RESOLVED FIXED Bug 82375
Null dereference in SVGTextElement::animatedLocalTransform() 
https://bugs.webkit.org/show_bug.cgi?id=82375
Summary Null dereference in SVGTextElement::animatedLocalTransform()
Stephen Chenney
Reported 2012-03-27 13:39:55 PDT
Created attachment 134125 [details] Repro case, crashes When a malformed SVG document puts a text element inside an animation element, like this <html> <head> <script type="application/javascript"> function test() { document.getElementById("crash").getTransformToElement(); } </script> </head> <body> <svg xmlns="http://www.w3.org/2000/svg" version="1.1" onload="test()"> <animateTransform > <text id="crash"> </text> </animateTransform> </svg> </body> </html> there is a crash because the text element does not have a renderer (it is an orphan, it seems, because animateTransform elements do not have rendered children) and this causes a crash when getCTM calls SVGTextElement::animatedLocalTransform().
Attachments
Repro case, crashes (388 bytes, text/html)
2012-03-27 13:39 PDT, Stephen Chenney 		no flags
Details
Patch (3.69 KB, patch)
2012-03-27 13:50 PDT, Stephen Chenney 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Stephen Chenney
Comment 1 2012-03-27 13:50:12 PDT
Created attachment 134128 [details] Patch
Nikolas Zimmermann
Comment 2 2012-03-28 05:15:31 PDT
Comment on attachment 134128 [details] Patch r=me.
WebKit Review Bot
Comment 3 2012-03-28 07:28:21 PDT
Comment on attachment 134128 [details] Patch Clearing flags on attachment: 134128 Committed r112394: <http://trac.webkit.org/changeset/112394>
WebKit Review Bot
Comment 4 2012-03-28 07:28:25 PDT
All reviewed patches have been landed. Closing bug.
Stephen Chenney
Comment 5 2012-03-28 10:09:50 PDT
Just FYI, I checked the other implementations of animatedLocalTransform(). There is only one, in SVGStyledTransformableElement, and it already had the exact check I added. Maybe in the future we should require that changes to implementations of a method check for all other implementations to see if they need the same fix. We can just raise the issue in reviews.
Stephen Chenney
Comment 6 2012-03-28 13:40:45 PDT
*** Bug 81992 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.