We should do fuzz-testing of SVG parsers to make sure we've addressed possible overflow bugs. Maybe also more code review. This applies to at least the following parsers:

- paths
- SVGTransformable::parseTransformAttribute
- SVGLengthList::parse
- SVGNumberList::parse
- SVGStringList::parse
- SVGPreserveAspectRatio::parsePreserveAspectRatio
- SVGColor.cpp parseNumberOrPercent
- SVGColor::colorFromRGBColorString
- SVGFitToViewBox::parseViewBox
- SVGLength::setValueAsString
- SVGParserUtilities.cpp parseNumber
- SVGParserUtilities.cpp parseNumberOptionalNumber
- SVGPolyParser::parsePoints
- SVGPathParser::parseSVG
- CSSParser::parseSVGStrokeDasharray
- CSSParser::parseSVGPaint
- CSSParser::parseSVGColor
- CSSParser::parseSVGValue

Parsers that are only relevant to experimental features (so testing them isn't a P1):

- SVGAnimationElement::parseKeyNumbers
- SVGAnimationElement parseValues, parseKeySplines
- SVGAnimationElement::parseBeginOrEndValue
- SVGAnimationElement::parseClockValue
- SVGAnimateMotionElement.cpp parsePoint static function
<rdar://problem/5021699>
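A grammar-aware test-case generator for the attribute families the report lists, added here as an example; it is not code from the report or from WebKit. One well-formed seed value per parser family (path data, transform list, length list, number list, viewBox, preserveAspectRatio, color/paint, points, stroke-dasharray, a single length) is mutated with strategies aimed at the overflow classes a hand-written number parser is prone to: digit runs far past any fixed-width accumulator, exponent abuse, stacked signs and dots, lists far longer than a stack buffer, unbalanced parentheses, missing separators. The seed values, element choices, mutation strategies and file naming are all assumptions of the example; the output is a directory of standalone SVG files to load in a browser or a parser harness under a crash or malloc-debugging detector.

```python
"""Grammar-aware test-case generator for fuzzing SVG attribute parsers.

Added example, not code from the bug report or from WebKit. Seeds, mutation
strategies and element choices are constructed here.
"""
import os
import random
import re
from xml.sax.saxutils import quoteattr
import xml.etree.ElementTree as ET

# (element, attribute) -> well-formed seed value; one per parser family in the report.
SEEDS = {
    ("path", "d"): "M10 10 L90 90 C20 20,40 20,50 10 Z",              # path data parser
    ("rect", "transform"): "translate(10,20) rotate(30) scale(2,0.5)",  # transform attribute
    ("text", "x"): "10 20 30 40",                                       # length list
    ("text", "rotate"): "0 45 90",                                      # number list
    ("svg", "viewBox"): "0 0 100 100",                                  # viewBox
    ("svg", "preserveAspectRatio"): "xMidYMid meet",                    # preserveAspectRatio
    ("rect", "fill"): "rgb(10%, 20%, 30%)",                             # rgb color / paint
    ("polygon", "points"): "0,0 50,0 50,50 0,50",                       # points list
    ("rect", "stroke-dasharray"): "5, 10 15",                           # dasharray
    ("rect", "width"): "50%",                                           # single length
}

NUMBER_RE = re.compile(r"[-+]?(\d+\.?\d*|\.\d+)([eE][-+]?\d+)?%?")


def tokenize(value):
    """Split into alternating [token, separator, token, ...] pieces, keeping the
    separators so the value can be reassembled after a token is mutated."""
    return re.split(r"([,\s()]+)", value)


def strip_separators(value):
    """Drop every comma and whitespace so numbers run into each other."""
    return re.sub(r"[,\s]+", "", value)


def mutate_number(rng, tok):
    """Return a malformed numeric token aimed at fixed-size accumulators,
    exponent handling, sign/dot loops and unit-suffix checks."""
    strategies = [
        lambda t: "9" * rng.randint(20, 600),                                          # digit run past 32/64-bit range
        lambda t: t + "e" + rng.choice(["+", "-", ""]) + str(rng.randint(300, 99999)),  # exponent overflow
        lambda t: rng.choice(["+-", "-+", "--", "++"]) * rng.randint(1, 8) + t,        # stacked signs
        lambda t: "." * rng.randint(1, 5) + t + ".",                                    # dot abuse
        lambda t: "0." + "0" * rng.randint(50, 500) + "1",                              # very long fraction
        lambda t: t + rng.choice(["%", "px", "em", "%%", "pxpx", "e"]),                 # unit / percent suffix
        lambda t: rng.choice(["inf", "nan", "-inf", "0x7fffffff", "4294967296", "-2147483649"]),
        lambda t: t[: max(1, len(t) // 2)] if len(t) > 1 else t + "9",                  # truncated token
    ]
    return rng.choice(strategies)(tok)


def mutate_value(rng, value):
    """Apply one token-level or one whole-value mutation to a seed value."""
    pieces = tokenize(value)
    numeric_idx = [i for i in range(0, len(pieces), 2) if NUMBER_RE.fullmatch(pieces[i])]
    whole = [
        strip_separators,
        lambda v: " ".join([v] * rng.randint(20, 500)),   # list far longer than any fixed-size buffer
        lambda v: v + ")" * rng.randint(1, 50),            # unbalanced closing parens (transform / rgb)
        lambda v: "rgb(" + v,                              # unterminated function call
        lambda v: v + " " + rng.choice(["Z", "M", "matrix(", "xMaxYMax", "slice", "#", "url("]),
        lambda v: re.sub(r"\s", lambda m: rng.choice(["\u00a0", "\u2028", "\t\r\n"]), v),  # odd whitespace
        lambda v: "".join(rng.sample(v, len(v))),          # shuffled characters
    ]
    if numeric_idx and rng.random() < 0.6:
        for i in rng.sample(numeric_idx, rng.randint(1, len(numeric_idx))):
            pieces[i] = mutate_number(rng, pieces[i])
        return "".join(pieces)
    return rng.choice(whole)(value)


def build_svg(tag, attr, value):
    """Wrap one attribute value in a minimal, well-formed SVG document, so the
    XML layer does not reject the case before the SVG attribute parser sees it."""
    ns = 'xmlns="http://www.w3.org/2000/svg"'
    qv = quoteattr(value)
    if tag == "svg":
        return f'<svg {ns} {attr}={qv}><rect width="10" height="10"/></svg>'
    text = "fuzz" if tag == "text" else ""
    return f'<svg {ns} width="100" height="100"><{tag} {attr}={qv}>{text}</{tag}></svg>'


def is_well_formed(doc):
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False


def generate_corpus(seed, count):
    """Deterministically produce `count` (filename, document) pairs."""
    rng = random.Random(seed)
    families = sorted(SEEDS.items())
    cases = []
    for i in range(count):
        (tag, attr), base = rng.choice(families)
        doc = build_svg(tag, attr, mutate_value(rng, base))
        cases.append((f"case{i:05d}_{tag}_{attr}.svg", doc))
    return cases


def write_corpus(directory, seed=0, count=200):
    """Write the corpus to disk for loading into the browser or a parser harness."""
    os.makedirs(directory, exist_ok=True)
    for name, doc in generate_corpus(seed, count):
        with open(os.path.join(directory, name), "w", encoding="utf-8") as f:
            f.write(doc)
    return count


if __name__ == "__main__":
    print(write_corpus("svg-fuzz-corpus", seed=1, count=200), "cases written")
```

The seed is part of the filename scheme's determinism: a case that crashes can be regenerated from its seed and index instead of being kept as a binary blob. Every document is checked for XML well-formedness before it is written, because a case the XML parser rejects never reaches the SVG attribute parsers under test and only wastes a run.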
Geoff took care of this and closed the Radar bug on 3/21.