[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-10851-g50815da
commit-queue at webkit.org
commit-queue at webkit.org
Wed Dec 22 18:27:00 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit ea6bdc7303594476340fa9842d59456ccac3b75a
Author: commit-queue at webkit.org <commit-queue at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Sat Dec 11 01:23:26 2010 +0000
2010-12-10 Cosmin Truta <ctruta at chromium.org>
Reviewed by Eric Seidel.
Crash while processing ill-formed <textPath> ouside of <text>
https://bugs.webkit.org/show_bug.cgi?id=47759
Ensure that ill-formed text content child elements do not crash.
* svg/custom/invalid-text-content.svg: Added.
* svg/custom/invalid-text-content-expected.checksum: Added.
* svg/custom/invalid-text-content-expected.png: Added.
* svg/custom/invalid-text-content-expected.txt: Added.
2010-12-10 Cosmin Truta <ctruta at chromium.org>
Reviewed by Eric Seidel.
Crash while processing ill-formed <textPath> ouside of <text>
https://bugs.webkit.org/show_bug.cgi?id=47759
Renderers within a <text> subtree are created only when their corresponding elements
satisfy the content model.
Test: svg/custom/invalid-text-content.svg
* svg/SVGTRefElement.cpp:
(WebCore::SVGTRefElement::childShouldCreateRenderer): Fixed to comply with the content model.
(WebCore::SVGTRefElement::rendererIsNeeded): Added.
* svg/SVGTRefElement.h:
* svg/SVGTSpanElement.cpp:
(WebCore::SVGTSpanElement::childShouldCreateRenderer): Fixed to comply with the content model.
(WebCore::SVGTSpanElement::rendererIsNeeded): Added.
* svg/SVGTSpanElement.h: Changed indentation.
* svg/SVGTextElement.cpp:
(WebCore::SVGTextElement::childShouldCreateRenderer): Reformatted.
* svg/SVGTextPathElement.cpp:
(WebCore::SVGTextPathElement::childShouldCreateRenderer): Fixed to comply with the content model.
(WebCore::SVGTextPathElement::rendererIsNeeded): Added.
* svg/SVGTextPathElement.h:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@73820 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 0d0048b..d608771 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,17 @@
+2010-12-10 Cosmin Truta <ctruta at chromium.org>
+
+ Reviewed by Eric Seidel.
+
+ Crash while processing ill-formed <textPath> ouside of <text>
+ https://bugs.webkit.org/show_bug.cgi?id=47759
+
+ Ensure that ill-formed text content child elements do not crash.
+
+ * svg/custom/invalid-text-content.svg: Added.
+ * svg/custom/invalid-text-content-expected.checksum: Added.
+ * svg/custom/invalid-text-content-expected.png: Added.
+ * svg/custom/invalid-text-content-expected.txt: Added.
+
2010-12-10 Adam Barth <abarth at webkit.org>
Reviewed by Eric Seidel.
diff --git a/LayoutTests/platform/mac/fast/block/positioning/005-expected.checksum b/LayoutTests/svg/custom/invalid-text-content-expected.checksum
similarity index 100%
copy from LayoutTests/platform/mac/fast/block/positioning/005-expected.checksum
copy to LayoutTests/svg/custom/invalid-text-content-expected.checksum
diff --git a/LayoutTests/svg/custom/invalid-text-content-expected.txt b/LayoutTests/svg/custom/invalid-text-content-expected.txt
new file mode 100644
index 0000000..7e7840a
--- /dev/null
+++ b/LayoutTests/svg/custom/invalid-text-content-expected.txt
@@ -0,0 +1,25 @@
+layer at (0,0) size 800x600
+ RenderView at (0,0) size 800x600
+layer at (0,0) size 800x600
+ RenderSVGRoot {svg} at (0,0) size 100x100
+ RenderSVGText {text}
+ RenderSVGTSpan {tspan} at (0,0) size 0x0
+ RenderSVGInlineText {#text} at (0,0) size 0x0
+ RenderSVGInlineText {#text} at (0,0) size 0x0
+ RenderSVGInlineText {#text} at (0,0) size 0x0
+ RenderSVGInlineText {#text} at (0,0) size 0x0
+ RenderSVGInline {tref} at (0,0) size 0x0
+ RenderSVGInlineText {#text} at (0,0) size 0x0
+ RenderSVGInlineText {#text} at (0,0) size 0x0
+ RenderSVGInlineText {#text} at (0,0) size 0x0
+ RenderSVGInlineText {#text} at (0,0) size 0x0
+ RenderSVGInlineText {#text} at (0,0) size 0x0
+ RenderSVGInlineText {#text} at (0,0) size 0x0
+ RenderSVGInlineText {#text} at (0,0) size 0x0
+ RenderSVGTextPath {textPath} at (0,0) size 0x0
+ RenderSVGInlineText {#text} at (0,0) size 0x0
+ RenderSVGInlineText {#text} at (0,0) size 0x0
+ RenderSVGInlineText {#text} at (0,0) size 0x0
+ RenderSVGInlineText {#text} at (0,0) size 0x0
+ RenderSVGInlineText {#text} at (0,0) size 0x0
+ RenderSVGPath {rect} at (0,0) size 100x100 [fill={[type=SOLID] [color=#008000]}] [x=0.00] [y=0.00] [width=100.00] [height=100.00]
diff --git a/LayoutTests/svg/custom/invalid-text-content.svg b/LayoutTests/svg/custom/invalid-text-content.svg
new file mode 100644
index 0000000..e81a5d0
--- /dev/null
+++ b/LayoutTests/svg/custom/invalid-text-content.svg
@@ -0,0 +1,41 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+
+<text>
+ <tspan>
+ <text>This should not appear in rendering.</text>
+ <textPath>This should not appear in rendering.</textPath>
+ </tspan>
+ <tref>
+ <text>This should not appear in rendering.</text>
+ <tspan>This should not appear in rendering.</tspan>
+ <tref>This should not appear in rendering.</tref>
+ <textPath>This should not appear in rendering.</textPath>
+ <altGlyph>This should not appear in rendering.</altGlyph>
+ </tref>
+ <textPath>
+ <text>This should not appear in rendering.</text>
+ <textPath>This should not appear in rendering.</textPath>
+ <altGlyph>This should not appear in rendering.</altGlyph>
+ </textPath>
+</text>
+<tspan>
+ <text>This should not appear in rendering.</text>
+ <textPath>This should not appear in rendering.</textPath>
+</tspan>
+<tref>
+ <text>This should not appear in rendering.</text>
+ <tspan>This should not appear in rendering.</tspan>
+ <tref>This should not appear in rendering.</tref>
+ <textPath>This should not appear in rendering.</textPath>
+ <altGlyph>This should not appear in rendering.</altGlyph>
+</tref>
+<textPath>
+ <text>This should not appear in rendering.</text>
+ <textPath>This should not appear in rendering.</textPath>
+ <altGlyph>This should not appear in rendering.</altGlyph>
+</textPath>
+
+<!-- This should not crash. -->
+<rect width="100" height="100" fill="green"/>
+
+</svg>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 55beb10..06309c6 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,30 @@
+2010-12-10 Cosmin Truta <ctruta at chromium.org>
+
+ Reviewed by Eric Seidel.
+
+ Crash while processing ill-formed <textPath> ouside of <text>
+ https://bugs.webkit.org/show_bug.cgi?id=47759
+
+ Renderers within a <text> subtree are created only when their corresponding elements
+ satisfy the content model.
+
+ Test: svg/custom/invalid-text-content.svg
+
+ * svg/SVGTRefElement.cpp:
+ (WebCore::SVGTRefElement::childShouldCreateRenderer): Fixed to comply with the content model.
+ (WebCore::SVGTRefElement::rendererIsNeeded): Added.
+ * svg/SVGTRefElement.h:
+ * svg/SVGTSpanElement.cpp:
+ (WebCore::SVGTSpanElement::childShouldCreateRenderer): Fixed to comply with the content model.
+ (WebCore::SVGTSpanElement::rendererIsNeeded): Added.
+ * svg/SVGTSpanElement.h: Changed indentation.
+ * svg/SVGTextElement.cpp:
+ (WebCore::SVGTextElement::childShouldCreateRenderer): Reformatted.
+ * svg/SVGTextPathElement.cpp:
+ (WebCore::SVGTextPathElement::childShouldCreateRenderer): Fixed to comply with the content model.
+ (WebCore::SVGTextPathElement::rendererIsNeeded): Added.
+ * svg/SVGTextPathElement.h:
+
2010-12-10 Zhenyao Mo <zmo at google.com>
Reviewed by Adam Barth.
diff --git a/WebCore/svg/SVGTRefElement.cpp b/WebCore/svg/SVGTRefElement.cpp
index 8a0e97f..14c4700 100644
--- a/WebCore/svg/SVGTRefElement.cpp
+++ b/WebCore/svg/SVGTRefElement.cpp
@@ -84,17 +84,32 @@ void SVGTRefElement::synchronizeProperty(const QualifiedName& attrName)
synchronizeHref();
}
+RenderObject* SVGTRefElement::createRenderer(RenderArena* arena, RenderStyle*)
+{
+ return new (arena) RenderSVGInline(this);
+}
+
bool SVGTRefElement::childShouldCreateRenderer(Node* child) const
{
- if (child->isTextNode() || child->hasTagName(SVGNames::tspanTag) ||
- child->hasTagName(SVGNames::trefTag))
+ if (child->isTextNode())
return true;
+
return false;
}
-RenderObject* SVGTRefElement::createRenderer(RenderArena* arena, RenderStyle*)
+bool SVGTRefElement::rendererIsNeeded(RenderStyle* style)
{
- return new (arena) RenderSVGInline(this);
+ if (parentNode()
+ && (parentNode()->hasTagName(SVGNames::aTag)
+#if ENABLE(SVG_FONTS)
+ || parentNode()->hasTagName(SVGNames::altGlyphTag)
+#endif
+ || parentNode()->hasTagName(SVGNames::textTag)
+ || parentNode()->hasTagName(SVGNames::textPathTag)
+ || parentNode()->hasTagName(SVGNames::tspanTag)))
+ return StyledElement::rendererIsNeeded(style);
+
+ return false;
}
}
diff --git a/WebCore/svg/SVGTRefElement.h b/WebCore/svg/SVGTRefElement.h
index 41297a7..8b98383 100644
--- a/WebCore/svg/SVGTRefElement.h
+++ b/WebCore/svg/SVGTRefElement.h
@@ -41,6 +41,7 @@ private:
virtual RenderObject* createRenderer(RenderArena*, RenderStyle*);
virtual bool childShouldCreateRenderer(Node*) const;
+ virtual bool rendererIsNeeded(RenderStyle*);
void updateReferencedText();
diff --git a/WebCore/svg/SVGTSpanElement.cpp b/WebCore/svg/SVGTSpanElement.cpp
index b88600a..8fe30e2 100644
--- a/WebCore/svg/SVGTSpanElement.cpp
+++ b/WebCore/svg/SVGTSpanElement.cpp
@@ -39,24 +39,38 @@ PassRefPtr<SVGTSpanElement> SVGTSpanElement::create(const QualifiedName& tagName
return adoptRef(new SVGTSpanElement(tagName, document));
}
+RenderObject* SVGTSpanElement::createRenderer(RenderArena* arena, RenderStyle*)
+{
+ return new (arena) RenderSVGTSpan(this);
+}
+
bool SVGTSpanElement::childShouldCreateRenderer(Node* child) const
{
if (child->isTextNode()
+ || child->hasTagName(SVGNames::aTag)
#if ENABLE(SVG_FONTS)
|| child->hasTagName(SVGNames::altGlyphTag)
#endif
- || child->hasTagName(SVGNames::tspanTag)
|| child->hasTagName(SVGNames::trefTag)
- || child->hasTagName(SVGNames::aTag)
- || child->hasTagName(SVGNames::textPathTag))
+ || child->hasTagName(SVGNames::tspanTag))
return true;
return false;
}
-RenderObject* SVGTSpanElement::createRenderer(RenderArena* arena, RenderStyle*)
+bool SVGTSpanElement::rendererIsNeeded(RenderStyle* style)
{
- return new (arena) RenderSVGTSpan(this);
+ if (parentNode()
+ && (parentNode()->hasTagName(SVGNames::aTag)
+#if ENABLE(SVG_FONTS)
+ || parentNode()->hasTagName(SVGNames::altGlyphTag)
+#endif
+ || parentNode()->hasTagName(SVGNames::textTag)
+ || parentNode()->hasTagName(SVGNames::textPathTag)
+ || parentNode()->hasTagName(SVGNames::tspanTag)))
+ return StyledElement::rendererIsNeeded(style);
+
+ return false;
}
}
diff --git a/WebCore/svg/SVGTSpanElement.h b/WebCore/svg/SVGTSpanElement.h
index 9b276a8..58a7990 100644
--- a/WebCore/svg/SVGTSpanElement.h
+++ b/WebCore/svg/SVGTSpanElement.h
@@ -26,16 +26,17 @@
namespace WebCore {
- class SVGTSpanElement : public SVGTextPositioningElement {
- public:
- static PassRefPtr<SVGTSpanElement> create(const QualifiedName&, Document*);
+class SVGTSpanElement : public SVGTextPositioningElement {
+public:
+ static PassRefPtr<SVGTSpanElement> create(const QualifiedName&, Document*);
- private:
- SVGTSpanElement(const QualifiedName&, Document*);
-
- virtual RenderObject* createRenderer(RenderArena*, RenderStyle*);
- virtual bool childShouldCreateRenderer(Node*) const;
- };
+private:
+ SVGTSpanElement(const QualifiedName&, Document*);
+
+ virtual RenderObject* createRenderer(RenderArena*, RenderStyle*);
+ virtual bool childShouldCreateRenderer(Node*) const;
+ virtual bool rendererIsNeeded(RenderStyle*);
+};
} // namespace WebCore
diff --git a/WebCore/svg/SVGTextElement.cpp b/WebCore/svg/SVGTextElement.cpp
index e2cef48..7229824 100644
--- a/WebCore/svg/SVGTextElement.cpp
+++ b/WebCore/svg/SVGTextElement.cpp
@@ -107,11 +107,15 @@ RenderObject* SVGTextElement::createRenderer(RenderArena* arena, RenderStyle*)
bool SVGTextElement::childShouldCreateRenderer(Node* child) const
{
if (child->isTextNode()
+ || child->hasTagName(SVGNames::aTag)
#if ENABLE(SVG_FONTS)
|| child->hasTagName(SVGNames::altGlyphTag)
#endif
- || child->hasTagName(SVGNames::tspanTag) || child->hasTagName(SVGNames::trefTag) || child->hasTagName(SVGNames::aTag) || child->hasTagName(SVGNames::textPathTag))
+ || child->hasTagName(SVGNames::textPathTag)
+ || child->hasTagName(SVGNames::trefTag)
+ || child->hasTagName(SVGNames::tspanTag))
return true;
+
return false;
}
diff --git a/WebCore/svg/SVGTextPathElement.cpp b/WebCore/svg/SVGTextPathElement.cpp
index 2a93ff9..5bd4e4b 100644
--- a/WebCore/svg/SVGTextPathElement.cpp
+++ b/WebCore/svg/SVGTextPathElement.cpp
@@ -118,18 +118,24 @@ RenderObject* SVGTextPathElement::createRenderer(RenderArena* arena, RenderStyle
bool SVGTextPathElement::childShouldCreateRenderer(Node* child) const
{
if (child->isTextNode()
-#if ENABLE(SVG_FONTS)
- || child->hasTagName(SVGNames::altGlyphTag)
-#endif
- || child->hasTagName(SVGNames::trefTag)
- || child->hasTagName(SVGNames::tspanTag)
|| child->hasTagName(SVGNames::aTag)
- || child->hasTagName(SVGNames::textPathTag))
+ || child->hasTagName(SVGNames::trefTag)
+ || child->hasTagName(SVGNames::tspanTag))
return true;
return false;
}
+bool SVGTextPathElement::rendererIsNeeded(RenderStyle* style)
+{
+ if (parentNode()
+ && (parentNode()->hasTagName(SVGNames::aTag)
+ || parentNode()->hasTagName(SVGNames::textTag)))
+ return StyledElement::rendererIsNeeded(style);
+
+ return false;
+}
+
void SVGTextPathElement::insertedIntoDocument()
{
SVGTextContentElement::insertedIntoDocument();
diff --git a/WebCore/svg/SVGTextPathElement.h b/WebCore/svg/SVGTextPathElement.h
index 31490b0..9652294 100644
--- a/WebCore/svg/SVGTextPathElement.h
+++ b/WebCore/svg/SVGTextPathElement.h
@@ -62,9 +62,10 @@ private:
virtual void parseMappedAttribute(Attribute*);
virtual void svgAttributeChanged(const QualifiedName&);
virtual void synchronizeProperty(const QualifiedName&);
- virtual RenderObject* createRenderer(RenderArena*, RenderStyle*);
+ virtual RenderObject* createRenderer(RenderArena*, RenderStyle*);
virtual bool childShouldCreateRenderer(Node*) const;
+ virtual bool rendererIsNeeded(RenderStyle*);
virtual bool selfHasRelativeLengths() const;
--
WebKit Debian packaging
More information about the Pkg-webkit-commits
mailing list