[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
commit-queue at webkit.org
commit-queue at webkit.org
Wed Dec 22 14:42:13 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit c05fce49a58d893e1a410d322d2fde450ab4f1c9
Author: commit-queue at webkit.org <commit-queue at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Sun Oct 17 19:46:39 2010 +0000
2010-10-17 Cosmin Truta <ctruta at chromium.org>
Reviewed by Nikolas Zimmermann.
Crash while processing ill-formed SVG with cycles
https://bugs.webkit.org/show_bug.cgi?id=47498
Checked the behavior of the attributes fill, stroke, clip and mask
when used with URLs that point to wrong elements.
* svg/custom/invalid-paint-shape-mask.svg: Added.
* svg/custom/invalid-paint-shape-mask-expected.svg: Added.
2010-10-17 Cosmin Truta <ctruta at chromium.org>
Reviewed by Nikolas Zimmermann.
Crash while processing ill-formed SVG with cycles
https://bugs.webkit.org/show_bug.cgi?id=47498
Test: svg/custom/invalid-paint-shape-mask.svg
* rendering/SVGResources.cpp:
(paintingResourceFromSVGPaint): Ensured that the painting resource is
either a pattern resource or a gradient resource.
(SVGResources::setClipper):
(SVGResources::setFilter):
(SVGResources::setMarkerStart):
(SVGResources::setMarkerMid):
(SVGResources::setMarkerEnd):
(SVGResources::setMasker):
(SVGResources::setFill):
(SVGResources::setStroke): Added ASSERT statements for previously-unchecked
preconditions.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@69927 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index c706272..f500c76 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2010-10-17 Cosmin Truta <ctruta at chromium.org>
+
+ Reviewed by Nikolas Zimmermann.
+
+ Crash while processing ill-formed SVG with cycles
+ https://bugs.webkit.org/show_bug.cgi?id=47498
+
+ Checked the behavior of the attributes fill, stroke, clip and mask
+ when used with URLs that point to wrong elements.
+
+ * svg/custom/invalid-paint-shape-mask.svg: Added.
+ * svg/custom/invalid-paint-shape-mask-expected.svg: Added.
+
2010-10-17 Alex Milowski <alex at milowski.com>
Reviewed by Kenneth Rohde Christiansen.
diff --git a/LayoutTests/svg/custom/invalid-paint-shape-mask-expected.txt b/LayoutTests/svg/custom/invalid-paint-shape-mask-expected.txt
new file mode 100644
index 0000000..96b913b
--- /dev/null
+++ b/LayoutTests/svg/custom/invalid-paint-shape-mask-expected.txt
@@ -0,0 +1 @@
+This should not crash.
diff --git a/LayoutTests/svg/custom/invalid-paint-shape-mask.svg b/LayoutTests/svg/custom/invalid-paint-shape-mask.svg
new file mode 100644
index 0000000..ccdb461
--- /dev/null
+++ b/LayoutTests/svg/custom/invalid-paint-shape-mask.svg
@@ -0,0 +1,23 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+
+<script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+
+<filter id="invalid_paint">
+ <rect width="10" height="10" fill="url(#invalid_paint)"/>
+ <rect width="10" height="10" stroke="url(#invalid_paint)"/>
+</filter>
+
+<filter id="invalid_shape">
+ <rect width="10" height="10" clip="url(#invalid_shape)"/>
+</filter>
+
+<filter id="invalid_mask">
+ <rect width="10" height="10" mask="url(#invalid_mask)"/>
+</filter>
+
+<text x="20" y="20">This should not crash.</text>
+
+</svg>
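Review bot: The `invalid_shape` case uses `clip="url(#invalid_shape)"`, but in SVG the property that takes a resource reference is `clip-path`; `clip` accepts a shape or `auto`, so this rect most likely never reaches the clipper lookup that the new ASSERT in SVGResources::setClipper guards. Consider `<rect width="10" height="10" clip-path="url(#invalid_shape)"/>` instead of, or in addition to, the `clip` line. The test also has no `filter` or `marker-*` reference to an element of the wrong type, so the assertions added to setFilter and setMarkerStart/Mid/End are not exercised by it. Separately, the ChangeLog entry lists `invalid-paint-shape-mask-expected.svg` while the file this patch adds is `invalid-paint-shape-mask-expected.txt`.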
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index c6ca01f..4ab0f03 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,25 @@
+2010-10-17 Cosmin Truta <ctruta at chromium.org>
+
+ Reviewed by Nikolas Zimmermann.
+
+ Crash while processing ill-formed SVG with cycles
+ https://bugs.webkit.org/show_bug.cgi?id=47498
+
+ Test: svg/custom/invalid-paint-shape-mask.svg
+
+ * rendering/SVGResources.cpp:
+ (paintingResourceFromSVGPaint): Ensured that the painting resource is
+ either a pattern resource or a gradient resource.
+ (SVGResources::setClipper):
+ (SVGResources::setFilter):
+ (SVGResources::setMarkerStart):
+ (SVGResources::setMarkerMid):
+ (SVGResources::setMarkerEnd):
+ (SVGResources::setMasker):
+ (SVGResources::setFill):
+ (SVGResources::setStroke): Added ASSERT statements for previously-unchecked
+ preconditions.
+
2010-10-17 Alex Milowski <alex at milowski.com>
Reviewed by Kenneth Rohde Christiansen.
diff --git a/WebCore/rendering/SVGResources.cpp b/WebCore/rendering/SVGResources.cpp
index 799301b..f796f3b 100644
--- a/WebCore/rendering/SVGResources.cpp
+++ b/WebCore/rendering/SVGResources.cpp
@@ -160,11 +160,17 @@ static inline RenderSVGResourceContainer* paintingResourceFromSVGPaint(Document*
return 0;
id = SVGURIReference::getTarget(paint->uri());
- if (RenderSVGResourceContainer* container = getRenderSVGResourceContainerById(document, id))
- return container;
+ RenderSVGResourceContainer* container = getRenderSVGResourceContainerById(document, id);
+ if (!container) {
+ hasPendingResource = true;
+ return 0;
+ }
+
+ RenderSVGResourceType resourceType = container->resourceType();
+ if (resourceType != PatternResourceType && resourceType != LinearGradientResourceType && resourceType != RadialGradientResourceType)
+ return 0;
- hasPendingResource = true;
- return 0;
+ return container;
}
static inline void registerPendingResource(SVGDocumentExtensions* extensions, const AtomicString& id, SVGElement* element)
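Review bot: The three-way test on `resourceType` is repeated in the ASSERTs added to setFill and setStroke further down, so the list of valid paint-server types now lives in three places and can drift. A file-local predicate such as `static inline bool isPaintingResourceType(RenderSVGResourceType type)` would keep this runtime filter and the assertions in step. The wrong-type `return 0;` also appears to leave hasPendingResource unset on purpose, which deserves a comment, e.g. `// The id resolves, but not to a pattern or gradient: not pending, and must not be used as a paint server.` The function begins above the hunk, so the earlier paths are not visible here.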
@@ -445,6 +451,8 @@ bool SVGResources::setClipper(RenderSVGResourceClipper* clipper)
if (!clipper)
return false;
+ ASSERT(clipper->resourceType() == ClipperResourceType);
+
if (!m_clipperFilterMaskerData)
m_clipperFilterMaskerData = ClipperFilterMaskerData::create();
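Review bot: WebKit's `ASSERT` is a debug-build check, so the type precondition added here, and in the setFilter, setMarkerStart, setMarkerMid, setMarkerEnd, setMasker, setFill and setStroke hunks, is not enforced in release builds. That matters most for setFill and setStroke, whose parameter is the base `RenderSVGResourceContainer*`. In release the only thing stopping a wrong-typed resource from being stored as a paint server is the filter in paintingResourceFromSVGPaint, and any other caller would bypass it. If those two setters can be reached from anywhere else, pair the ASSERT with a release-mode rejection, e.g. `if (type != PatternResourceType && type != LinearGradientResourceType && type != RadialGradientResourceType) return false;`, or add a comment naming paintingResourceFromSVGPaint as the sole validated entry point. Each setter's body continues outside its hunk.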
@@ -465,6 +473,8 @@ bool SVGResources::setFilter(RenderSVGResourceFilter* filter)
if (!filter)
return false;
+ ASSERT(filter->resourceType() == FilterResourceType);
+
if (!m_clipperFilterMaskerData)
m_clipperFilterMaskerData = ClipperFilterMaskerData::create();
@@ -485,6 +495,8 @@ bool SVGResources::setMarkerStart(RenderSVGResourceMarker* markerStart)
if (!markerStart)
return false;
+ ASSERT(markerStart->resourceType() == MarkerResourceType);
+
if (!m_markerData)
m_markerData = MarkerData::create();
@@ -504,6 +516,8 @@ bool SVGResources::setMarkerMid(RenderSVGResourceMarker* markerMid)
if (!markerMid)
return false;
+ ASSERT(markerMid->resourceType() == MarkerResourceType);
+
if (!m_markerData)
m_markerData = MarkerData::create();
@@ -523,6 +537,8 @@ bool SVGResources::setMarkerEnd(RenderSVGResourceMarker* markerEnd)
if (!markerEnd)
return false;
+ ASSERT(markerEnd->resourceType() == MarkerResourceType);
+
if (!m_markerData)
m_markerData = MarkerData::create();
@@ -542,6 +558,8 @@ bool SVGResources::setMasker(RenderSVGResourceMasker* masker)
if (!masker)
return false;
+ ASSERT(masker->resourceType() == MaskerResourceType);
+
if (!m_clipperFilterMaskerData)
m_clipperFilterMaskerData = ClipperFilterMaskerData::create();
@@ -561,6 +579,10 @@ bool SVGResources::setFill(RenderSVGResourceContainer* fill)
if (!fill)
return false;
+ ASSERT(fill->resourceType() == PatternResourceType
+ || fill->resourceType() == LinearGradientResourceType
+ || fill->resourceType() == RadialGradientResourceType);
+
if (!m_fillStrokeData)
m_fillStrokeData = FillStrokeData::create();
@@ -580,6 +602,10 @@ bool SVGResources::setStroke(RenderSVGResourceContainer* stroke)
if (!stroke)
return false;
+ ASSERT(stroke->resourceType() == PatternResourceType
+ || stroke->resourceType() == LinearGradientResourceType
+ || stroke->resourceType() == RadialGradientResourceType);
+
if (!m_fillStrokeData)
m_fillStrokeData = FillStrokeData::create();
--
WebKit Debian packaging