Bug 135040

Summary: inserting an SVGLength that is already in an SVGAnimatedLengthList::animVal into another list causes a crash
Product: WebKit Reporter: Cameron McCormack (:heycam) <heycam>
Component: SVGAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: darin, krit, sabouhallawa, zimmermann, zoltan
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
URL: http://mcc.id.au/temp/list4.html
Attachments:
Description Flags
local copy of test case none

Cameron McCormack (:heycam)
Reported 2014-07-17 23:11:24 PDT
STR: 1. Load the URL. 2. Crash. Attempting to insert an SVGLength that came from an SVGAnimatedLengthList's animVal into another SVGLengthList will cause a crash. I haven't looked to see if the crash is serious. Tested with Safari 7.0.5 (9537.77.4).
Attachments
local copy of test case (1.28 KB, text/html)
2014-07-19 23:31 PDT, Darin Adler 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Darin Adler
Comment 1 2014-07-19 22:32:54 PDT
This crash is a null dereference; I doubt there is any security implication, and I suspect this is mis-categorized as a security bug. The bug seems to be in code in SVGListPropertyTearOff::processIncomingListItemWrapper, which calls SVGAnimatedListPropertyTearOff::findItem, which can’t handle an m_baseVal of nullptr. If I knew this code better, I might suggest fixing this by calling baseVal() inside findItem and in removeItemFromList rather than accessing m_baseVal directly.
Dirk Schulze
Comment 2 2014-07-19 23:23:34 PDT
(In reply to comment #1) > This crash is a null dereference; I doubt there is any security implication, and I suspect this is mis-categorized as a security bug. > > The bug seems to be in code in SVGListPropertyTearOff::processIncomingListItemWrapper, which calls SVGAnimatedListPropertyTearOff::findItem, which can’t handle an m_baseVal of nullptr. If I knew this code better, I might suggest fixing this by calling baseVal() inside findItem and in removeItemFromList rather than accessing m_baseVal directly. I asked Cameron to open it as security bug since I couldn't test it myself yet. If you have evidence that it is a normal crash, please re-categorize it.
Darin Adler
Comment 3 2014-07-19 23:30:21 PDT
OK, done.
Darin Adler
Comment 4 2014-07-19 23:31:03 PDT
Created attachment 235179 [details] local copy of test case
Darin Adler
Comment 5 2014-07-19 23:31:29 PDT
Crashes after trying to access a data member of m_baseVal, which is nullptr.
Zoltan Horvath
Comment 6 2014-12-09 16:00:17 PST
Blink doesn't have the issue, probably because of some refactoring on this code. Merge candidate tracked in: https://bugs.webkit.org/show_bug.cgi?id=125888
Said Abou-Hallawa
Comment 7 2019-05-06 12:40:15 PDT
After https://bugs.webkit.org/show_bug.cgi?id=191237 is fixed and when opening the attached test case in WebKit, I get the following output: appending an SVG item that is in an animVal list of another element: - animVal list item remained the same object - an item was appended - the appended item was a copy of the animVal list item This is complies with SVG 2 specs: https://www.w3.org/TR/SVG2/types.html#__svg__SVGNameList__appendItem. Also this is the behavior of FireFox. *** This bug has been marked as a duplicate of bug 191237 ***
Note You need to log in before you can comment on or make changes to this bug.