RESOLVED FIXED Bug 143903
SVGFitToViewBox::viewBoxToViewTransform() has to count for zero physical width and height before calling SVGPreserveAspectRatio::getCTM() 
https://bugs.webkit.org/show_bug.cgi?id=143903
Summary SVGFitToViewBox::viewBoxToViewTransform() has to count for zero physical widt...
Said Abou-Hallawa
Reported 2015-04-17 16:34:19 PDT
Created attachment 251068 [details] Test case (will crash on Mac) If SVGPreserveAspectRatio::getCTM() receives zero width or height, the returned transformation might have a=0, d=0 or e=f=NaN. This makes the transformation is non-invertible. CG path functions assert and might crash, if they encounter such transformation.
Attachments
Test case (will crash on Mac) (244 bytes, text/html)
2015-04-17 16:34 PDT, Said Abou-Hallawa 		no flags
Details
Patch (4.66 KB, patch)
2015-04-17 17:13 PDT, Said Abou-Hallawa 		no flags
DetailsFormatted DiffDiff
Patch (4.66 KB, patch)
2015-04-17 18:57 PDT, Said Abou-Hallawa 		no flags
DetailsFormatted DiffDiff
Patch (5.82 KB, patch)
2015-04-20 11:19 PDT, Said Abou-Hallawa 		no flags
DetailsFormatted DiffDiff
Patch (5.74 KB, patch)
2015-04-20 11:53 PDT, Said Abou-Hallawa 		no flags
DetailsFormatted DiffDiff
Patch (5.74 KB, patch)
2015-04-20 12:48 PDT, Said Abou-Hallawa 		no flags
DetailsFormatted DiffDiff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.
Said Abou-Hallawa
Comment 1 2015-04-17 17:13:54 PDT
Created attachment 251075 [details] Patch
Said Abou-Hallawa
Comment 2 2015-04-17 18:57:09 PDT
Created attachment 251078 [details] Patch
Said Abou-Hallawa
Comment 3 2015-04-20 11:19:36 PDT
Created attachment 251168 [details] Patch
Said Abou-Hallawa
Comment 4 2015-04-20 11:33:00 PDT
* If an SVG has the following root element: <svg viewBox="0 0 10000000000000000000000000000000000000 1" width="1" height="1"> where the width = 1e+38. The viewBoxToView transformation will still have an invertible matrix without this patch. The scaling will be 1e-38 which is a valid float value. * If we increase the width by making it 1e+39 like the following: <svg viewBox="0 0 100000000000000000000000000000000000000 1" width="1" height="1"> The viewBox will be all [0 0 0 0]. The reason is SVGFitToViewBox::parseViewBox() calls parseNumber() which calls genericParseNumber(). The later function bails out early if the number overflows. So this case is also fine without this patch. * If we explicitly say the width is zero like the following: <svg viewBox="0 0 100 1" width="0" height="1"> the viewBoxToView transform was not be invertible but the good thing is this SVG will be omitted from display because the width is zero. So without this patch, we were not going to crash even though the calculation was wrong. With this patch, the viewBoxToView transform will be the identity but this has no effect on the display since the SVG will not be displayed anyway.
Daniel Bates
Comment 5 2015-04-20 11:44:54 PDT
Comment on attachment 251168 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=251168&action=review > Source/WebCore/ChangeLog:3 > + SVGFitToViewBox::viewBoxToViewTransform() has to count for zero physical width and height before calling SVGPreserveAspectRatio::getCTM(). Minor: Remove the period at the end of this line to match the bug title. > Source/WebCore/ChangeLog:10 > + invertible matrix Missing period at the end of this sentence.
Said Abou-Hallawa
Comment 6 2015-04-20 11:53:44 PDT
Created attachment 251178 [details] Patch
WebKit Commit Bot
Comment 7 2015-04-20 12:43:44 PDT
Comment on attachment 251178 [details] Patch Rejecting attachment 251178 [details] from commit-queue. Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.appspot.com', '--bot-id=webkit-cq-02', 'validate-changelog', '--check-oops', '--non-interactive', 251178, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit ChangeLog entry in LayoutTests/ChangeLog contains OOPS!. Full output: http://webkit-queues.appspot.com/results/5079594059169792
Said Abou-Hallawa
Comment 8 2015-04-20 12:48:35 PDT
Created attachment 251183 [details] Patch
WebKit Commit Bot
Comment 9 2015-04-20 13:44:20 PDT
Comment on attachment 251183 [details] Patch Clearing flags on attachment: 251183 Committed r183026: <http://trac.webkit.org/changeset/183026>
WebKit Commit Bot
Comment 10 2015-04-20 13:44:24 PDT
All reviewed patches have been landed. Closing bug.
Said Abou-Hallawa
Comment 11 2015-04-20 13:46:30 PDT
<rdar://problem/19005137>
Note You need to log in before you can comment on or make changes to this bug.