    Prevent NaN offset values in ElementTimeControl. · d3188d91
    pdr@google.com authored
    https://bugs.webkit.org/show_bug.cgi?id=100322
    
    Reviewed by Abhishek Arya.
    
    Source/WebCore:
    
    NaN values can cause ElementTimeControl to go back in time!
    If a value of NaN is passed to ElementTimeControl::beginElementAt(offset),
    subsequent sorting will cause an assert in SVGSMILElement::findInstanceTime
    because NaN values are not properly sorted. NaN SMILTime values
    should not be allowed at all, so this patch adds a check for them in
    ElementTimeControl's setters.
    
    This patch also adds preventative asserts to catch if SMILTime is ever
    initialized with NaN, or if addEndTime/addBeginTime are ever called
    with NaN values.
    
    Test: svg/custom/elementTimeControl-nan-crash.html
    
    * svg/SVGAnimationElement.cpp:
    (WebCore::SVGAnimationElement::beginElementAt):
    (WebCore::SVGAnimationElement::endElementAt):
    * svg/animation/SMILTime.h:
    (WebCore::SMILTime::SMILTime):
    * svg/animation/SVGSMILElement.cpp:
    (WebCore::SVGSMILElement::addBeginTime):
    (WebCore::SVGSMILElement::addEndTime):
    
    LayoutTests:
    
    * svg/custom/elementTimeControl-nan-crash-expected.txt: Added.
    * svg/custom/elementTimeControl-nan-crash.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@132724 268f45cc-cd09-0410-ab3c-d52691b4dbfc
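As an added illustration (not WebKit's code), the following shows why a NaN offset corrupts a sorted instance-time list and how a guard like the one this patch adds to the setters keeps NaN out. Instance times are plain doubles here, and `InstanceTimes` is a hypothetical stand-in for the list SVGSMILElement keeps sorted; `breaksTransitivity` demonstrates the strict-weak-ordering violation that makes sorting NaN unsafe.

```cpp
#include <cassert>
#include <cmath>
#include <vector>

// Sorting requires a strict weak ordering: "neither a < b nor b < a" must be an
// equivalence relation. Every comparison with NaN is false, so NaN is
// "equivalent" to every value and transitivity of that relation breaks.
static bool equivalentUnderLess(double a, double b) { return !(a < b) && !(b < a); }

// True when a ~ b and b ~ c, yet a and c are strictly ordered.
// For (1, NaN, 2) this holds, so no sort can place NaN consistently.
static bool breaksTransitivity(double a, double b, double c) {
    return equivalentUnderLess(a, b) && equivalentUnderLess(b, c) && (a < c || c < a);
}

// Hypothetical stand-in for the sorted begin-time list. The setter rejects NaN
// before it reaches the list (the patch's check in ElementTimeControl's setters);
// the assert in add() is the preventative assert for internal callers.
class InstanceTimes {
public:
    // Returns false when the offset is rejected.
    bool beginElementAt(double offset) {
        if (std::isnan(offset))
            return false;
        add(offset);
        return true;
    }
    size_t size() const { return times_.size(); }
    double at(size_t i) const { return times_[i]; }

private:
    void add(double t) {
        assert(!std::isnan(t)); // mirrors the assert added to addBeginTime/addEndTime
        // Keep ascending order with a single insertion step.
        auto it = times_.begin();
        while (it != times_.end() && *it < t)
            ++it;
        times_.insert(it, t);
    }
    std::vector<double> times_;
};

// Feeds a valid, a NaN and another valid offset; reports whether the NaN was
// rejected and the surviving list is still sorted.
static bool guardedListRejectsNan() {
    InstanceTimes times;
    bool ok = times.beginElementAt(3.0) && !times.beginElementAt(std::nan("")) && times.beginElementAt(1.0);
    return ok && times.size() == 2 && times.at(0) == 1.0 && times.at(1) == 3.0;
}
```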