[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.2.3-2-25-gb2c19be
Gustavo Noronha Silva
gns at gnome.org
Mon Sep 6 13:09:24 UTC 2010
The following commit has been merged in the debian/unstable branch:
commit a32f127d8e71ed7654261d4dac36c689fb7eaf05
Author: zimmermann at webkit.org <zimmermann at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Wed Jun 23 07:11:19 2010 +0000
2010-06-23 Nikolas Zimmermann <nzimmermann at rim.com>
Reviewed by Eric Seidel.
Reproducible crash in com.apple.WebCore 0x01ed3784 WebCore::RenderLineBoxList::appendLineBox(WebCore::InlineFlowBox*) + 36
https://bugs.webkit.org/show_bug.cgi?id=40953
REGRESSION (r58209-58231): Memory corruption with invalid SVG
https://bugs.webkit.org/show_bug.cgi?id=40173
Fix several crashes, all related to <foreignObject> and/or invalid SVG documents.
- Only allow <svg> nodes, as direct children of a <foreignObject>, not any other "partial" SVG content.
- Make sure to create RenderSVGRoot objects for <svg> nodes in <foreignObject>, treat them as "outermost SVG elements".
- Never allow any partial SVG content to appear in any document. Only <svg> elements are allowed.
Tests: svg/custom/bug45331.svg
svg/foreignObject/disallowed-svg-nodes-as-direct-children.svg
svg/foreignObject/no-crash-with-svg-content-in-html-document.svg
svg/foreignObject/svg-document-as-direct-child.svg
svg/foreignObject/svg-document-in-html-document.svg
svg/foreignObject/text-tref-02-b.svg
* dom/Element.cpp: Added childShouldCreateRenderer, with ENABLE(SVG) guards.
(WebCore::Element::childShouldCreateRenderer): Only create a renderer for an SVG child if we're an SVG element, or if the child is a <svg> element.
* dom/Element.h: Added childShouldCreateRenderer, with ENABLE(SVG) guards.
* svg/SVGForeignObjectElement.cpp:
(WebCore::SVGForeignObjectElement::childShouldCreateRenderer): Disallow arbitrary SVG content, only <svg> elements are allowed as direct children of a <foreignObject>
* svg/SVGSVGElement.cpp:
(WebCore::SVGSVGElement::isOutermostSVG): Be sure to create RenderSVGRoot objects for <svg> elements inside <foreignObject>
2010-06-23 Nikolas Zimmermann <nzimmermann at rim.com>
Reviewed by Eric Seidel.
Reproducible crash in com.apple.WebCore 0x01ed3784 WebCore::RenderLineBoxList::appendLineBox(WebCore::InlineFlowBox*) + 36
https://bugs.webkit.org/show_bug.cgi?id=40953
REGRESSION (r58209-58231): Memory corruption with invalid SVG
https://bugs.webkit.org/show_bug.cgi?id=40173
Added several new layout tests covering the crashes with <foreignObject> and/or invalid SVG documents.
* platform/mac/svg/custom/bug45331-expected.checksum: Added.
* platform/mac/svg/custom/bug45331-expected.png: Added.
* platform/mac/svg/custom/bug45331-expected.txt: Added.
* platform/mac/svg/foreignObject: Added.
* platform/mac/svg/foreignObject/disallowed-svg-nodes-as-direct-children-expected.checksum: Added.
* platform/mac/svg/foreignObject/disallowed-svg-nodes-as-direct-children-expected.png: Added.
* platform/mac/svg/foreignObject/disallowed-svg-nodes-as-direct-children-expected.txt: Added.
* platform/mac/svg/foreignObject/no-crash-with-svg-content-in-html-document-expected.checksum: Added.
* platform/mac/svg/foreignObject/no-crash-with-svg-content-in-html-document-expected.png: Added.
* platform/mac/svg/foreignObject/no-crash-with-svg-content-in-html-document-expected.txt: Added.
* platform/mac/svg/foreignObject/svg-document-as-direct-child-expected.checksum: Added.
* platform/mac/svg/foreignObject/svg-document-as-direct-child-expected.png: Added.
* platform/mac/svg/foreignObject/svg-document-as-direct-child-expected.txt: Added.
* platform/mac/svg/foreignObject/svg-document-in-html-document-expected.checksum: Added.
* platform/mac/svg/foreignObject/svg-document-in-html-document-expected.png: Added.
* platform/mac/svg/foreignObject/svg-document-in-html-document-expected.txt: Added.
* platform/mac/svg/foreignObject/text-tref-02-b-expected.checksum: Added.
* platform/mac/svg/foreignObject/text-tref-02-b-expected.png: Added.
* platform/mac/svg/foreignObject/text-tref-02-b-expected.txt: Added.
* svg/custom/bug45331.svg: Added.
* svg/foreignObject: Added.
* svg/foreignObject/disallowed-svg-nodes-as-direct-children.svg: Added.
* svg/foreignObject/no-crash-with-svg-content-in-html-document.svg: Added.
* svg/foreignObject/svg-document-as-direct-child.svg: Added.
* svg/foreignObject/svg-document-in-html-document.svg: Added.
* svg/foreignObject/text-tref-02-b.svg: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@61667 268f45cc-cd09-0410-ab3c-d52691b4dbfc
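The renderer gate described in the three bullets of the commit message, as an added example (a Python model written for this page, not WebKit's code): it applies the Element, SVGForeignObjectElement and SVGSVGElement rules to documents constructed from this commit's layout tests and lists which elements get renderers; `fixed=False` models the assumed pre-patch behaviour in which every child got a renderer.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Documents constructed from the layout tests in this commit (comments dropped).
DISALLOWED_DIRECT_CHILDREN = """<svg xmlns="http://www.w3.org/2000/svg">
<foreignObject width="300" height="100">
 <g><text>This should not crash</text></g>
 <g xmlns="http://www.w3.org/2000/svg"><rect/></g>
</foreignObject>
</svg>"""

SVG_CONTENT_IN_HTML = """<svg xmlns="http://www.w3.org/2000/svg">
<foreignObject width="300" height="100">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <p>This should not crash</p>
 <g xmlns="http://www.w3.org/2000/svg"><text y="20">This should not be shown</text></g>
 <g/>
 </html>
</foreignObject>
</svg>"""

SVG_DOCUMENT_IN_HTML = """<svg xmlns="http://www.w3.org/2000/svg">
<foreignObject width="300" height="100">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <p>Test from HTML in foreignObject</p>
 <svg xmlns="http://www.w3.org/2000/svg">
 <rect width="20" height="20" fill="green"/>
 <text y="50">Test from SVG in HTML in foreignObject</text>
 </svg>
 </html>
</foreignObject>
</svg>"""


def split_tag(tag):
    """ElementTree spells namespaced tags as '{ns}local'; return (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def child_should_create_renderer(parent, child, fixed=True):
    """Model of the gate this commit adds.  fixed=False accepts every child,
    the assumed pre-patch behaviour (Node's default answer)."""
    parent_ns, parent_local = split_tag(parent.tag)
    child_ns, child_local = split_tag(child.tag)
    if not fixed or child_ns != SVG_NS:
        return True
    # SVGForeignObjectElement::childShouldCreateRenderer: only <svg> subdocuments.
    if parent_ns == SVG_NS and parent_local == "foreignObject":
        return child_local == "svg"
    # Element::childShouldCreateRenderer: SVG child needs an SVG parent, or is <svg>.
    return child_local == "svg" or parent_ns == SVG_NS


def is_outermost_svg(parent):
    """Model of SVGSVGElement::isOutermostSVG for an <svg> under parent (None = root)."""
    if parent is None:
        return True
    parent_ns, parent_local = split_tag(parent.tag)
    # New rule: an <svg> that is a direct child of <foreignObject> is outermost.
    if parent_ns == SVG_NS and parent_local == "foreignObject":
        return True
    return parent_ns != SVG_NS


def render_tree(doc, fixed=True):
    """Element renderers created, in document order: the local name, or
    'svg(root)' for an <svg> that gets a RenderSVGRoot.  A child refused by
    the gate gets no renderer and, as in WebKit, neither do its descendants."""
    out = []

    def walk(el, parent):
        ns, local = split_tag(el.tag)
        if ns == SVG_NS and local == "svg" and is_outermost_svg(parent):
            out.append("svg(root)")
        else:
            out.append(local)
        for child in el:
            if child_should_create_renderer(el, child, fixed):
                walk(child, el)

    walk(ET.fromstring(doc), None)
    return out
```

The lists returned for the fixed case match the element lines of the corresponding -expected.txt files in the patch (text nodes are not modelled).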
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 919e0af..e93559b 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,42 @@
+2010-06-23 Nikolas Zimmermann <nzimmermann at rim.com>
+
+ Reviewed by Eric Seidel.
+
+ Reproducible crash in com.apple.WebCore 0x01ed3784 WebCore::RenderLineBoxList::appendLineBox(WebCore::InlineFlowBox*) + 36
+ https://bugs.webkit.org/show_bug.cgi?id=40953
+
+ REGRESSION (r58209-58231): Memory corruption with invalid SVG
+ https://bugs.webkit.org/show_bug.cgi?id=40173
+
+ Added several new layout tests covering the crashes with <foreignObject> and/or invalid SVG documents.
+
+ * platform/mac/svg/custom/bug45331-expected.checksum: Added.
+ * platform/mac/svg/custom/bug45331-expected.png: Added.
+ * platform/mac/svg/custom/bug45331-expected.txt: Added.
+ * platform/mac/svg/foreignObject: Added.
+ * platform/mac/svg/foreignObject/disallowed-svg-nodes-as-direct-children-expected.checksum: Added.
+ * platform/mac/svg/foreignObject/disallowed-svg-nodes-as-direct-children-expected.png: Added.
+ * platform/mac/svg/foreignObject/disallowed-svg-nodes-as-direct-children-expected.txt: Added.
+ * platform/mac/svg/foreignObject/no-crash-with-svg-content-in-html-document-expected.checksum: Added.
+ * platform/mac/svg/foreignObject/no-crash-with-svg-content-in-html-document-expected.png: Added.
+ * platform/mac/svg/foreignObject/no-crash-with-svg-content-in-html-document-expected.txt: Added.
+ * platform/mac/svg/foreignObject/svg-document-as-direct-child-expected.checksum: Added.
+ * platform/mac/svg/foreignObject/svg-document-as-direct-child-expected.png: Added.
+ * platform/mac/svg/foreignObject/svg-document-as-direct-child-expected.txt: Added.
+ * platform/mac/svg/foreignObject/svg-document-in-html-document-expected.checksum: Added.
+ * platform/mac/svg/foreignObject/svg-document-in-html-document-expected.png: Added.
+ * platform/mac/svg/foreignObject/svg-document-in-html-document-expected.txt: Added.
+ * platform/mac/svg/foreignObject/text-tref-02-b-expected.checksum: Added.
+ * platform/mac/svg/foreignObject/text-tref-02-b-expected.png: Added.
+ * platform/mac/svg/foreignObject/text-tref-02-b-expected.txt: Added.
+ * svg/custom/bug45331.svg: Added.
+ * svg/foreignObject: Added.
+ * svg/foreignObject/disallowed-svg-nodes-as-direct-children.svg: Added.
+ * svg/foreignObject/no-crash-with-svg-content-in-html-document.svg: Added.
+ * svg/foreignObject/svg-document-as-direct-child.svg: Added.
+ * svg/foreignObject/svg-document-in-html-document.svg: Added.
+ * svg/foreignObject/text-tref-02-b.svg: Added.
+
2010-06-11 Simon Fraser <simon.fraser at apple.com>
Add expected result missing from the previous commit.
diff --git a/LayoutTests/platform/mac-tiger/svg/custom/mask-excessive-malloc-expected.checksum b/LayoutTests/platform/mac/svg/foreignObject/disallowed-svg-nodes-as-direct-children-expected.checksum
similarity index 100%
copy from LayoutTests/platform/mac-tiger/svg/custom/mask-excessive-malloc-expected.checksum
copy to LayoutTests/platform/mac/svg/foreignObject/disallowed-svg-nodes-as-direct-children-expected.checksum
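Review bot: the expected checksum for disallowed-svg-nodes-as-direct-children is a 100% copy of platform/mac-tiger/svg/custom/mask-excessive-malloc-expected.checksum. Two blank 800x600 renders legitimately hash the same, but please confirm the png and checksum were generated from this test rather than copied; the -expected.txt render tree is what actually guards the regression, so it should be the artifact reviewers rely on.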
diff --git a/LayoutTests/platform/mac/svg/foreignObject/disallowed-svg-nodes-as-direct-children-expected.txt b/LayoutTests/platform/mac/svg/foreignObject/disallowed-svg-nodes-as-direct-children-expected.txt
new file mode 100644
index 0000000..f89938e
--- /dev/null
+++ b/LayoutTests/platform/mac/svg/foreignObject/disallowed-svg-nodes-as-direct-children-expected.txt
@@ -0,0 +1,5 @@
+layer at (0,0) size 800x600
+ RenderView at (0,0) size 800x600
+layer at (0,0) size 800x600
+ RenderSVGRoot {svg} at (0,0) size 800x600
+ RenderForeignObject {foreignObject} at (0,0) size 300x100
diff --git a/LayoutTests/platform/mac/svg/foreignObject/no-crash-with-svg-content-in-html-document-expected.checksum b/LayoutTests/platform/mac/svg/foreignObject/no-crash-with-svg-content-in-html-document-expected.checksum
new file mode 100644
index 0000000..d63772c
--- /dev/null
+++ b/LayoutTests/platform/mac/svg/foreignObject/no-crash-with-svg-content-in-html-document-expected.checksum
@@ -0,0 +1 @@
+b658d3879cfe6e5e96b818fdce588511
\ No newline at end of file
diff --git a/LayoutTests/platform/mac/svg/foreignObject/no-crash-with-svg-content-in-html-document-expected.png b/LayoutTests/platform/mac/svg/foreignObject/no-crash-with-svg-content-in-html-document-expected.png
new file mode 100644
index 0000000..8862dc1
Binary files /dev/null and b/LayoutTests/platform/mac/svg/foreignObject/no-crash-with-svg-content-in-html-document-expected.png differ
diff --git a/LayoutTests/platform/mac/svg/foreignObject/no-crash-with-svg-content-in-html-document-expected.txt b/LayoutTests/platform/mac/svg/foreignObject/no-crash-with-svg-content-in-html-document-expected.txt
new file mode 100644
index 0000000..cb918b7
--- /dev/null
+++ b/LayoutTests/platform/mac/svg/foreignObject/no-crash-with-svg-content-in-html-document-expected.txt
@@ -0,0 +1,12 @@
+layer at (0,0) size 800x600
+ RenderView at (0,0) size 800x600
+layer at (0,0) size 800x600
+ RenderSVGRoot {svg} at (0,0) size 800x600
+ RenderForeignObject {foreignObject} at (0,0) size 300x100
+ RenderBlock {html} at (0,0) size 300x18
+ RenderBlock {p} at (0,0) size 300x18
+ RenderText {#text} at (0,0) size 135x18
+ text run at (0,0) width 135: "This should not crash"
+ RenderBlock (anonymous) at (0,34) size 300x0
+ RenderInline {g} at (0,0) size 0x0
+ RenderText {#text} at (0,0) size 0x0
diff --git a/LayoutTests/platform/mac/svg/foreignObject/svg-document-as-direct-child-expected.checksum b/LayoutTests/platform/mac/svg/foreignObject/svg-document-as-direct-child-expected.checksum
new file mode 100644
index 0000000..e558c6b
--- /dev/null
+++ b/LayoutTests/platform/mac/svg/foreignObject/svg-document-as-direct-child-expected.checksum
@@ -0,0 +1 @@
+dce37069fc9324a7f0b8f1b4921cf491
\ No newline at end of file
diff --git a/LayoutTests/platform/mac/svg/foreignObject/svg-document-as-direct-child-expected.png b/LayoutTests/platform/mac/svg/foreignObject/svg-document-as-direct-child-expected.png
new file mode 100644
index 0000000..d061dcf
Binary files /dev/null and b/LayoutTests/platform/mac/svg/foreignObject/svg-document-as-direct-child-expected.png differ
diff --git a/LayoutTests/platform/mac/svg/foreignObject/svg-document-as-direct-child-expected.txt b/LayoutTests/platform/mac/svg/foreignObject/svg-document-as-direct-child-expected.txt
new file mode 100644
index 0000000..03267a2
--- /dev/null
+++ b/LayoutTests/platform/mac/svg/foreignObject/svg-document-as-direct-child-expected.txt
@@ -0,0 +1,19 @@
+layer at (0,0) size 800x600
+ RenderView at (0,0) size 800x600
+layer at (0,0) size 800x600
+ RenderSVGRoot {svg} at (0,0) size 800x600
+ RenderForeignObject {foreignObject} at (0,0) size 300x100
+ RenderSVGRoot {svg} at (0,0) size 300x600
+ RenderSVGContainer {g} at (0,6) size 33x18
+ RenderSVGText {text} at (0,6) size 33x18 contains 1 chunk(s)
+ RenderSVGInlineText {#text} at (0,0) size 33x18
+ chunk 1 text run 1 at (0.00,20.00) startOffset 0 endOffset 5 width 33.00: "crash"
+ RenderText {#text} at (0,0) size 0x0
+ RenderForeignObject {foreignObject} at (0,50) size 300x100
+ RenderSVGRoot {svg} at (0,50) size 300x550
+ RenderPath {rect} at (0,50) size 100x100 [fill={[type=SOLID] [color=#008000]}] [data="M0.00,0.00 L100.00,0.00 L100.00,100.00 L0.00,100.00 Z"]
+ RenderText {#text} at (0,0) size 0x0
+ RenderForeignObject {foreignObject} at (0,150) size 300x100
+ RenderSVGRoot {svg} at (0,150) size 300x450
+ RenderPath {rect} at (0,150) size 100x100 [fill={[type=SOLID] [color=#008000]}] [data="M0.00,0.00 L100.00,0.00 L100.00,100.00 L0.00,100.00 Z"]
+ RenderText {#text} at (0,0) size 0x0
diff --git a/LayoutTests/platform/mac/svg/foreignObject/svg-document-in-html-document-expected.checksum b/LayoutTests/platform/mac/svg/foreignObject/svg-document-in-html-document-expected.checksum
new file mode 100644
index 0000000..ca65798
--- /dev/null
+++ b/LayoutTests/platform/mac/svg/foreignObject/svg-document-in-html-document-expected.checksum
@@ -0,0 +1 @@
+ec7fc2acc3b0cb92e8b1a8342c19b88d
\ No newline at end of file
diff --git a/LayoutTests/platform/mac/svg/foreignObject/svg-document-in-html-document-expected.png b/LayoutTests/platform/mac/svg/foreignObject/svg-document-in-html-document-expected.png
new file mode 100644
index 0000000..21eedc2
Binary files /dev/null and b/LayoutTests/platform/mac/svg/foreignObject/svg-document-in-html-document-expected.png differ
diff --git a/LayoutTests/platform/mac/svg/foreignObject/svg-document-in-html-document-expected.txt b/LayoutTests/platform/mac/svg/foreignObject/svg-document-in-html-document-expected.txt
new file mode 100644
index 0000000..bde8324
--- /dev/null
+++ b/LayoutTests/platform/mac/svg/foreignObject/svg-document-in-html-document-expected.txt
@@ -0,0 +1,16 @@
+layer at (0,0) size 800x600
+ RenderView at (0,0) size 800x600
+layer at (0,0) size 800x600
+ RenderSVGRoot {svg} at (0,0) size 800x600
+ RenderForeignObject {foreignObject} at (0,0) size 300x100
+ RenderBlock {html} at (0,0) size 300x638
+ RenderBlock {p} at (0,0) size 300x18
+ RenderText {#text} at (0,0) size 218x18
+ text run at (0,0) width 218: "Test from HTML in foreignObject"
+ RenderBlock (anonymous) at (0,34) size 300x604
+ RenderSVGRoot {svg} at (0,34) size 300x566
+ RenderPath {rect} at (0,34) size 20x20 [fill={[type=SOLID] [color=#008000]}] [data="M0.00,0.00 L20.00,0.00 L20.00,20.00 L0.00,20.00 Z"]
+ RenderSVGText {text} at (0,36) size 271x18 contains 1 chunk(s)
+ RenderSVGInlineText {#text} at (0,0) size 271x18
+ chunk 1 text run 1 at (0.00,50.00) startOffset 0 endOffset 38 width 271.00: "Test from SVG in HTML in foreignObject"
+ RenderText {#text} at (0,0) size 0x0
diff --git a/LayoutTests/platform/mac/svg/foreignObject/text-tref-02-b-expected.checksum b/LayoutTests/platform/mac/svg/foreignObject/text-tref-02-b-expected.checksum
new file mode 100644
index 0000000..8c8348c
--- /dev/null
+++ b/LayoutTests/platform/mac/svg/foreignObject/text-tref-02-b-expected.checksum
@@ -0,0 +1 @@
+e6217efb0d62dbcdeef1c6aa54685463
\ No newline at end of file
diff --git a/LayoutTests/platform/mac/svg/foreignObject/text-tref-02-b-expected.png b/LayoutTests/platform/mac/svg/foreignObject/text-tref-02-b-expected.png
new file mode 100644
index 0000000..14fbe20
Binary files /dev/null and b/LayoutTests/platform/mac/svg/foreignObject/text-tref-02-b-expected.png differ
diff --git a/LayoutTests/platform/mac/svg/foreignObject/text-tref-02-b-expected.txt b/LayoutTests/platform/mac/svg/foreignObject/text-tref-02-b-expected.txt
new file mode 100644
index 0000000..80d4e13
--- /dev/null
+++ b/LayoutTests/platform/mac/svg/foreignObject/text-tref-02-b-expected.txt
@@ -0,0 +1,26 @@
+layer at (0,0) size 800x600
+ RenderView at (0,0) size 800x600
+layer at (0,0) size 800x600
+ RenderSVGRoot {svg} at (0,0) size 800x600
+ RenderSVGHiddenContainer {defs} at (0,0) size 0x0
+ RenderSVGContainer {g} at (125,23) size 572x24
+ RenderSVGText {text} at (75,14) size 343x14 contains 1 chunk(s)
+ RenderSVGInlineText {#text} at (0,0) size 343x14
+ chunk 1 text run 1 at (75.00,25.00) startOffset 0 endOffset 63 width 343.00: "Test 'tref' element pointing outside the SVG document fragment."
+ RenderSVGText {text}
+ RenderSVGInline {tref} at (0,0) size 0x0
+ RenderSVGInlineText {#text} at (0,0) size 0x0
+ RenderSVGInline {tref} at (0,0) size 0x0
+ RenderSVGInlineText {#text} at (0,0) size 0x0
+ RenderSVGHiddenContainer {defs} at (0,0) size 0x0
+ RenderForeignObject {foreignObject} at (0,0) size 0x0
+ RenderSVGRoot {svg} at (0,0) size 0x0
+ RenderSVGText {text} at (0,-17) size 41x21 contains 1 chunk(s)
+ RenderSVGInlineText {#text} at (0,0) size 41x21
+ chunk 1 text run 1 at (0.00,0.00) startOffset 0 endOffset 5 width 41.00: "Hello"
+ RenderText {#text} at (0,0) size 0x0
+ RenderSVGContainer {g} at (16,516) size 386x63
+ RenderSVGText {text} at (10,310) size 231x37 contains 1 chunk(s)
+ RenderSVGInlineText {#text} at (0,0) size 231x37
+ chunk 1 text run 1 at (10.00,340.00) startOffset 0 endOffset 16 width 231.00: "$Revision: 1.5 $"
+ RenderPath {rect} at (0,0) size 800x600 [stroke={[type=SOLID] [color=#000000]}] [data="M1.00,1.00 L479.00,1.00 L479.00,359.00 L1.00,359.00 Z"]
diff --git a/LayoutTests/svg/foreignObject/disallowed-svg-nodes-as-direct-children.svg b/LayoutTests/svg/foreignObject/disallowed-svg-nodes-as-direct-children.svg
new file mode 100644
index 0000000..f19b917
--- /dev/null
+++ b/LayoutTests/svg/foreignObject/disallowed-svg-nodes-as-direct-children.svg
@@ -0,0 +1,7 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+<!-- There shouldn't be any child render objects created for the foreignObject element, as partial SVG content in foreignObject -->
+<foreignObject width="300" height="100">
+ <g><text>This should not crash</text></g>
+ <g xmlns="http://www.w3.org/2000/svg"><rect/></g>
+</foreignObject>
+</svg>
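Review bot: the comment on line 2 is a sentence fragment ("as partial SVG content in foreignObject"); finish it, e.g. "... because partial SVG content in foreignObject is not allowed". Also note that both <g> elements are in the SVG namespace (line 4 inherits the default namespace from the root, line 5 declares it explicitly), so the two cases differ only in their content, not in namespace; a comment saying so avoids the impression that line 4 is a non-SVG child.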
diff --git a/LayoutTests/svg/foreignObject/no-crash-with-svg-content-in-html-document.svg b/LayoutTests/svg/foreignObject/no-crash-with-svg-content-in-html-document.svg
new file mode 100644
index 0000000..5f70c2d
--- /dev/null
+++ b/LayoutTests/svg/foreignObject/no-crash-with-svg-content-in-html-document.svg
@@ -0,0 +1,12 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+<!-- Only valid svg subdocuments (enclosed by <svg xmlns="svgNS">) are allowed in fO documents. No renderers should be created for <g> and children -->
+<foreignObject width="300" height="100">
+ <html xmlns="http://www.w3.org/1999/xhtml">
+ <p>This should not crash</p>
+ <g xmlns="http://www.w3.org/2000/svg">
+ <text y="20">This should not be shown</text>
+ </g>
+ <g/>
+ </html>
+</foreignObject>
+</svg>
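Review bot: the comment on line 2 says no renderers should be created for <g> and children, but the second <g/> on line 9 sits inside <html xmlns="http://www.w3.org/1999/xhtml"> and so is an XHTML-namespace element; it does get a renderer (the -expected.txt shows "RenderInline {g}"). Reword the comment to say only the SVG-namespace <g> (line 6) is suppressed, so the contrast reads as intentional.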
diff --git a/LayoutTests/svg/foreignObject/svg-document-as-direct-child.svg b/LayoutTests/svg/foreignObject/svg-document-as-direct-child.svg
new file mode 100644
index 0000000..1edb02f
--- /dev/null
+++ b/LayoutTests/svg/foreignObject/svg-document-as-direct-child.svg
@@ -0,0 +1,21 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+<!-- Renderes should be created for all elements in the fO subtree -->
+<foreignObject width="300" height="100">
+ <svg xmlns="http://www.w3.org/2000/svg">
+ <g><text y="20">crash</text></g>
+ </svg>
+</foreignObject>
+
+<foreignObject y="50" width="300" height="100">
+ <svg xmlns="http://www.w3.org/2000/svg">
+ <rect fill="green" width="100" height="100"/>
+ </svg>
+</foreignObject>
+
+<foreignObject y="150" width="300" height="100">
+ <!-- This is in SVG namespace, as it's inherited from the top svg element -->
+ <svg>
+ <rect fill="green" width="100" height="100"/>
+ </svg>
+</foreignObject>
+</svg>
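Review bot: typo on line 2, "Renderes" should be "Renderers". The third case (lines 15-20) relies on the comment to explain why the unprefixed <svg> is still in the SVG namespace; good, that is the case most likely to be misread.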
diff --git a/LayoutTests/svg/foreignObject/svg-document-in-html-document.svg b/LayoutTests/svg/foreignObject/svg-document-in-html-document.svg
new file mode 100644
index 0000000..3549a59
--- /dev/null
+++ b/LayoutTests/svg/foreignObject/svg-document-in-html-document.svg
@@ -0,0 +1,11 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+<foreignObject width="300" height="100">
+ <html xmlns="http://www.w3.org/1999/xhtml">
+ <p>Test from HTML in foreignObject</p>
+ <svg xmlns="http://www.w3.org/2000/svg">
+ <rect width="20" height="20" fill="green"/>
+ <text y="50">Test from SVG in HTML in foreignObject</text>
+ </svg>
+ </html>
+</foreignObject>
+</svg>
diff --git a/LayoutTests/svg/foreignObject/text-tref-02-b.svg b/LayoutTests/svg/foreignObject/text-tref-02-b.svg
new file mode 100644
index 0000000..7773c95
--- /dev/null
+++ b/LayoutTests/svg/foreignObject/text-tref-02-b.svg
@@ -0,0 +1,79 @@
+<!DOCTYPE svg [
+<!ATTLIST bar id ID #REQUIRED>
+]>
+<svg version="1.1" baseProfile="basic" id="svg-root"
+ width="100%" height="100%" viewBox="0 0 480 360"
+ xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+ <!--======================================================================-->
+ <!--= SVG 1.1 2nd Edition Test Case =-->
+ <!--======================================================================-->
+ <!--= Copyright 2009 World Wide Web Consortium, (Massachusetts =-->
+ <!--= Institute of Technology, European Research Consortium for =-->
+ <!--= Informatics and Mathematics (ERCIM), Keio University). =-->
+ <!--= All Rights Reserved. =-->
+ <!--= See http://www.w3.org/Consortium/Legal/. =-->
+ <!--======================================================================-->
+ <d:SVGTestCase xmlns:d="http://www.w3.org/2000/02/svg/testsuite/description/"
+ template-version="1.4" reviewer="ED" author="CL" status="accepted"
+ version="$Revision: 1.5 $" testname="$RCSfile: text-tref-02-b.svg,v $">
+ <d:testDescription xmlns="http://www.w3.org/1999/xhtml" href="http://www.w3.org/TR/SVG11/text.html#TRefElement">
+ <p>
+ Test viewer capability to handle 'tref' elements
+ which point to text strings outside the current SVG document fragment.
+ </p>
+ <p>
+ The test case consists of two sub-tests; one results in the word "Hello" and the second, the word "World".
+ </p>
+ </d:testDescription>
+ <d:operatorScript xmlns="http://www.w3.org/1999/xhtml">
+ <p>
+ Run the test. No interaction required.
+ </p>
+ </d:operatorScript>
+ <d:passCriteria xmlns="http://www.w3.org/1999/xhtml">
+ <p>
+ The test is passed if the phrase "Hello World" is displayed, in green.
+ </p>
+ </d:passCriteria>
+ </d:SVGTestCase>
+ <title id="test-title">$RCSfile: text-tref-02-b.svg,v $</title>
+ <defs>
+ <font-face font-family="SVGFreeSansASCII" unicode-range="U+0-7F">
+ <font-face-src>
+ <font-face-uri xlink:href="../resources/SVGFreeSans.svg#ascii"/>
+ </font-face-src>
+ </font-face>
+ </defs>
+ <g id="test-body-content" font-family="SVGFreeSansASCII,sans-serif" font-size="18">
+ <!-- Test case label -->
+ <text x="75" y="25" font-family="SVGFreeSansASCII,sans-serif" font-size="12" fill="blue">Test 'tref' element pointing outside the SVG document fragment.</text>
+
+ <text x="75" y="200" font-size="36" font-family="SVGFreeSansASCII,sans-serif" fill="green">
+ <tref xlink:href="#hello"/>
+ <tref xlink:href="#world"/>
+ </text>
+<!-- now make a new SVG document fragment, and hide it from being rendered -->
+<defs>
+ <foreignObject>
+ <svg>
+ <text id="hello">Hello</text>
+ </svg>
+ </foreignObject>
+</defs>
+<!-- and another way to make a separate document fragment -->
+<foo xmlns="http://example.org/foo">
+ <bar id="world">World</bar>
+</foo>
+
+ </g>
+ <g font-family="SVGFreeSansASCII,sans-serif" font-size="32">
+ <text id="revision" x="10" y="340" stroke="none" fill="black">$Revision: 1.5 $</text>
+ </g>
+ <rect id="test-frame" x="1" y="1" width="478" height="358" fill="none" stroke="#000000"/>
+ <!-- comment out this watermark once the test is approved -->
+ <!--<g id="draft-watermark">
+ <rect x="1" y="1" width="478" height="20" fill="red" stroke="black" stroke-width="1"/>
+ <text font-family="SVGFreeSansASCII,sans-serif" font-weight="bold" font-size="20" x="240"
+ text-anchor="middle" y="18" stroke-width="0.5" stroke="black" fill="white">DRAFT</text>
+ </g>-->
+</svg>
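Review bot: this is the W3C SVG 1.1 2nd Edition test copied verbatim, including the font-face-uri reference to ../resources/SVGFreeSans.svg (line 43); confirm that path resolves from LayoutTests/svg/foreignObject/, otherwise the font fallback silently changes the text metrics baked into the -expected.txt. The DOCTYPE internal subset on lines 1-3 is what makes the bar element's id an ID attribute, so it must stay even though the rest of the header boilerplate could be trimmed.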
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 595bcfd..d24485f 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,33 @@
+2010-06-23 Nikolas Zimmermann <nzimmermann at rim.com>
+
+ Reviewed by Eric Seidel.
+
+ Reproducible crash in com.apple.WebCore 0x01ed3784 WebCore::RenderLineBoxList::appendLineBox(WebCore::InlineFlowBox*) + 36
+ https://bugs.webkit.org/show_bug.cgi?id=40953
+
+ REGRESSION (r58209-58231): Memory corruption with invalid SVG
+ https://bugs.webkit.org/show_bug.cgi?id=40173
+
+ Fix several crashes, all related to <foreignObject> and/or invalid SVG documents.
+ - Only allow <svg> nodes, as direct children of a <foreignObject>, not any other "partial" SVG content.
+ - Assure to create RenderSVGRoot objects for <svg> nodes in <foreignObject>, treat them as "outermost SVG elements".
+ - Never allow any partial SVG content to appear in any document. Only <svg> elements are allowed.
+
+ Tests: svg/custom/bug45331.svg
+ svg/foreignObject/disallowed-svg-nodes-as-direct-children.svg
+ svg/foreignObject/no-crash-with-svg-content-in-html-document.svg
+ svg/foreignObject/svg-document-as-direct-child.svg
+ svg/foreignObject/svg-document-in-html-document.svg
+ svg/foreignObject/text-tref-02-b.svg
+
+ * dom/Element.cpp: Added childShouldCreateRenderer, with ENABLE(SVG) guards.
+ (WebCore::Element::childShouldCreateRenderer): Only create a renderer for a SVG child, if we're a SVG element, or if the child is a <svg> element.
+ * dom/Element.h: Added childShouldCreateRenderer, with ENABLE(SVG) guards.
+ * svg/SVGForeignObjectElement.cpp:
+ (WebCore::SVGForeignObjectElement::childShouldCreateRenderer): Disallow arbitary SVG content, only <svg> elements are allowed as direct children of a <foreignObject>
+ * svg/SVGSVGElement.cpp:
+ (WebCore::SVGSVGElement::isOutermostSVG): Be sure to create RenderSVGRoot objects for <svg> elements inside <foreignObject>
+
2010-06-10 Abhishek Arya <inferno at chromium.org>
Reviewed by Dave Hyatt.
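Review bot: typo "arbitary" in the SVGForeignObjectElement::childShouldCreateRenderer entry, and "Assure to create" reads better as "Make sure to create". Otherwise the entry documents all three behaviour changes and the test list clearly.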
diff --git a/WebCore/dom/Element.cpp b/WebCore/dom/Element.cpp
index 8967f14..3ba30bb 100644
--- a/WebCore/dom/Element.cpp
+++ b/WebCore/dom/Element.cpp
@@ -1540,4 +1540,15 @@ const QualifiedName& Element::rareIDAttributeName() const
return rareData()->m_idAttributeName;
}
+#if ENABLE(SVG)
+bool Element::childShouldCreateRenderer(Node* child) const
+{
+ // Only create renderers for SVG elements whose parents are SVG elements, or for proper <svg xmlns="svgNS"> subdocuments.
+ if (child->isSVGElement())
+ return child->hasTagName(SVGNames::svgTag) || isSVGElement();
+
+ return Node::childShouldCreateRenderer(child);
+}
+#endif
+
} // namespace WebCore
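Review bot: the new Element::childShouldCreateRenderer uses SVGNames::svgTag but the hunk adds no #include "SVGNames.h"; confirm Element.cpp already includes it under ENABLE(SVG) or the SVG build breaks. The fallthrough calls Node::childShouldCreateRenderer directly rather than the immediate base class; if that is deliberate (no intermediate override intended), a one-line comment saying the base default is wanted would keep a later cleanup from "fixing" it.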
diff --git a/WebCore/dom/Element.h b/WebCore/dom/Element.h
index 348ed1c..36c4f1b 100644
--- a/WebCore/dom/Element.h
+++ b/WebCore/dom/Element.h
@@ -270,6 +270,10 @@ public:
virtual void dispatchFormControlChangeEvent() { }
+#if ENABLE(SVG)
+ virtual bool childShouldCreateRenderer(Node*) const;
+#endif
+
protected:
Element(const QualifiedName&, Document*, ConstructionType);
diff --git a/WebCore/svg/SVGForeignObjectElement.cpp b/WebCore/svg/SVGForeignObjectElement.cpp
index d28e2a4..e7b5389 100644
--- a/WebCore/svg/SVGForeignObjectElement.cpp
+++ b/WebCore/svg/SVGForeignObjectElement.cpp
@@ -125,6 +125,10 @@ RenderObject* SVGForeignObjectElement::createRenderer(RenderArena* arena, Render
bool SVGForeignObjectElement::childShouldCreateRenderer(Node* child) const
{
+ // Disallow arbitary SVG content. Only allow proper <svg xmlns="svgNS"> subdocuments.
+ if (child->isSVGElement())
+ return child->hasTagName(SVGNames::svgTag);
+
// Skip over SVG rules which disallow non-SVG kids
return StyledElement::childShouldCreateRenderer(child);
}
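Review bot: typo "arbitary" in the comment on the first added line. More importantly, this early return is essential rather than a shortcut: foreignObject is itself an SVG element, so without it the new Element::childShouldCreateRenderer would accept any SVG child via isSVGElement(); the comment should say so, so that nobody later folds this override into the base class.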
diff --git a/WebCore/svg/SVGSVGElement.cpp b/WebCore/svg/SVGSVGElement.cpp
index 4c06008..5237715 100644
--- a/WebCore/svg/SVGSVGElement.cpp
+++ b/WebCore/svg/SVGSVGElement.cpp
@@ -538,6 +538,10 @@ bool SVGSVGElement::isOutermostSVG() const
if (!parentNode())
return true;
+ // We act like an outermost SVG element, if we're a direct child of a <foreignObject> element.
+ if (parentNode()->hasTagName(SVGNames::foreignObjectTag))
+ return true;
+
// This is true whenever this is the outermost SVG, even if there are HTML elements outside it
return !parentNode()->isSVGElement();
}
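Review bot: the new check only changes the result for an <svg> that is a direct child of <foreignObject>; an <svg> nested inside <html> within foreignObject (svg-document-in-html-document.svg) already returns true from the !parentNode()->isSVGElement() line below. Worth stating in the comment, together with the invariant that any <svg> SVGForeignObjectElement::childShouldCreateRenderer accepts must be treated as outermost here, since an <svg> accepted there but not given a RenderSVGRoot would recreate the partial-content shape the bug report describes.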
--
WebKit Debian packaging