Bug 20457

Summary: Canvas: createPattern crashes WebKit with a 1D pattern
Product: WebKit Reporter: Dirk Schulze <krit>
Component: DOM Assignee: Anders Carlsson <andersca>
Status: RESOLVED FIXED    
Severity: Normal Keywords: HasReduction, InRadar
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: OS X 10.5   
URL: http://philip.html5.org/tests/canvas/suite/tests/2d.pattern.basic.zerocanvas.html
Attachments:
Patch (flags: mjs: review+)

Description Dirk Schulze 2008-08-20 06:01:50 PDT
If you create a 1 dimensional (width==0 || height==0) Pattern in Canvas, WebKit will crash.
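As an added example (not code from this bug or from the WebKit patch), the usability check the canvas spec requires for createPattern(): a canvas source with a zero width or height must raise InvalidStateError rather than being handed to the backend image buffer. The context and canvas stand-ins are constructed so the check runs outside a browser.

```javascript
// Added example: spec-style validation of createPattern()'s source argument.
// A zero-sized canvas source must fail with InvalidStateError instead of
// reaching the backend (where the reported crash occurred).

class InvalidStateError extends Error {
  constructor(message) {
    super(message);
    this.name = "InvalidStateError";
  }
}

// True when `source` is a canvas-like object with a zero dimension.
function isZeroSizedCanvas(source) {
  return Number(source.width) === 0 || Number(source.height) === 0;
}

// Wrapper around a 2D context's createPattern that validates the source
// first. `ctx` and `source` are assumed to be a CanvasRenderingContext2D and
// an HTMLCanvasElement (or objects shaped like them, as in the stand-ins).
function createPatternChecked(ctx, source, repetition = "repeat") {
  if (isZeroSizedCanvas(source)) {
    throw new InvalidStateError(
      `createPattern: source canvas is ${source.width}x${source.height}`);
  }
  // An empty or null repetition means "repeat" per the spec.
  if (repetition === "" || repetition === null) repetition = "repeat";
  const allowed = ["repeat", "repeat-x", "repeat-y", "no-repeat"];
  if (!allowed.includes(repetition)) {
    throw new SyntaxError(`createPattern: bad repetition "${repetition}"`);
  }
  return ctx.createPattern(source, repetition);
}

// Constructed stand-ins so the check can be exercised without a browser.
function makeFakeCanvas(width, height) {
  return { width, height };
}
const fakeContext = {
  createPattern(source, repetition) {
    return { source, repetition };
  },
};
```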
Comment 1 Alexey Proskuryakov 2008-08-20 06:33:06 PDT
Reproducible crash -> P1.

Thread 0 Crashed:
0   com.apple.WebCore             	0x0322d99d WTF::RefPtr<WebCore::Image>::operator!() const + 9 (RefPtr.h:63)
1   com.apple.WebCore             	0x034aaa81 WebCore::ImageBuffer::image() const + 27 (ImageBufferCG.cpp:99)
2   com.apple.WebCore             	0x032340f7 WebCore::CanvasRenderingContext2D::createPattern(WebCore::HTMLCanvasElement*, WebCore::String const&, int&) + 135 (CanvasRenderingContext2D.cpp:1154)
3   com.apple.WebCore             	0x034f431d WebCore::JSCanvasRenderingContext2D::createPattern(KJS::ExecState*, KJS::ArgList const&) + 545 (JSCanvasRenderingContext2DCustom.cpp:328)
4   com.apple.WebCore             	0x034eff04 WebCore::jsCanvasRenderingContext2DPrototypeFunctionCreatePattern(KJS::ExecState*, KJS::JSObject*, KJS::JSValue*, KJS::ArgList const&) + 96 (JSCanvasRenderingContext2D.cpp:780)
Comment 2 Mark Rowe (bdash) 2008-08-20 15:07:44 PDT
<rdar://problem/6163988>
Comment 3 Anders Carlsson 2008-09-15 02:47:53 PDT
Created attachment 23434 [details]
Patch
Comment 4 Maciej Stachowiak 2008-09-15 02:49:24 PDT
Comment on attachment 23434 [details]
Patch

r=me
Comment 5 Anders Carlsson 2008-09-15 04:36:15 PDT
Committed revision 36442.