Bug 12365 - Reproducible crash in WebCore::SVGPreserveAspectRatio::parsePreserveAspectRatio in svg/W3C-SVG-1.1/animate-elem-40-t.svg under guard malloc
Summary: Reproducible crash in WebCore::SVGPreserveAspectRatio::parsePreserveAspectRat...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: SVG (show other bugs)
Version: 420+
Hardware: Mac OS X 10.4
: P1 Major
Assignee: Darin Adler
URL: http://build.webkit.org/post-commit-p...
Keywords: LayoutTestFailure
: 11408 (view as bug list)
Depends on:
Blocks:
 
Reported: 2007-01-22 09:20 PST by David Kilzer (:ddkilzer)
Modified: 2007-06-24 12:04 PDT (History)
4 users (show)

See Also:

Attachments
fix for buffer overrun (7.19 KB, patch)
2007-01-23 09:44 PST, Darin Adler 		mjs: review-
Details | Formatted Diff | Diff
patch to fix buffer overrun, including a new test and change log (47.05 KB, patch)
2007-01-24 22:36 PST, Darin Adler 		mjs: review+
Details | Formatted Diff | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description David Kilzer (:ddkilzer) 2007-01-22 09:20:42 PST 
To reproduce:

./WebKitTools/Scripts/run-webkit-tests --debug --guard-malloc LayoutTests/svg/W3C-SVG-1.1/animate-elem-40-t.svg

Crashes with:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0xcb612000

Thread 0 Crashed:
0   com.apple.WebCore           0x010a6c49 WebCore::SVGPreserveAspectRatio::parsePreserveAspectRatio(WebCore::String con
st&) + 779 (SVGPreserveAspectRatio.cpp:151)
1   com.apple.WebCore           0x0108dacc WebCore::SVGImageElement::parseMappedAttribute(WebCore::MappedAttribute*) + 3
42 (SVGImageElement.cpp:74)
2   com.apple.WebCore           0x0123fc71 WebCore::StyledElement::attributeChanged(WebCore::Attribute*, bool) + 489 (St
yledElement.cpp:180)
3   com.apple.WebCore           0x010b06c0 WebCore::SVGStyledElement::attributeChanged(WebCore::Attribute*, bool) + 38 (
SVGStyledElement.cpp:226)
4   com.apple.WebCore           0x012450db WebCore::NamedAttrMap::addAttribute(WebCore::Attribute*) + 289 (NamedAttrMap.
cpp:289)
5   com.apple.WebCore           0x01248858 WebCore::Element::setAttribute(WebCore::QualifiedName const&, WebCore::String
Impl*, int&) + 368 (Element.cpp:397)
6   com.apple.WebCore           0x0124898a WebCore::Element::setAttributeNS(WebCore::String const&, WebCore::String cons
t&, WebCore::String const&, int&) + 202 (Element.cpp:807)
7   com.apple.WebCore           0x0102af5b WebCore::handleElementAttributes(WebCore::Element*, unsigned char const**, in
t, int&) + 431 (XMLTokenizer.cpp:625)
8   com.apple.WebCore           0x0102dff1 WebCore::XMLTokenizer::startElementNs(unsigned char const*, unsigned char con
st*, unsigned char const*, int, unsigned char const**, int, int, unsigned char const**) + 723 (XMLTokenizer.cpp:670)
9   com.apple.WebCore           0x0102e443 WebCore::startElementNsHandler(void*, unsigned char const*, unsigned char con
st*, unsigned char const*, int, unsigned char const**, int, int, unsigned char const**) + 95 (XMLTokenizer.cpp:985)
10  libxml2.2.dylib             0x9293dc9d xmlParseStartTag + 8465
11  libxml2.2.dylib             0x9291d69b xmlParseChunk + 1912
12  com.apple.WebCore           0x0102b15c WebCore::XMLTokenizer::write(WebCore::SegmentedString const&, bool) + 314 (XM
LTokenizer.cpp:570)
13  com.apple.WebCore           0x013b61d1 WebCore::FrameLoader::write(char const*, int, bool) + 923 (FrameLoader.cpp:88
2)
14  com.apple.WebCore           0x013b6303 WebCore::FrameLoader::addData(char const*, int) + 275 (FrameLoader.cpp:1498)
15  com.apple.WebCore           0x010fbe7b -[WebCoreFrameBridge addData:] + 163 (WebCoreFrameBridge.mm:295)
16  com.apple.WebCore           0x010ff43a -[WebCoreFrameBridge receivedData:textEncodingName:] + 250 (WebCoreFrameBridg
e.mm:1584)
17  com.apple.WebKit            0x00232441 -[WebHTMLRepresentation receivedData:withDataSource:] + 199 (WebHTMLRepresent
ation.mm:174)
18  com.apple.WebKit            0x0022dbdb -[WebDataSource(WebInternal) _receivedData:] + 89 (WebDataSource.mm:178)
19  com.apple.WebKit            0x00294495 WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, in
t) + 127 (WebFrameLoaderClient.mm:644)
20  com.apple.WebCore           0x013b2d7b WebCore::FrameLoader::committedLoad(WebCore::DocumentLoader*, char const*, in
t) + 53 (FrameLoader.cpp:2924)
21  com.apple.WebCore           0x013c2df9 WebCore::DocumentLoader::commitLoad(char const*, int) + 87 (DocumentLoader.cp
p:327)
22  com.apple.WebCore           0x013c2e52 WebCore::DocumentLoader::receivedData(char const*, int) + 76 (DocumentLoader.
cpp:340)
23  com.apple.WebCore           0x013b21f7 WebCore::FrameLoader::receivedData(char const*, int) + 41 (FrameLoader.cpp:18
89)
24  com.apple.WebCore           0x013c403c WebCore::MainResourceLoader::addData(char const*, int, bool) + 80 (MainResour
ceLoader.cpp:135)
25  com.apple.WebCore           0x013c5f01 WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) + 
83
26  com.apple.WebCore           0x013c4371 WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool
) + 281 (MainResourceLoader.cpp:304)
27  com.apple.WebCore           0x013c5b68 WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*
, int, int) + 58
28  com.apple.WebCore           0x013a5aaa -[WebCoreResourceHandleAsDelegate connection:didReceiveData:lengthReceived:] 
+ 172 (ResourceHandleMac.mm:350)
29  com.apple.Foundation        0x9265eb86 -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] + 641
30  com.apple.Foundation        0x9265ce67 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 686
31  com.apple.Foundation        0x9265cb41 _sendCallbacks + 201
32  com.apple.CoreFoundation    0x9082afd2 CFRunLoopRunSpecific + 1213
33  com.apple.CoreFoundation    0x9082ab0e CFRunLoopRunInMode + 61
34  com.apple.Foundation        0x9262ddc6 -[NSRunLoop runMode:beforeDate:] + 182
35  DumpRenderTree              0x00008ed6 runTest + 943 (DumpRenderTree.m:1042)
36  DumpRenderTree              0x000060f9 dumpRenderTree + 3355 (DumpRenderTree.m:399)
37  DumpRenderTree              0x00006318 main + 70 (DumpRenderTree.m:450)
38  DumpRenderTree              0x00002102 _start + 216
39  DumpRenderTree              0x00002029 start + 41
Comment 1 mitz 2007-01-22 09:32:36 PST 
See also the original description of bug 11108 and bug 11408.
Comment 2 David Kilzer (:ddkilzer) 2007-01-22 09:40:18 PST 
*** Bug 11408 has been marked as a duplicate of this bug. ***
Comment 3 Darin Adler 2007-01-22 10:05:01 PST 
There are some cases in the function that clearly don't check the end of buffer. Mainly cases where skipOptionalSpaces is called, but its return value is ignored. However, I can't tell from reading the code which of the letters are allowed to be combined, so I'm not posting a patch.

The four cases that are currently wrong are

    'n' or 'x' after a 'd'
    'm' or 's' after a 'd' or 'n' or 'x'
Comment 4 David Kilzer (:ddkilzer) 2007-01-22 15:10:59 PST 
Eric or Rob, please comment on Comment #3.
Comment 5 Eric Seidel (no email) 2007-01-22 15:56:02 PST 
These are the preserveAspectRatio parsing rules:
http://www.w3.org/TR/SVG/coords.html#PreserveAspectRatioAttribute

Ideally we would have a less error-prone way of parsing than the current copy/paste comparisons.
Comment 6 Eric Seidel (no email) 2007-01-22 16:05:55 PST 
I think this parser could just be simplified to use checkString calls at the top level ifs, or at least add a checkChar(currentPtr, end, deferDesc, 0) or similar. which checks the first char, as well as checks to make sure ptr < end.  Something along those lines to make the parser easier to read/code w/o error.

Also, to answer Darin's question, only the middle if section is required for the string to be valid.  both "defer" and "meet-or-slice" are optional.
Comment 7 Darin Adler 2007-01-23 09:44:32 PST 
Created attachment 12628 [details]
fix for buffer overrun
Comment 8 Maciej Stachowiak 2007-01-23 15:13:37 PST 
Someone should make test cases for Darin's untested fixes in this bug.
Comment 9 Maciej Stachowiak 2007-01-24 19:25:59 PST 
Comment on attachment 12628 [details]
fix for buffer overrun

r- for missing tests to get this out of the review queue.
Comment 10 Darin Adler 2007-01-24 22:36:14 PST 
Created attachment 12661 [details]
patch to fix buffer overrun, including a new test and change log
Comment 11 Maciej Stachowiak 2007-01-25 02:38:57 PST 
Comment on attachment 12661 [details]
patch to fix buffer overrun, including a new test and change log

r=me
Comment 12 David Kilzer (:ddkilzer) 2007-06-24 12:04:46 PDT 
Mass removal of NeedsRadar keyword from my bugs that have already been RESOLVED.