WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED INVALID
106432
[Qt] WebKit crashes in QPainterPath::elementAt()
https://bugs.webkit.org/show_bug.cgi?id=106432
Summary
[Qt] WebKit crashes in QPainterPath::elementAt()
Renata Hodovan
Reported
2013-01-09 02:39:19 PST
During SVG fuzzing I got a crash in QPainterPath::elementAt() function. The used test is attached. Backtrace: Program received signal SIGSEGV, Segmentation fault. 0x00007fffe9608dfe in QPainterPath::elementAt(int) const () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5 (gdb) bt #0 0x00007fffe9608dfe in QPainterPath::elementAt(int) const () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5 #1 0x00007fffe961d674 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5 #2 0x00007fffe961e75c in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5 #3 0x00007fffe961ea69 in QPathClipper::intersect(QPainterPath const&, QRectF const&) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5 #4 0x00007fffe961fbb5 in QPathClipper::clip(QPathClipper::Operation) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5 #5 0x00007fffe960de6f in QPainterPath::intersected(QPainterPath const&) const () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5 #6 0x00007fffe95d3942 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5 #7 0x00007fffe95d29d8 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5 #8 0x00007fffe95d3d3b in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5 #9 0x00007fffe95ebfd8 in QRasterPaintEngine::fill(QVectorPath const&, QBrush const&) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5 #10 0x00007fffe9608142 in QPainter::fillPath(QPainterPath const&, QBrush const&) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5 #11 0x00007ffff48292dc in fillPathStroke (painter=0x7fffffffbce0, pathStroker=..., platformPath=..., brush=...) at /home/reni/WebKit-git/Source/WebCore/platform/graphics/qt/GraphicsContextQt.cpp:597 #12 0x00007ffff4829a0e in WebCore::GraphicsContext::strokePath (this=0x7fffffffba90, path=...) at /home/reni/WebKit-git/Source/WebCore/platform/graphics/qt/GraphicsContextQt.cpp:653 #13 0x00007ffff4994506 in WebCore::RenderSVGShape::strokeShape (this=0x9ab928, context=0x7fffffffba90) at /home/reni/WebKit-git/Source/WebCore/rendering/svg/RenderSVGShape.cpp:98 #14 0x00007ffff4991d87 in WebCore::RenderSVGPath::strokeShape (this=0x9ab928, context=0x7fffffffba90) at /home/reni/WebKit-git/Source/WebCore/rendering/svg/RenderSVGPath.cpp:85 #15 0x00007ffff49b932b in WebCore::RenderSVGResourceSolidColor::postApplyResource (this=0x6855d0, context=@0x7fffffffa188, resourceMode=4, path=0x0, shape=0x9ab928) at /home/reni/WebKit-git/Source/WebCore/rendering/svg/RenderSVGResourceSolidColor.cpp:105 #16 0x00007ffff4994ef3 in WebCore::RenderSVGShape::strokeShape (this=0x9ab928, style=0x724440, context=0x7fffffffba90) at /home/reni/WebKit-git/Source/WebCore/rendering/svg/RenderSVGShape.cpp:241 #17 0x00007ffff4995058 in WebCore::RenderSVGShape::fillAndStrokeShape (this=0x9ab928, context=0x7fffffffba90) at /home/reni/WebKit-git/Source/WebCore/rendering/svg/RenderSVGShape.cpp:268 ...
Attachments
Test
(333 bytes, image/svg+xml)
2013-01-09 02:41 PST
,
Renata Hodovan
no flags
Details
View All
Add attachment
proposed patch, testcase, etc.
Renata Hodovan
Comment 1
2013-01-09 02:41:14 PST
Created
attachment 181883
[details]
Test
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug