Title: [183026] trunk
Revision: 183026
Author: commit-qu...@webkit.org
Date: 2015-04-20 13:43:13 -0700 (Mon, 20 Apr 2015)

Log Message

SVGFitToViewBox::viewBoxToViewTransform() has to count for zero physical width and height before calling SVGPreserveAspectRatio::getCTM()
https://bugs.webkit.org/show_bug.cgi?id=143903

Patch by Said Abou-Hallawa <sabouhall...@apple.com> on 2015-04-20
Reviewed by Daniel Bates.

Source/WebCore:

Ensure that the SVG viewBoxToView transformation is always invertible.
CG path drawing functions crash if the context is transformed to non-
invertible matrix.

Tests: svg/css/crash-path-zero-height-viewbox.svg
       svg/css/crash-path-zero-width-viewbox.svg

* svg/SVGFitToViewBox.cpp:
(WebCore::SVGFitToViewBox::viewBoxToViewTransform):
Do not call SVGPreserveAspectRatio::getCTM() if the physical width or the
physical height is zero.

* svg/SVGPreserveAspectRatio.cpp:
(WebCore::SVGPreserveAspectRatio::getCTM):
Ensure that we are not dividing by zero in this function.

LayoutTests:

* svg/css/crash-path-zero-height-viewbox-expected.txt: Added.
* svg/css/crash-path-zero-height-viewbox.svg: Added.
* svg/css/crash-path-zero-width-viewbox-expected.txt: Added.
* svg/css/crash-path-zero-width-viewbox.svg: Added.
Make sure if the physical width or the physical height of an SVG is zero
and a viewBox is specified, we do not crash.

Diff

Modified: trunk/LayoutTests/ChangeLog (183025 => 183026)


--- trunk/LayoutTests/ChangeLog	2015-04-20 20:25:56 UTC (rev 183025)
+++ trunk/LayoutTests/ChangeLog	2015-04-20 20:43:13 UTC (rev 183026)
@@ -1,3 +1,17 @@
+2015-04-20  Said Abou-Hallawa  <sabouhall...@apple.com>
+
+        SVGFitToViewBox::viewBoxToViewTransform() has to count for zero physical width and height before calling SVGPreserveAspectRatio::getCTM()
+        https://bugs.webkit.org/show_bug.cgi?id=143903
+
+        Reviewed by Daniel Bates.
+
+        * svg/css/crash-path-zero-height-viewbox-expected.txt: Added.
+        * svg/css/crash-path-zero-height-viewbox.svg: Added.
+        * svg/css/crash-path-zero-width-viewbox-expected.txt: Added.
+        * svg/css/crash-path-zero-width-viewbox.svg: Added.
+        Make sure if the physical width or the physical height of an SVG is zero
+        and a viewBox is specified, we do not crash.
+
 2015-04-20  Joseph Pecoraro  <pecor...@apple.com>
 
         Web Inspector: Improve Support for WeakSet in Console

Added: trunk/LayoutTests/svg/css/crash-path-zero-height-viewbox-expected.txt (0 => 183026)


--- trunk/LayoutTests/svg/css/crash-path-zero-height-viewbox-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/svg/css/crash-path-zero-height-viewbox-expected.txt	2015-04-20 20:43:13 UTC (rev 183026)
@@ -0,0 +1 @@
+PASS

Added: trunk/LayoutTests/svg/css/crash-path-zero-height-viewbox.svg (0 => 183026)


--- trunk/LayoutTests/svg/css/crash-path-zero-height-viewbox.svg	                        (rev 0)
+++ trunk/LayoutTests/svg/css/crash-path-zero-height-viewbox.svg	2015-04-20 20:43:13 UTC (rev 183026)
@@ -0,0 +1,14 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 500 500" width="500" height="500">
+  <style>
+    svg {
+      padding-top: 1000%;
+      box-sizing: border-box;
+    }
+  </style>
+  <script>
+    if (window.testRunner)
+      testRunner.dumpAsText();
+  </script>
+  <polyline points="1 1,2 2"></polyline>
+  <text x="0" y="0">PASS</text>
+</svg>
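
Review bot: the style rule in this test has no comment explaining how it produces a zero-height SVG, which is not obvious when the root element declares width="500" height="500". With box-sizing: border-box, padding-top: 1000% (a percentage that resolves against the containing block's width) exceeds the 500px box and leaves a content area of zero height. A one-line comment saying so, together with the bug URL https://bugs.webkit.org/show_bug.cgi?id=143903, would keep a later cleanup from turning this into a test that no longer reaches the zero physical height path.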

Added: trunk/LayoutTests/svg/css/crash-path-zero-width-viewbox-expected.txt (0 => 183026)


--- trunk/LayoutTests/svg/css/crash-path-zero-width-viewbox-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/svg/css/crash-path-zero-width-viewbox-expected.txt	2015-04-20 20:43:13 UTC (rev 183026)
@@ -0,0 +1 @@
+PASS

Added: trunk/LayoutTests/svg/css/crash-path-zero-width-viewbox.svg (0 => 183026)


--- trunk/LayoutTests/svg/css/crash-path-zero-width-viewbox.svg	                        (rev 0)
+++ trunk/LayoutTests/svg/css/crash-path-zero-width-viewbox.svg	2015-04-20 20:43:13 UTC (rev 183026)
@@ -0,0 +1,14 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 500 500" width="500" height="500">
+  <style>
+    svg {
+      padding-left: 1000%;
+      box-sizing: border-box;
+    }
+  </style>
+  <script>
+    if (window.testRunner)
+      testRunner.dumpAsText();
+  </script>
+  <polyline points="1 1,2 2"></polyline>
+  <text x="0" y="0">PASS</text>
+</svg>

Modified: trunk/Source/WebCore/ChangeLog (183025 => 183026)


--- trunk/Source/WebCore/ChangeLog	2015-04-20 20:25:56 UTC (rev 183025)
+++ trunk/Source/WebCore/ChangeLog	2015-04-20 20:43:13 UTC (rev 183026)
@@ -1,3 +1,26 @@
+2015-04-20  Said Abou-Hallawa  <sabouhall...@apple.com>
+
+        SVGFitToViewBox::viewBoxToViewTransform() has to count for zero physical width and height before calling SVGPreserveAspectRatio::getCTM()
+        https://bugs.webkit.org/show_bug.cgi?id=143903
+
+        Reviewed by Daniel Bates.
+
+        Ensure that the SVG viewBoxToView transformation is always invertible.
+        CG path drawing functions crash if the context is transformed to non-
+        invertible matrix.
+
+        Tests: svg/css/crash-path-zero-height-viewbox.svg
+               svg/css/crash-path-zero-width-viewbox.svg
+
+        * svg/SVGFitToViewBox.cpp:
+        (WebCore::SVGFitToViewBox::viewBoxToViewTransform):
+        Do not call SVGPreserveAspectRatio::getCTM() if the physical width or the
+        physical height is zero.
+
+        * svg/SVGPreserveAspectRatio.cpp:
+        (WebCore::SVGPreserveAspectRatio::getCTM):
+        Ensure that we are not dividing by zero in this function.
+
 2015-04-20  Chris Dumez  <cdu...@apple.com>
 
         CSSParser::parseValue() copies the m_parsedProperties vector at addParsedProperties()

Modified: trunk/Source/WebCore/svg/SVGFitToViewBox.cpp (183025 => 183026)


--- trunk/Source/WebCore/svg/SVGFitToViewBox.cpp	2015-04-20 20:25:56 UTC (rev 183025)
+++ trunk/Source/WebCore/svg/SVGFitToViewBox.cpp	2015-04-20 20:43:13 UTC (rev 183026)
@@ -79,7 +79,7 @@
 
 AffineTransform SVGFitToViewBox::viewBoxToViewTransform(const FloatRect& viewBoxRect, const SVGPreserveAspectRatio& preserveAspectRatio, float viewWidth, float viewHeight)
 {
-    if (!viewBoxRect.width() || !viewBoxRect.height())
+    if (!viewBoxRect.width() || !viewBoxRect.height() || !viewWidth || !viewHeight)
         return AffineTransform();
 
     return preserveAspectRatio.getCTM(viewBoxRect.x(), viewBoxRect.y(), viewBoxRect.width(), viewBoxRect.height(), viewWidth, viewHeight);
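
Review bot: the added `!viewWidth || !viewHeight` test in viewBoxToViewTransform() rejects only an exact zero. A negative or NaN viewWidth or viewHeight is non-zero, so it passes this guard and still reaches getCTM(), which means the check alone does not back the ChangeLog's claim that the transform is "always invertible". If callers can produce such values, consider rejecting them here as well (for example viewWidth <= 0 combined with std::isfinite()), or add a comment stating that callers guarantee non-negative finite sizes.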

Modified: trunk/Source/WebCore/svg/SVGPreserveAspectRatio.cpp (183025 => 183026)


--- trunk/Source/WebCore/svg/SVGPreserveAspectRatio.cpp	2015-04-20 20:25:56 UTC (rev 183025)
+++ trunk/Source/WebCore/svg/SVGPreserveAspectRatio.cpp	2015-04-20 20:43:13 UTC (rev 183026)
@@ -275,6 +275,11 @@
 AffineTransform SVGPreserveAspectRatio::getCTM(float logicalX, float logicalY, float logicalWidth, float logicalHeight, float physicalWidth, float physicalHeight) const
 {
     AffineTransform transform;
+    if (!logicalWidth || !logicalHeight || !physicalWidth || !physicalHeight) {
+        ASSERT_NOT_REACHED();
+        return transform;
+    }
+
     if (m_align == SVG_PRESERVEASPECTRATIO_UNKNOWN)
         return transform;
 