Bug 38684 - Incorrect RenderPath object size when large coordinate values encountered
Summary: Incorrect RenderPath object size when large coordinate values encountered
Alias: None
Product: WebKit
Classification: Unclassified
Component: SVG
Version: 528+ (Nightly build)
Hardware: All
OS: OS X 10.5
Importance: P2 Normal
Assignee: Nobody
Duplicates: 38680
Depends on:
Blocks: CVE-2011-0147
Reported: 2010-05-06 13:32 PDT by W. James MacLean
Modified: 2016-10-12 05:43 PDT (History)

See Also:

Attachment 55290: SVG File with large coordinate values (289 bytes, image/svg+xml)
2010-05-06 13:33 PDT, W. James MacLean

Description W. James MacLean 2010-05-06 13:32:05 PDT
Steps to Reproduce:

Render the attached SVG file (mask-excessive-malloc.svg, from the existing layout tests directory)

Actual output: dumping the render tree gives

layer at (0,0) size 800x600
  RenderView at (0,0) size 800x600
layer at (0,0) size 800x600
  RenderSVGRoot {svg} at (0,0) size 800x600
    RenderSVGResourceMasker {mask} [id="mask"] [maskUnits=objectBoundingBox] [maskContentUnits=userSpaceOnUse]
      RenderPath {rect} at (0,0) size 0x0 [fill={[type=SOLID] [color=#FFFFFF]}] [data="M0.00,0.00 L2147483648.00,0.00 L2147483648.00,2147483648.00 L0.00,2147483648.00 Z"]
    RenderPath {path} at (200,200) size 100x200 [fill={[type=SOLID] [color=#0000FF]}] [data="M200.00,200.00 L300.00,200.00 L300.00,400.00 L200.00,400.00 Z"]
      [masker="mask"] RenderSVGResourceMasker {mask} at (190,180) size 214748364800.00x429496729600.00

Expected output: the render tree should look like (note size of first RenderPath object):

layer at (0,0) size 800x600
  RenderView at (0,0) size 800x600
layer at (0,0) size 800x600
  RenderSVGRoot {svg} at (0,0) size 800x600
    RenderSVGResourceMasker {mask} [id="mask"] [maskUnits=objectBoundingBox] [maskContentUnits=userSpaceOnUse]
      RenderPath {rect} at (0,0) size 800x600 [fill={[type=SOLID] [color=#FFFFFF]}] [data="M0.00,0.00 L2147483648.00,0.00 L2147483648.00,2147483648.00 L0.00,2147483648.00 Z"]
    RenderPath {path} at (200,200) size 100x200 [fill={[type=SOLID] [color=#0000FF]}] [data="M200.00,200.00 L300.00,200.00 L300.00,400.00 L200.00,400.00 Z"]
      [masker="mask"] RenderSVGResourceMasker {mas

Chromium 5.0.395.0 (46220)

Additional information:

The underlying cause appears to be an unsafe float -> int conversion in FloatRect::enclosingIntRect, where static_cast<int> is used on a float outside the range representable by int.
Comment 1 W. James MacLean 2010-05-06 13:33:16 PDT
Created attachment 55290 [details]
SVG File with large coordinate values
Comment 2 Alexey Proskuryakov 2010-05-07 15:15:34 PDT
*** Bug 38680 has been marked as a duplicate of this bug. ***
Comment 3 Alexey Proskuryakov 2010-05-07 15:16:18 PDT
An explanation of why this is wrong from duplicate:

If you modify mask-excessive-malloc.svg so the rect has dimensions in the range
of int, and dump the results render tree, you will find the size of the
RenderPath (line 6) is 800x600, not 0x0. I.e. it clips to the size of the view
port. If you fix the float -> int conversions so that values greater than the
max int 2147483647 are clipped to 2147483647 (which is one reasonable
approach), then the size will be computed as 800x600. The 0x0 size seems to
occur when very large positive floats get erroneously converted to -2147483648,
which gets clipped to 0 for lengths such as height and width.
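Added illustration of the conversion problem described in the report and of the clamping approach suggested in Comment 3. This is example code written for this page, not WebKit's FloatRect/IntRect implementation: the struct names, the explicit model of the out-of-range cast (on x86 the SSE truncating conversion returns 0x80000000, i.e. INT_MIN, for out-of-range input, which is the -2147483648 the report describes; it is modelled rather than performed because the real cast is undefined behaviour in C++), the 64-bit width/height arithmetic and the 800x600 viewport intersection are all assumptions made here to reproduce the 0x0 versus 800x600 sizes from the two render trees above.

```cpp
#include <algorithm>
#include <climits>
#include <cmath>
#include <cstdio>

// Minimal stand-ins for WebKit's FloatRect / IntRect (assumed here, not the
// real classes).
struct FloatRect {
    float x, y, width, height;
    float maxX() const { return x + width; }
    float maxY() const { return y + height; }
};

struct IntRect {
    int x, y, width, height;
};

// Model of the unsafe conversion: static_cast<int>(f) for f outside int's
// range is undefined behaviour in C++. On x86 the cvttss2si instruction
// returns the "integer indefinite" value 0x80000000 (INT_MIN), which is the
// -2147483648 the report describes. Modelled explicitly so this example
// itself contains no undefined behaviour.
int unsafeTruncateModel(float f) {
    if (std::isnan(f) || f >= 2147483648.0f || f < -2147483648.0f)
        return INT_MIN;
    return static_cast<int>(f);
}

// Saturating conversion: out-of-range values clamp to INT_MAX / INT_MIN, the
// approach suggested in Comment 3. INT_MAX itself is not exactly representable
// as a float; 2147483648.0f (2^31) is the first value that no longer fits.
int clampToInt(float f) {
    if (std::isnan(f))
        return 0;
    if (f >= 2147483648.0f)
        return INT_MAX;
    if (f <= -2147483648.0f)
        return INT_MIN;
    return static_cast<int>(f);
}

// Same shape as the enclosingIntRect() named in the report: floor the origin,
// ceil the far edge, convert each edge, then take the difference. The
// subtraction is done in 64 bits and a negative extent collapses to 0,
// mirroring the "clipped to 0" behaviour described for width/height.
IntRect enclosingIntRectWith(const FloatRect& r, int (*toInt)(float)) {
    int left = toInt(std::floor(r.x));
    int top = toInt(std::floor(r.y));
    int right = toInt(std::ceil(r.maxX()));
    int bottom = toInt(std::ceil(r.maxY()));
    long long w = static_cast<long long>(right) - left;
    long long h = static_cast<long long>(bottom) - top;
    auto clampLen = [](long long v) {
        return v < 0 ? 0 : (v > INT_MAX ? INT_MAX : static_cast<int>(v));
    };
    return { left, top, clampLen(w), clampLen(h) };
}

// Intersection with the viewport, which is what yields the 800x600 size in
// the expected render tree (assumed simplification of the real clipping).
IntRect intersectRects(const IntRect& a, const IntRect& b) {
    int left = std::max(a.x, b.x);
    int top = std::max(a.y, b.y);
    long long right = std::min(static_cast<long long>(a.x) + a.width,
                               static_cast<long long>(b.x) + b.width);
    long long bottom = std::min(static_cast<long long>(a.y) + a.height,
                                static_cast<long long>(b.y) + b.height);
    if (right <= left || bottom <= top)
        return { 0, 0, 0, 0 };
    return { left, top, static_cast<int>(right - left), static_cast<int>(bottom - top) };
}

// The mask rect from the attached SVG: 0,0 to 2147483648 in both directions.
const FloatRect kMaskRect = { 0.0f, 0.0f, 2147483648.0f, 2147483648.0f };
const IntRect kViewport = { 0, 0, 800, 600 };

// Size the mask's RenderPath {rect} gets with the unsafe cast (0x0).
IntRect maskSizeUnsafe() {
    return intersectRects(enclosingIntRectWith(kMaskRect, unsafeTruncateModel), kViewport);
}

// Size it gets once the edges saturate instead of wrapping (800x600).
IntRect maskSizeClamped() {
    return intersectRects(enclosingIntRectWith(kMaskRect, clampToInt), kViewport);
}

int main() {
    IntRect bad = maskSizeUnsafe();
    IntRect good = maskSizeClamped();
    std::printf("unsafe cast:  RenderPath {rect} size %dx%d\n", bad.width, bad.height);
    std::printf("clamped cast: RenderPath {rect} size %dx%d\n", good.width, good.height);
    return 0;
}
```

With the wrapping conversion the far edge becomes INT_MIN, the extent goes negative and is clamped to 0, reproducing the `size 0x0` in the actual output; with saturation the far edge is INT_MAX and the viewport intersection gives `size 800x600`, matching the expected output. The same clamping is needed for every edge, not just width and height, since a huge negative origin wraps the other way.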
Comment 4 Nikolas Zimmermann 2010-07-09 07:25:31 PDT
Changed component to SVG, so it shows up in my all-svg-bugs search.
Comment 5 Dirk Schulze 2016-10-12 05:43:45 PDT
We changed that a long time ago and this particular test passes and we actually do have a test for it in the repo.

However, there might be still problems with huge values. Instead you should use viewBox, transform or similar ways to upscale.