Modified: branches/safari-536.26-branch/ChangeLog (124042 => 124043)
--- branches/safari-536.26-branch/ChangeLog 2012-07-30 17:22:35 UTC (rev 124042)
+++ branches/safari-536.26-branch/ChangeLog 2012-07-30 17:24:07 UTC (rev 124043)
@@ -1,3 +1,18 @@
+2012-07-30 Lucas Forschler <lforsch...@apple.com>
+
+ Merge 116647
+
+ 2012-05-09 Stephen Chenney <schen...@chromium.org>
+
+ SVG Filters allow invalid elements as children
+ https://bugs.webkit.org/show_bug.cgi?id=83979
+
+ Reviewed by Nikolas Zimmermann.
+
+ This test will crash upon load in Chromium, unless the associated fix is in.
+
+ * ManualTests/bugzilla-83979.svg: Added.
+
2012-05-31 Tim Horton <timothy_hor...@apple.com>
Add feature defines for web-facing parts of CSS Regions and Exclusions
Copied: branches/safari-536.26-branch/ManualTests/bugzilla-83979.svg (from rev 116647, trunk/ManualTests/bugzilla-83979.svg) (0 => 124043)
--- branches/safari-536.26-branch/ManualTests/bugzilla-83979.svg (rev 0)
+++ branches/safari-536.26-branch/ManualTests/bugzilla-83979.svg 2012-07-30 17:24:07 UTC (rev 124043)
@@ -0,0 +1,16 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+ <defs>
+ <filter id="ds2">
+ <feGaussianBlur id="blur" result="blur"/>
+ </filter>
+ </defs>
+ <text x="50" y="50">This test passes if it does not crash after load in Debug builds.</text>
+ <image id="image" xlink:href="" xmlns='http://www.w3.org/2000/svg'%3E%3Crect/%3E%3C/svg%3E" width="50" height="50" filter="url(#ds2)"/>
+<script><![CDATA[
+for (var i = 0; i < 10000; i++) {
+}
+document.getElementById("blur").appendChild(document.getElementById("image").cloneNode());
+for (var i = 0; i < 10000; i++) {
+}
+]]></script>
+</svg>
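Review bot: The `xlink:href` attribute on the `<image>` element at L34 is not well-formed as shown — it reads `xlink:href="" xmlns='http://www.w3.org/2000/svg'%3E%3Crect/%3E%3C/svg%3E"` with an unbalanced quote, and an XML parse error would stop the script from ever running, so the crash repro would silently never exercise the fix. This may be page-rendering damage to an encoded data: URL rather than the committed file, but it is worth confirming the file on the branch parses. The two empty 10000-iteration loops at L36–L37 and L39–L40 also carry no explanation; a one-line comment before the first, stating why the loops are needed for the repro (timing/layout, as far as the author intends), would keep a future maintainer from deleting them as dead code.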
Modified: branches/safari-536.26-branch/Source/WebCore/ChangeLog (124042 => 124043)
--- branches/safari-536.26-branch/Source/WebCore/ChangeLog 2012-07-30 17:22:35 UTC (rev 124042)
+++ branches/safari-536.26-branch/Source/WebCore/ChangeLog 2012-07-30 17:24:07 UTC (rev 124043)
@@ -1,5 +1,34 @@
2012-07-30 Lucas Forschler <lforsch...@apple.com>
+ Merge 116647
+
+ 2012-05-10 Stephen Chenney <schen...@chromium.org>
+
+ SVG Filters allow invalid elements as children
+ https://bugs.webkit.org/show_bug.cgi?id=83979
+
+ Reviewed by Nikolas Zimmermann.
+
+ According to the SVG spec, there are numerous restrictions on the
+ content of nodes (that is, their children). Specific to this problem,
+ SVGFilter elements may only contain SVGFilterPrimitive elements, and
+ those may only contain animation related elements. This patch enforces
+ the restriction on filters in the render tree, thus preventing us from
+ having (for instance) content that is inside a filter yet filtered by
+ the filter.
+
+ Manual test: ManualTests/bugzilla-83979.svg
+
+ * svg/SVGFilterElement.cpp:
+ (WebCore::SVGFilterElement::childShouldCreateRenderer): Added to only allow renderers for fe* children
+ (WebCore):
+ * svg/SVGFilterElement.h:
+ (SVGFilterElement):
+ * svg/SVGFilterPrimitiveStandardAttributes.h: Do not allow any children at all for fe* elements.
+ (SVGFilterPrimitiveStandardAttributes):
+
+2012-07-30 Lucas Forschler <lforsch...@apple.com>
+
Merge 116642
2012-05-10 Keishi Hattori <kei...@webkit.org>
Modified: branches/safari-536.26-branch/Source/WebCore/svg/SVGFilterElement.cpp (124042 => 124043)
--- branches/safari-536.26-branch/Source/WebCore/svg/SVGFilterElement.cpp 2012-07-30 17:22:35 UTC (rev 124042)
+++ branches/safari-536.26-branch/Source/WebCore/svg/SVGFilterElement.cpp 2012-07-30 17:24:07 UTC (rev 124043)
@@ -27,6 +27,7 @@
#include "SVGFilterElement.h"
#include "Attr.h"
+#include "NodeRenderingContext.h"
#include "RenderSVGResourceFilter.h"
#include "SVGElementInstance.h"
#include "SVGFilterBuilder.h"
@@ -193,6 +194,45 @@
return new (arena) RenderSVGResourceFilter(this);
}
+bool SVGFilterElement::childShouldCreateRenderer(const NodeRenderingContext& childContext) const
+{
+ if (!childContext.node()->isSVGElement())
+ return false;
+
+ Element* element = static_cast<Element*>(childContext.node());
+
+ DEFINE_STATIC_LOCAL(HashSet<QualifiedName>, allowedChildElementTags, ());
+ if (allowedChildElementTags.isEmpty()) {
+ allowedChildElementTags.add(SVGNames::feBlendTag);
+ allowedChildElementTags.add(SVGNames::feColorMatrixTag);
+ allowedChildElementTags.add(SVGNames::feComponentTransferTag);
+ allowedChildElementTags.add(SVGNames::feCompositeTag);
+ allowedChildElementTags.add(SVGNames::feConvolveMatrixTag);
+ allowedChildElementTags.add(SVGNames::feDiffuseLightingTag);
+ allowedChildElementTags.add(SVGNames::feDisplacementMapTag);
+ allowedChildElementTags.add(SVGNames::feDistantLightTag);
+ allowedChildElementTags.add(SVGNames::feDropShadowTag);
+ allowedChildElementTags.add(SVGNames::feFloodTag);
+ allowedChildElementTags.add(SVGNames::feFuncATag);
+ allowedChildElementTags.add(SVGNames::feFuncBTag);
+ allowedChildElementTags.add(SVGNames::feFuncGTag);
+ allowedChildElementTags.add(SVGNames::feFuncRTag);
+ allowedChildElementTags.add(SVGNames::feGaussianBlurTag);
+ allowedChildElementTags.add(SVGNames::feImageTag);
+ allowedChildElementTags.add(SVGNames::feMergeTag);
+ allowedChildElementTags.add(SVGNames::feMergeNodeTag);
+ allowedChildElementTags.add(SVGNames::feMorphologyTag);
+ allowedChildElementTags.add(SVGNames::feOffsetTag);
+ allowedChildElementTags.add(SVGNames::fePointLightTag);
+ allowedChildElementTags.add(SVGNames::feSpecularLightingTag);
+ allowedChildElementTags.add(SVGNames::feSpotLightTag);
+ allowedChildElementTags.add(SVGNames::feTileTag);
+ allowedChildElementTags.add(SVGNames::feTurbulenceTag);
+ }
+
+ return allowedChildElementTags.contains<QualifiedName, SVGAttributeHashTranslator>(element->tagQName());
+}
+
bool SVGFilterElement::selfHasRelativeLengths() const
{
return x().isRelative()
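Review bot: The allowed-child set built at L99–L126 includes tags that the SVG spec permits only as children of filter primitives, not of `<filter>` itself — feFuncA/B/G/R, feMergeNode, feDistantLight, fePointLight and feSpotLight — so a light source or feFunc element placed directly under `<filter>` still passes this check, which is looser than the restriction the ChangeLog describes. If those element classes never request a renderer anyway (this hunk does not show that), the entries are harmless but misleading and should either be dropped or annotated, e.g. `// feFunc*, feMergeNode and light sources are only valid inside a primitive; listed defensively`. The function also has no comment stating its purpose; a header such as `// Per the SVG spec, <filter> may only contain filter primitive elements; refuse renderers for anything else so content inside a filter is never also filtered by it.` would make the intent auditable without the ChangeLog. As a style point, the 25 `add()` calls would be easier to review as a single static table of `QualifiedName` pointers iterated once into the set.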
Modified: branches/safari-536.26-branch/Source/WebCore/svg/SVGFilterElement.h (124042 => 124043)
--- branches/safari-536.26-branch/Source/WebCore/svg/SVGFilterElement.h 2012-07-30 17:22:35 UTC (rev 124042)
+++ branches/safari-536.26-branch/Source/WebCore/svg/SVGFilterElement.h 2012-07-30 17:24:07 UTC (rev 124043)
@@ -55,7 +55,8 @@
virtual void svgAttributeChanged(const QualifiedName&);
virtual void childrenChanged(bool changedByParser = false, Node* beforeChange = 0, Node* afterChange = 0, int childCountDelta = 0);
- virtual RenderObject* createRenderer(RenderArena*, RenderStyle*);
+ virtual RenderObject* createRenderer(RenderArena*, RenderStyle*) OVERRIDE;
+ virtual bool childShouldCreateRenderer(const NodeRenderingContext&) const OVERRIDE;
virtual bool selfHasRelativeLengths() const;
Modified: branches/safari-536.26-branch/Source/WebCore/svg/SVGFilterPrimitiveStandardAttributes.h (124042 => 124043)
--- branches/safari-536.26-branch/Source/WebCore/svg/SVGFilterPrimitiveStandardAttributes.h 2012-07-30 17:22:35 UTC (rev 124042)
+++ branches/safari-536.26-branch/Source/WebCore/svg/SVGFilterPrimitiveStandardAttributes.h 2012-07-30 17:24:07 UTC (rev 124043)
@@ -68,8 +68,9 @@
private:
virtual bool isFilterEffect() const { return true; }
- virtual RenderObject* createRenderer(RenderArena*, RenderStyle*);
- virtual bool rendererIsNeeded(const NodeRenderingContext&);
+ virtual RenderObject* createRenderer(RenderArena*, RenderStyle*) OVERRIDE;
+ virtual bool rendererIsNeeded(const NodeRenderingContext&) OVERRIDE;
+ virtual bool childShouldCreateRenderer(const NodeRenderingContext&) const OVERRIDE { return false; }
BEGIN_DECLARE_ANIMATED_PROPERTIES(SVGFilterPrimitiveStandardAttributes)
DECLARE_ANIMATED_LENGTH(X, x)