Title: [132724] trunk
Revision
132724
Author
p...@google.com
Date
2012-10-27 00:01:34 -0700 (Sat, 27 Oct 2012)

Log Message

Prevent NaN offset values in ElementTimeControl.
https://bugs.webkit.org/show_bug.cgi?id=100322

Reviewed by Abhishek Arya.

Source/WebCore:

NaN values can cause ElementTimeControl to go back in time!
If a value of NaN is passed to ElementTimeControl::beginElementAt(offset),
subsequent sorting will cause an assert in SVGSMILElement::findInstanceTime
because NaN values are not properly sorted. NaN SMILTime values
should not be allowed at all, so this patch adds a check for them in
ElementTimeControl's setters.

This patch also adds preventative asserts to catch if SMILTime is ever
initialized with NaN, or if addEndTime/addBeginTime are ever called
with NaN values.

Test: svg/custom/elementTimeControl-nan-crash.html

* svg/SVGAnimationElement.cpp:
(WebCore::SVGAnimationElement::beginElementAt):
(WebCore::SVGAnimationElement::endElementAt):
* svg/animation/SMILTime.h:
(WebCore::SMILTime::SMILTime):
* svg/animation/SVGSMILElement.cpp:
(WebCore::SVGSMILElement::addBeginTime):
(WebCore::SVGSMILElement::addEndTime):

LayoutTests:

* svg/custom/elementTimeControl-nan-crash-expected.txt: Added.
* svg/custom/elementTimeControl-nan-crash.html: Added.


Modified: trunk/LayoutTests/ChangeLog (132723 => 132724)


--- trunk/LayoutTests/ChangeLog	2012-10-27 06:55:17 UTC (rev 132723)
+++ trunk/LayoutTests/ChangeLog	2012-10-27 07:01:34 UTC (rev 132724)
@@ -1,3 +1,13 @@
+2012-10-26  Philip Rogers  <p...@google.com>
+
+        Prevent NaN offset values in ElementTimeControl.
+        https://bugs.webkit.org/show_bug.cgi?id=100322
+
+        Reviewed by Abhishek Arya.
+
+        * svg/custom/elementTimeControl-nan-crash-expected.txt: Added.
+        * svg/custom/elementTimeControl-nan-crash.html: Added.
+
 2012-10-26  Csaba Osztrogonác  <o...@webkit.org>
 
         [Qt] Unreviewed weekend gardening, skip new failing tests.

Added: trunk/LayoutTests/svg/custom/elementTimeControl-nan-crash-expected.txt (0 => 132724)


--- trunk/LayoutTests/svg/custom/elementTimeControl-nan-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/elementTimeControl-nan-crash-expected.txt	2012-10-27 07:01:34 UTC (rev 132724)
@@ -0,0 +1 @@
+Test for WK100322: ElementTimeControl should check for invalid values. This test passes if it does not crash.

Added: trunk/LayoutTests/svg/custom/elementTimeControl-nan-crash.html (0 => 132724)


--- trunk/LayoutTests/svg/custom/elementTimeControl-nan-crash.html	                        (rev 0)
+++ trunk/LayoutTests/svg/custom/elementTimeControl-nan-crash.html	2012-10-27 07:01:34 UTC (rev 132724)
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+    function crash() {
+        var animate = document.getElementById('animate');
+        var svg = document.getElementById('svg');
+        animate.endElementAt(NaN);
+        animate.beginElementAt(NaN);
+        svg.setCurrentTime(2);
+        if (window.testRunner)
+            testRunner.dumpAsText();
+    }
+</script>
+</head>
+<body _onload_="crash()">
+Test for WK100322: ElementTimeControl should check for invalid values. This test passes if it does not crash.
+
+<svg id="svg" width="200" height="200">
+    <rect x="0" y="0" width="100" height="100" fill="green">
+        <animate id="animate" attributeName="x" to="200" begin="3s"/>
+    </rect>
+</svg>
+</body>
+</html>
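Review bot: The body tag reads `_onload_="crash()"`, which if taken literally is not a recognised event attribute, so `crash()` would never run and the test would pass vacuously without exercising `beginElementAt(NaN)` at all. This is most likely an artifact of the mailing-list rendering rather than the committed file, but it is worth confirming that the checked-in test has `<body onload="crash()">`. The test also only checks for the absence of a crash; a follow-up assertion that the animation's begin time list still starts at 3s after `setCurrentTime(2)` would additionally pin the "goes back in time" symptom described in the log message.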

Modified: trunk/Source/WebCore/ChangeLog (132723 => 132724)


--- trunk/Source/WebCore/ChangeLog	2012-10-27 06:55:17 UTC (rev 132723)
+++ trunk/Source/WebCore/ChangeLog	2012-10-27 07:01:34 UTC (rev 132724)
@@ -1,3 +1,32 @@
+2012-10-26  Philip Rogers  <p...@google.com>
+
+        Prevent NaN offset values in ElementTimeControl.
+        https://bugs.webkit.org/show_bug.cgi?id=100322
+
+        Reviewed by Abhishek Arya.
+
+        NaN values can cause ElementTimeControl to go back in time!
+        If a value of NaN is passed to ElementTimeControl::beginElementAt(offset),
+        subsequent sorting will cause an assert in SVGSMILElement::findInstanceTime
+        because NaN values are not properly sorted. NaN SMILTime values
+        should not be allowed at all, so this patch adds a check for them in
+        ElementTimeControl's setters.
+ 
+        This patch also adds preventative asserts to catch if SMILTime is ever
+        initialized with NaN, or if addEndTime/addBeginTime are ever called
+        with NaN values.
+
+        Test: svg/custom/elementTimeControl-nan-crash.html
+
+        * svg/SVGAnimationElement.cpp:
+        (WebCore::SVGAnimationElement::beginElementAt):
+        (WebCore::SVGAnimationElement::endElementAt):
+        * svg/animation/SMILTime.h:
+        (WebCore::SMILTime::SMILTime):
+        * svg/animation/SVGSMILElement.cpp:
+        (WebCore::SVGSMILElement::addBeginTime):
+        (WebCore::SVGSMILElement::addEndTime):
+
 2012-10-26  Charles Wei  <charles....@torchmobile.com.cn>
 
         [BlackBerry] Browser prematurely sends wrong credentials

Modified: trunk/Source/WebCore/svg/SVGAnimationElement.cpp (132723 => 132724)


--- trunk/Source/WebCore/svg/SVGAnimationElement.cpp	2012-10-27 06:55:17 UTC (rev 132723)
+++ trunk/Source/WebCore/svg/SVGAnimationElement.cpp	2012-10-27 07:01:34 UTC (rev 132724)
@@ -39,6 +39,7 @@
 #include "SVGNames.h"
 #include "SVGParserUtilities.h"
 #include "SVGStyledElement.h"
+#include <wtf/MathExtras.h>
 
 namespace WebCore {
 
@@ -240,6 +241,8 @@
 
 void SVGAnimationElement::beginElementAt(float offset)
 {
+    if (isnan(offset))
+        return;
     SMILTime elapsed = this->elapsed();
     addBeginTime(elapsed, elapsed + offset, SMILTimeWithOrigin::ScriptOrigin);
 }
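Review bot: The new guard in beginElementAt rejects NaN but still lets ±Infinity through, so `elapsed + offset` can produce an infinite SMILTime; whether that is acceptable depends on how `SMILTime::unresolved()` and the indefinite sentinel are represented, which is not visible here, so if infinite offsets are not meant to be valid the check should be `if (isnan(offset) || isinf(offset))` (or equivalently `!std::isfinite(offset)`). The same applies to the endElementAt hunk below. A one-line comment such as `// Script can pass any double; NaN would break the sorted time lists.` would record why this guard lives in the setter rather than in SMILTime, whose check is an assert only.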
@@ -251,6 +254,8 @@
 
 void SVGAnimationElement::endElementAt(float offset)
 {
+    if (isnan(offset))
+        return;
     SMILTime elapsed = this->elapsed();
     addEndTime(elapsed, elapsed + offset, SMILTimeWithOrigin::ScriptOrigin);
 }

Modified: trunk/Source/WebCore/svg/animation/SMILTime.h (132723 => 132724)


--- trunk/Source/WebCore/svg/animation/SMILTime.h	2012-10-27 06:55:17 UTC (rev 132723)
+++ trunk/Source/WebCore/svg/animation/SMILTime.h	2012-10-27 07:01:34 UTC (rev 132724)
@@ -29,13 +29,14 @@
 #if ENABLE(SVG)
 
 #include <algorithm>
+#include <wtf/MathExtras.h>
 
 namespace WebCore {
 
 class SMILTime {
 public:
     SMILTime() : m_time(0) { }
-    SMILTime(double time) : m_time(time) { }
+    SMILTime(double time) : m_time(time) { ASSERT(!isnan(time)); }
     SMILTime(const SMILTime& o) : m_time(o.m_time) { }
     
     static SMILTime unresolved() { return unresolvedValue; }
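Review bot: `ASSERT(!isnan(time))` in the converting constructor is a debug-only check, so release builds still construct NaN-valued SMILTimes whenever a caller forgets the guard that this commit adds to the ElementTimeControl setters; the constructor is also implicit, so the conversion happens silently at every `SMILTime + double` site. A comment stating the invariant and where it is enforced would help, e.g. `// NaN is never a valid SMIL time: the sorted time lists in SVGSMILElement rely on total ordering, so callers must reject NaN before constructing.` The enclosing class continues outside the hunk.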

Modified: trunk/Source/WebCore/svg/animation/SVGSMILElement.cpp (132723 => 132724)


--- trunk/Source/WebCore/svg/animation/SVGSMILElement.cpp	2012-10-27 06:55:17 UTC (rev 132723)
+++ trunk/Source/WebCore/svg/animation/SVGSMILElement.cpp	2012-10-27 07:01:34 UTC (rev 132724)
@@ -713,6 +713,7 @@
 
 void SVGSMILElement::addBeginTime(SMILTime eventTime, SMILTime beginTime, SMILTimeWithOrigin::Origin origin)
 {
+    ASSERT(!isnan(beginTime.value()));
     m_beginTimes.append(SMILTimeWithOrigin(beginTime, origin));
     sortTimeList(m_beginTimes);
     beginListChanged(eventTime);
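Review bot: The assert added at the top of addBeginTime (and the matching one in the addEndTime hunk below) fires only in debug builds; in release builds a NaN `beginTime` is still appended and passed to sortTimeList, which is exactly the unordered-comparison scenario the log message describes. Since this commit also asserts in the SMILTime converting constructor, this assert is only reachable through a path that produced the SMILTime without that constructor (e.g. the copy constructor), so its purpose should be stated: `// Debug-only defence in depth; NaN must already have been rejected by the caller (see SVGAnimationElement::beginElementAt).` If release-build safety is wanted, an early `if (isnan(beginTime.value())) return;` would be needed instead, but that is a behavioural choice the commit deliberately leaves to the public setters.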
@@ -720,6 +721,7 @@
 
 void SVGSMILElement::addEndTime(SMILTime eventTime, SMILTime endTime, SMILTimeWithOrigin::Origin origin)
 {
+    ASSERT(!isnan(endTime.value()));
     m_endTimes.append(SMILTimeWithOrigin(endTime, origin));
     sortTimeList(m_endTimes);
     endListChanged(eventTime);