Bug 82375 - Null dereference in SVGTextElement::animatedLocalTransform()
Summary: Null dereference in SVGTextElement::animatedLocalTransform()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: SVG
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Stephen Chenney
URL:
Keywords:
: 81992
Depends on:
Blocks:
 
Reported: 2012-03-27 13:39 PDT by Stephen Chenney
Modified: 2012-03-28 13:40 PDT (History)
2 users

See Also:


Attachments
Repro case, crashes (388 bytes, text/html)
2012-03-27 13:39 PDT, Stephen Chenney
Patch (3.69 KB, patch)
2012-03-27 13:50 PDT, Stephen Chenney

Description Stephen Chenney 2012-03-27 13:39:55 PDT
Created attachment 134125 [details]
Repro case, crashes

When a malformed SVG document puts a text element inside an animation element, like this

<html>
  <head>
    <script type="application/javascript">
      function test() {
        document.getElementById("crash").getTransformToElement();
      }
    </script>
  </head>
  <body>
    <svg xmlns="http://www.w3.org/2000/svg" version="1.1" onload="test()">
      <animateTransform >
        <text id="crash">
        </text>
      </animateTransform>
    </svg>
  </body>
</html>

there is a crash because the text element does not have a renderer (it is an orphan, it seems, because animateTransform elements do not have rendered children) and this causes a crash when getCTM calls SVGTextElement::animatedLocalTransform().
Comment 1 Stephen Chenney 2012-03-27 13:50:12 PDT
Created attachment 134128 [details]
Patch
Comment 2 Nikolas Zimmermann 2012-03-28 05:15:31 PDT
Comment on attachment 134128 [details]
Patch

r=me.
Comment 3 WebKit Review Bot 2012-03-28 07:28:21 PDT
Comment on attachment 134128 [details]
Patch

Clearing flags on attachment: 134128

Committed r112394: <http://trac.webkit.org/changeset/112394>
Comment 4 WebKit Review Bot 2012-03-28 07:28:25 PDT
All reviewed patches have been landed. Closing bug.
Comment 5 Stephen Chenney 2012-03-28 10:09:50 PDT
Just FYI, I checked the other implementations of animatedLocalTransform(). There is only one, in SVGStyledTransformableElement, and it already had the exact check I added.

Maybe in the future we should require that changes to implementations of a method check for all other implementations to see if they need the same fix. We can just raise the issue in reviews.
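The mechanism from the description (an orphaned text element with no renderer) and the renderer null check mentioned in comment 5, modelled as an added C++ example that is not WebKit's code: a minimal Element/Renderer pair where the unchecked form of animatedLocalTransform() dereferences a missing renderer, while the checked form falls back to identity so a simplified getCTM() on the orphan still composes its parent's transform. All type and function names below are simplified stand-ins, not the WebKit classes.

```cpp
#include <memory>
// Hypothetical 2D affine transform [a c e; b d f], identity by default (stand-in for WebKit's AffineTransform).
struct AffineTransform {
    double a = 1, b = 0, c = 0, d = 1, e = 0, f = 0;
    AffineTransform operator*(const AffineTransform& o) const {   // this * o (o applied first)
        AffineTransform r;
        r.a = a * o.a + c * o.b;     r.b = b * o.a + d * o.b;
        r.c = a * o.c + c * o.d;     r.d = b * o.c + d * o.d;
        r.e = a * o.e + c * o.f + e; r.f = b * o.e + d * o.f + f;
        return r;
    }
};
// Stand-in for the render object that owns the element's (possibly animated) local transform.
struct Renderer { AffineTransform localTransform; };
struct Element {
    Element* parentElement = nullptr;
    std::unique_ptr<Renderer> m_renderer;   // stays null for an orphaned element
    const Renderer* renderer() const { return m_renderer.get(); }
    // Pre-fix shape: assumes a renderer always exists, so an orphaned <text>
    // (e.g. nested inside <animateTransform>) dereferences null here.
    AffineTransform animatedLocalTransformUnchecked() const {
        return renderer()->localTransform;
    }
    // Post-fix shape: the null check SVGStyledTransformableElement already had.
    AffineTransform animatedLocalTransform() const {
        if (const Renderer* r = renderer())
            return r->localTransform;
        return AffineTransform();   // identity: nothing rendered, nothing to animate
    }
    // Simplified getCTM(): compose local transforms from this element up to the root.
    AffineTransform getCTM() const {
        AffineTransform ctm;
        for (const Element* el = this; el; el = el->parentElement)
            ctm = el->animatedLocalTransform() * ctm;
        return ctm;
    }
};
// Constructed scenario: an orphaned <text> whose parent is translated by (tx, ty).
// With the check, getCTM() returns just the parent's transform; without it, it crashes.
AffineTransform orphanedTextCTM(double tx, double ty) {
    Element root;
    root.m_renderer = std::make_unique<Renderer>();
    root.m_renderer->localTransform.e = tx;
    root.m_renderer->localTransform.f = ty;
    Element text;
    text.parentElement = &root;   // no renderer is ever attached
    return text.getCTM();
}
```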
Comment 6 Stephen Chenney 2012-03-28 13:40:45 PDT
*** Bug 81992 has been marked as a duplicate of this bug. ***