Title: [143859] trunk
- Revision: 143859
- Author: [email protected]
- Date: 2013-02-23 22:35:10 -0800 (Sat, 23 Feb 2013)
Log Message
Prevent crash in animated transform lists
https://bugs.webkit.org/show_bug.cgi?id=110704
Reviewed by Abhishek Arya.
Source/WebCore:
This change prevents accessing values off the end of toAtEndOfDuration by adding a check
for this case. Similar checks were added in r116458 but the author failed to catch this
case. WK110706 has been filed to handle this case in general.
This change also makes a trivial change that marks effectiveFrom as const.
Test: svg/animations/animateTransform-list-crash.html
* svg/SVGAnimatedTransformList.cpp:
(WebCore::SVGAnimatedTransformListAnimator::calculateAnimatedValue):
LayoutTests:
* svg/animations/animateTransform-list-crash-expected.txt: Added.
* svg/animations/animateTransform-list-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (143858 => 143859)
--- trunk/LayoutTests/ChangeLog 2013-02-24 06:18:41 UTC (rev 143858)
+++ trunk/LayoutTests/ChangeLog 2013-02-24 06:35:10 UTC (rev 143859)
@@ -1,3 +1,13 @@
+2013-02-23 Philip Rogers <[email protected]>
+
+ Prevent crash in animated transform lists
+ https://bugs.webkit.org/show_bug.cgi?id=110704
+
+ Reviewed by Abhishek Arya.
+
+ * svg/animations/animateTransform-list-crash-expected.txt: Added.
+ * svg/animations/animateTransform-list-crash.html: Added.
+
2013-02-23 Ryosuke Niwa <[email protected]>
Skip _javascript_DialogEvents.html since its result bleed into other tests non-deterministically per bug 110186.
Added: trunk/LayoutTests/svg/animations/animateTransform-list-crash-expected.txt (0 => 143859)
--- trunk/LayoutTests/svg/animations/animateTransform-list-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/svg/animations/animateTransform-list-crash-expected.txt 2013-02-24 06:35:10 UTC (rev 143859)
@@ -0,0 +1 @@
+Test for WK110704: This test passes if it does not crash.
Added: trunk/LayoutTests/svg/animations/animateTransform-list-crash.html (0 => 143859)
--- trunk/LayoutTests/svg/animations/animateTransform-list-crash.html (rev 0)
+++ trunk/LayoutTests/svg/animations/animateTransform-list-crash.html 2013-02-24 06:35:10 UTC (rev 143859)
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<body>
+Test for WK110704: This test passes if it does not crash.
+<svg xmlns="http://www.w3.org/2000/svg">
+ <animateTransform accumulate="sum" attributeName="transform" dur="0.01s" repeatCount="indefinite" type="translate" values="1 2; 3 4; a">
+</svg>
+<script>
+if (window.testRunner) {
+ testRunner.waitUntilDone();
+ testRunner.dumpAsText();
+}
+
+setTimeout(function() {
+ if (window.testRunner)
+ testRunner.notifyDone();
+}, 0.02);
+</script>
+</body>
+</html>
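Review bot: The `setTimeout` delay of `0.02` near the end of the script is in milliseconds, so `testRunner.notifyDone()` is called almost immediately, while the animation has `dur="0.01s"` (10 ms). The branch this change touches in SVGAnimatedTransformList.cpp only runs when `isAccumulated() && repeatCount` holds, so the test may finish before the first repeat and pass without ever reaching the fixed code. Suggest a delay of 20 (ms) or more, so at least one repeat has elapsed before the test reports done.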
Modified: trunk/Source/WebCore/ChangeLog (143858 => 143859)
--- trunk/Source/WebCore/ChangeLog 2013-02-24 06:18:41 UTC (rev 143858)
+++ trunk/Source/WebCore/ChangeLog 2013-02-24 06:35:10 UTC (rev 143859)
@@ -1,3 +1,21 @@
+2013-02-23 Philip Rogers <[email protected]>
+
+ Prevent crash in animated transform lists
+ https://bugs.webkit.org/show_bug.cgi?id=110704
+
+ Reviewed by Abhishek Arya.
+
+ This change prevents accessing values off the end of toAtEndOfDuration by adding a check
+ for this case. Similar checks were added in r116458 but the author failed to catch this
+ case. WK110706 has been filed to handle this case in general.
+
+ This change also makes a trivial change that marks effectiveFrom as const.
+
+ Test: svg/animations/animateTransform-list-crash.html
+
+ * svg/SVGAnimatedTransformList.cpp:
+ (WebCore::SVGAnimatedTransformListAnimator::calculateAnimatedValue):
+
2013-02-23 Dimitri Glazkov <[email protected]>
SelectorChecker should not know about SelectorCheckerFastPath.
Modified: trunk/Source/WebCore/svg/SVGAnimatedTransformList.cpp (143858 => 143859)
--- trunk/Source/WebCore/svg/SVGAnimatedTransformList.cpp 2013-02-24 06:18:41 UTC (rev 143858)
+++ trunk/Source/WebCore/svg/SVGAnimatedTransformList.cpp 2013-02-24 06:35:10 UTC (rev 143859)
@@ -116,11 +116,12 @@
unsigned fromTransformListSize = fromTransformList.size();
const SVGTransform& toTransform = toTransformList[0];
- SVGTransform effectiveFrom = fromTransformListSize ? fromTransformList[0] : SVGTransform(toTransform.type(), SVGTransform::ConstructZeroTransform);
+ const SVGTransform effectiveFrom = fromTransformListSize ? fromTransformList[0] : SVGTransform(toTransform.type(), SVGTransform::ConstructZeroTransform);
SVGTransform currentTransform = SVGTransformDistance(effectiveFrom, toTransform).scaledDistance(percentage).addToSVGTransform(effectiveFrom);
- if (m_animationElement->isAccumulated() && repeatCount)
- animatedTransformList.append(SVGTransformDistance::addSVGTransforms(currentTransform, toAtEndOfDurationTransformList[0], repeatCount));
- else
+ if (m_animationElement->isAccumulated() && repeatCount) {
+ const SVGTransform effectiveToAtEnd = toAtEndOfDurationTransformList.size() ? toAtEndOfDurationTransformList[0] : SVGTransform(toTransform.type(), SVGTransform::ConstructZeroTransform);
+ animatedTransformList.append(SVGTransformDistance::addSVGTransforms(currentTransform, effectiveToAtEnd, repeatCount));
+ } else
animatedTransformList.append(currentTransform);
}
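Review bot: In the accumulate branch, the new `effectiveToAtEnd` line repeats the `SVGTransform(toTransform.type(), SVGTransform::ConstructZeroTransform)` fallback already used for `effectiveFrom`, and nothing in the code says why a zero transform is the right stand-in when `toAtEndOfDurationTransformList` is empty. Suggest a one-line comment (the ChangeLog mentions WK110706 for the general handling) and a single local for the zero transform that both lines share. Separately, `toTransformList[0]` in the context line above is indexed with no size check visible in this hunk; worth confirming it is guarded earlier in the function, since this is the same class of out-of-bounds access.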