Bug 30313

Summary: NULL ptr in SVGPathSegList::getPathSegAtLength()
Product: WebKit
Reporter: Berend-Jan Wever <skylined>
Component: SVG
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: aroben, eric, oliver, webkit.review.bot
Priority: P1
Keywords: GoogleBug, HasReduction, InRadar
Version: 528+ (Nightly build)
Hardware: PC
OS: Windows Vista
URL: http://skypher.com/SkyLined/Repro/WebKit/Bug%2030313%20-%20NULL%20ptr%20in%20SVGPathSegList..getPathSegAtLength()/repro.html
Attachments:
Description: Patch
Flags: mjs: review+

Berend-Jan Wever
Reported 2009-10-12 14:20:25 PDT
Repro:

    <SCRIPT>
      SVGPathElement = document.createElementNS("http://www.w3.org/2000/svg", "path");
      SVGPathElement.pathSegList.initialize();
      SVGPathElement.getPathSegAtLength(2699076708.473027);
    </SCRIPT>

In the below code, "getItem(i, ec).get();" returns NULL, which is not handled properly, so "segment->pathSegType()" gets called and a NULL ptr read exception is thrown.

    unsigned SVGPathSegList::getPathSegAtLength(double)
    {
        // FIXME : to be useful this will need to support non-normalized SVGPathSegLists
        ExceptionCode ec = 0;
        int len = numberOfItems();
        // FIXME: Eventually this will likely move to a "path applier"-like model, until then PathTraversalState is less useful as we could just use locals
        PathTraversalState traversalState(PathTraversalState::TraversalSegmentAtLength);
        for (int i = 0; i < len; ++i) {
            SVGPathSeg* segment = getItem(i, ec).get();
            float segmentLength = 0;
            switch (segment->pathSegType()) {
            <snip>
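The null-dereference pattern from the description and a null-checked form of the same loop, as an added stand-alone example (not WebKit's code and not the patch attached to this bug): `PathSeg`, `PathSegList` and the "stop at the first null item" behaviour are constructed assumptions that only model the shape of the bug, where `initialize()` with no argument leaves a null entry in the list.

```cpp
#include <memory>
#include <vector>

// Constructed stand-in for an SVG path segment (not WebKit's SVGPathSeg).
struct PathSeg {
    char type;     // constructed: e.g. 'M' (moveto) or 'L' (lineto)
    float length;  // constructed: length this segment contributes to the path
};

// Constructed stand-in for SVGPathSegList.
struct PathSegList {
    std::vector<std::shared_ptr<PathSeg>> items;

    unsigned numberOfItems() const { return static_cast<unsigned>(items.size()); }

    // Mirrors getItem(i, ec).get() from the bug: a null pointer comes back both
    // for an out-of-range index and for a null entry stored in the list.
    PathSeg* getItem(unsigned i) const {
        return i < items.size() ? items[i].get() : nullptr;
    }

    // Shape of the buggy loop: the segment is dereferenced without a null check,
    // so a list holding a null entry crashes here (never call this on such a list).
    unsigned getPathSegAtLengthUnchecked(double length) const {
        double traversed = 0;
        for (unsigned i = 0; i < numberOfItems(); ++i) {
            PathSeg* segment = getItem(i);
            traversed += segment->length;  // NULL ptr read when segment is null
            if (traversed >= length)
                return i;
        }
        return numberOfItems() ? numberOfItems() - 1 : 0;
    }

    // Hardened form: a null item ends the traversal and the last valid index is
    // returned (assumed policy for this example, chosen only to avoid the deref).
    unsigned getPathSegAtLength(double length) const {
        double traversed = 0;
        for (unsigned i = 0; i < numberOfItems(); ++i) {
            PathSeg* segment = getItem(i);
            if (!segment)
                return i ? i - 1 : 0;
            traversed += segment->length;
            if (traversed >= length)
                return i;
        }
        return numberOfItems() ? numberOfItems() - 1 : 0;
    }
};

// Constructed list matching the repro: initialize() with no argument leaves one null item.
PathSegList reproList() {
    PathSegList list;
    list.items.push_back(nullptr);
    return list;
}
```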
Attachments
Patch (11.45 KB, patch)
2009-12-03 01:03 PST, Oliver Hunt
mjs: review+
Mark Rowe (bdash)
Comment 1 2009-10-12 18:51:46 PDT
Oliver Hunt
Comment 2 2009-12-03 01:03:27 PST
WebKit Review Bot
Comment 3 2009-12-03 01:08:15 PST
style-queue ran check-webkit-style on attachment 44213 [details] without any errors.
Maciej Stachowiak
Comment 4 2009-12-03 01:15:34 PST
Comment on attachment 44213 [details] Patch r=me
Oliver Hunt
Comment 5 2009-12-03 01:22:56 PST
Committed r51627
Adam Roben (:aroben)
Comment 6 2009-12-03 07:36:04 PST
This caused bug 32117.
Alexey Proskuryakov
Comment 7 2009-12-03 11:34:33 PST
Looks like this should be marked as resolved. Please reopen and explain if it shouldn't.