.png differ
diff --git a/JavaScriptCore/tests/mozilla/js1_6/Array/browser.js b/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-1-expected.txt
similarity index 100%
copy from JavaScriptCore/tests/mozilla/js1_6/Array/browser.js
copy to LayoutTests/platform/mac/svg/custom/svg-parse-overflow-1-expected.txt
diff --git a/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-2-expected.checksum b/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-2-expected.checksum
new file mode 100644
index 0000000..6e31e47
--- /dev/null
+++ b/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-2-expected.checksum
@@ -0,0 +1 @@
+0d43bde864809d32cf33b7ee9ef53790
\ No newline at end of file
diff --git a/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-2-expected.png b/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-2-expected.png
new file mode 100644
index 0000000..fcb1bd2
Binary files /dev/null and b/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-2-expected.png differ
diff --git a/JavaScriptCore/tests/mozilla/js1_6/Array/browser.js b/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-2-expected.txt
similarity index 100%
copy from JavaScriptCore/tests/mozilla/js1_6/Array/browser.js
copy to LayoutTests/platform/mac/svg/custom/svg-parse-overflow-2-expected.txt
diff --git a/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-3-expected.checksum b/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-3-expected.checksum
new file mode 100644
index 0000000..6e31e47
--- /dev/null
+++ b/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-3-expected.checksum
@@ -0,0 +1 @@
+0d43bde864809d32cf33b7ee9ef53790
\ No newline at end of file
diff --git a/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-3-expected.png b/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-3-expected.png
new file mode 100644
index 0000000..fcb1bd2
Binary files /dev/null and b/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-3-expected.png differ
diff --git a/JavaScriptCore/tests/mozilla/js1_6/Array/browser.js b/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-3-expected.txt
similarity index 100%
copy from JavaScriptCore/tests/mozilla/js1_6/Array/browser.js
copy to LayoutTests/platform/mac/svg/custom/svg-parse-overflow-3-expected.txt
diff --git a/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-4-expected.checksum b/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-4-expected.checksum
new file mode 100644
index 0000000..6e31e47
--- /dev/null
+++ b/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-4-expected.checksum
@@ -0,0 +1 @@
+0d43bde864809d32cf33b7ee9ef53790
\ No newline at end of file
diff --git a/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-4-expected.png b/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-4-expected.png
new file mode 100644
index 0000000..fcb1bd2
Binary files /dev/null and b/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-4-expected.png differ
diff --git a/JavaScriptCore/tests/mozilla/js1_6/Array/browser.js b/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-4-expected.txt
similarity index 100%
copy from JavaScriptCore/tests/mozilla/js1_6/Array/browser.js
copy to LayoutTests/platform/mac/svg/custom/svg-parse-overflow-4-expected.txt
diff --git a/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-5-expected.checksum b/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-5-expected.checksum
new file mode 100644
index 0000000..6e31e47
--- /dev/null
+++ b/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-5-expected.checksum
@@ -0,0 +1 @@
+0d43bde864809d32cf33b7ee9ef53790
\ No newline at end of file
diff --git a/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-5-expected.png b/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-5-expected.png
new file mode 100644
index 0000000..fcb1bd2
Binary files /dev/null and b/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-5-expected.png differ
diff --git a/JavaScriptCore/tests/mozilla/js1_6/Array/browser.js b/LayoutTests/platform/mac/svg/custom/svg-parse-overflow-5-expected.txt
similarity index 100%
copy from JavaScriptCore/tests/mozilla/js1_6/Array/browser.js
copy to LayoutTests/platform/mac/svg/custom/svg-parse-overflow-5-expected.txt
diff --git a/LayoutTests/platform/mac/test_expectations.txt b/LayoutTests/platform/mac/test_expectations.txt
index 53ccb72..cd1262b 100644
--- a/LayoutTests/platform/mac/test_expectations.txt
+++ b/LayoutTests/platform/mac/test_expectations.txt
@@ -100,6 +100,13 @@ BUG36620 : transforms/2d/hindi-rotated.html = IMAGE
 // Needs re-baselining.
 BUG42370 : svg/custom/image-rescale-scroll.html = FAIL
 
+// Require re-baseline:
+BUG49546 : svg/custom/svg-parse-overflow-1.html
+BUG49546 : svg/custom/svg-parse-overflow-2.html
+BUG49546 : svg/custom/svg-parse-overflow-3.html
+BUG49546 : svg/custom/svg-parse-overflow-4.html
+BUG49546 : svg/custom/svg-parse-overflow-5.html
+
 // These fail depending on order due to interactions with previous tests:
 BUG35006 : fast/dom/global-constructors.html = PASS TEXT
 BUG37007 : fast/tokenizer/doctype-search-reset.html = PASS TEXT
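Review bot: The five added `BUG49546` entries carry no expectation after the path, unlike every other entry visible in this hunk (`= FAIL`, `= PASS TEXT`); given the preceding comment about re-baselining, `= FAIL` (or `= IMAGE`) appears to have been dropped. Whether the expectations parser accepts or rejects an entry without an expectation is not visible here, but either way the line does not record what the test is expected to do. Suggested form: `BUG49546 : svg/custom/svg-parse-overflow-1.html = FAIL`, and the same for -2 through -5.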
diff --git a/LayoutTests/svg/custom/svg-parse-overflow-1.html b/LayoutTests/svg/custom/svg-parse-overflow-1.html
new file mode 100644
index 0000000..9537e46
--- /dev/null
+++ b/LayoutTests/svg/custom/svg-parse-overflow-1.html
@@ -0,0 +1,12 @@
+<html>
+<body>
+<script>
+document.body.offsetTop;
+if (window.layoutTestController)
+    layoutTestController.dumpAsText(true);
+</script>
+<svg>
+<foreignObject y="105000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" transform="scale(5) skewX(5)">
+</svg>
+</body>
+
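Review bot: The page contains no text and no pass criterion, so the text dump produced by `dumpAsText(true)` can only be empty; the accompanying expected.txt files are recorded by git as 100% copies of an unrelated file, which is consistent with them being empty. A regression that stops crashing but silently drops the element would then still pass. A one-line marker such as `<p>This test passes if it does not crash.</p>` inside `<body>` gives the dump something to compare against; the file is also missing its closing `</html>`, and the `<foreignObject>` element is left open (which the parser tolerates). The same applies to the svg-parse-overflow-2 through -5 hunks.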
diff --git a/LayoutTests/svg/custom/svg-parse-overflow-2.html b/LayoutTests/svg/custom/svg-parse-overflow-2.html
new file mode 100644
index 0000000..31d547e
--- /dev/null
+++ b/LayoutTests/svg/custom/svg-parse-overflow-2.html
@@ -0,0 +1,12 @@
+<html>
+<body>
+<script>
+document.body.offsetTop;
+if (window.layoutTestController)
+    layoutTestController.dumpAsText(true);
+</script>
+<svg>
+<rect width="478" height="-105000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" stroke="#000000">
+</svg>
+</body>
+
diff --git a/LayoutTests/svg/custom/svg-parse-overflow-3.html b/LayoutTests/svg/custom/svg-parse-overflow-3.html
new file mode 100644
index 0000000..7ad9bc2
--- /dev/null
+++ b/LayoutTests/svg/custom/svg-parse-overflow-3.html
@@ -0,0 +1,17 @@
+<html>
+<body>
+<script>
+document.body.offsetTop;
+if (window.layoutTestController)
+    layoutTestController.dumpAsText(true);
+</script>
+<style>
+svg {
+stroke-dasharray: 400;
+stroke: 10px;}
+</style>
+<svg>
+<rect width="100" height="105000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000">
+</svg>
+</body>
+
diff --git a/LayoutTests/svg/custom/svg-parse-overflow-4.html b/LayoutTests/svg/custom/svg-parse-overflow-4.html
new file mode 100644
index 0000000..55d8179
--- /dev/null
+++ b/LayoutTests/svg/custom/svg-parse-overflow-4.html
@@ -0,0 +1,12 @@
+<html>
+<body>
+<script>
+document.body.offsetTop;
+if (window.layoutTestController)
+    layoutTestController.dumpAsText(true);
+</script>
+<svg>
+<foreignObject y="105.0e50" transform="scale(5) skewX(5)">
+</svg>
+</body>
+
diff --git a/LayoutTests/svg/custom/svg-parse-overflow-5.html b/LayoutTests/svg/custom/svg-parse-overflow-5.html
new file mode 100644
index 0000000..b22ea6d
--- /dev/null
+++ b/LayoutTests/svg/custom/svg-parse-overflow-5.html
@@ -0,0 +1,12 @@
+<html>
+<body>
+<script>
+document.body.offsetTop;
+if (window.layoutTestController)
+    layoutTestController.dumpAsText(true);
+</script>
+<svg>
+<foreignObject y="105.0e5000000000000000000000000000000000000000000000000000" transform="scale(5) skewX(5)">
+</svg>
+</body>
+
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 67bf376..77f0da5 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,24 @@
+2010-11-29  W. James MacLean  <wjmaclean at chromium.org>
+
+       Reviewed by Dirk Schulze.
+
+       Large input numbers cause overflow during SVG parsing, leading to crash
+       https://bugs.webkit.org/show_bug.cgi?id=49546
+
+       Values outside the range supported by float lead to Infinity() or NaN()
+       during parsing, leading to subsequent crashes. Modified
+       parser to verify number is in the supported range, and return false if not.
+
+       Tests: svg/custom/svg-parse-overflow-1.html
+              svg/custom/svg-parse-overflow-2.html
+              svg/custom/svg-parse-overflow-3.html
+              svg/custom/svg-parse-overflow-4.html
+              svg/custom/svg-parse-overflow-5.html
+
+       * svg/SVGParserUtilities.cpp:
+       (WebCore::isValidRange):
+       (WebCore::genericParseNumber):
+
 2010-11-29  Yury Semikhatsky  <yurys at chromium.org>
 
         Reviewed by Pavel Feldman.
diff --git a/WebCore/svg/SVGParserUtilities.cpp b/WebCore/svg/SVGParserUtilities.cpp
index 5a77ce2..63bc5bb 100644
--- a/WebCore/svg/SVGParserUtilities.cpp
+++ b/WebCore/svg/SVGParserUtilities.cpp
@@ -27,18 +27,24 @@
 
 #include "Document.h"
 #include "FloatPoint.h"
+#include <limits>
 #include "SVGPointList.h"
 #include <wtf/ASCIICType.h>
 
 namespace WebCore {
 
+template <typename FloatType> static inline bool isValidRange(const FloatType& x)
+{
+    static const FloatType max = std::numeric_limits<FloatType>::max();
+    return x >= -max && x <= max;
+}
+
 // We use this generic parseNumber function to allow the Path parsing code to work 
 // at a higher precision internally, without any unnecessary runtime cost or code
 // complexity.
 template <typename FloatType> static bool genericParseNumber(const UChar*& ptr, const UChar* end, FloatType& number, bool skip)
 {
-    int exponent;
-    FloatType integer, decimal, frac;
+    FloatType integer, decimal, frac, exponent;
     int sign, expsign;
     const UChar* start = ptr;
 
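Review bot: `#include <limits>` is inserted between the quoted project includes, while the file keeps its angle-bracket includes after them (`<wtf/ASCIICType.h>`); moving the new include next to that one preserves the existing grouping. On isValidRange, the reason NaN is rejected is not obvious from the two comparisons, so a one-line comment such as `// Both comparisons are false for NaN, so NaN is rejected along with +/-Infinity.` would spare the next reader from re-deriving it. genericParseNumber's body begins in this hunk and continues outside it.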
@@ -73,6 +79,9 @@ template <typename FloatType> static bool genericParseNumber(const UChar*& ptr,
             integer += multiplier * static_cast<FloatType>(*(ptrScanIntPart--) - '0');
             multiplier *= 10;
         }
+        // Bail out early if this overflows.
+        if (!isValidRange(integer))
+            return false;
     }
 
     if (ptr < end && *ptr == '.') { // read the decimals
@@ -104,17 +113,24 @@ template <typename FloatType> static bool genericParseNumber(const UChar*& ptr,
             return false;
 
         while (ptr < end && *ptr >= '0' && *ptr <= '9') {
-            exponent *= 10;
+            exponent *= static_cast<FloatType>(10);
             exponent += *ptr - '0';
             ptr++;
         }
+        // Make sure exponent is valid.
+        if (!isValidRange(exponent) || exponent > std::numeric_limits<FloatType>::max_exponent)
+            return false;
     }
 
     number = integer + decimal;
     number *= sign;
 
     if (exponent)
-        number *= static_cast<FloatType>(pow(10.0, expsign * exponent));
+        number *= static_cast<FloatType>(pow(10.0, expsign * static_cast<int>(exponent)));
+
+    // Don't return Infinity() or NaN().
+    if (!isValidRange(number))
+        return false;
 
     if (start == ptr)
         return false;
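Review bot: The bound in the new check `exponent > std::numeric_limits<FloatType>::max_exponent` is a base-2 exponent limit, while `exponent` here is the base-10 exponent fed to `pow(10.0, ...)`; for float it admits values up to 128 even though the largest representable power of ten is 10^38. Such values reach the `static_cast<FloatType>` below with a double that is finite but outside float range, a conversion the standard leaves undefined, and the parse is only rejected because the trailing `isValidRange(number)` check happens to observe an Infinity. `max_exponent10` is the matching constant: `if (!isValidRange(exponent) || exponent > std::numeric_limits<FloatType>::max_exponent10)`. Negative exponents of the same magnitude are still rejected by this check even though they would merely underflow to zero, which is presumably intended. The function continues past the end of the hunk.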



