Commit 6f1de057 authored by schenney@chromium.org

SVG text path referencing parent text infinite loops

https://bugs.webkit.org/show_bug.cgi?id=112078

Reviewed by Philip Rogers.

Source/WebCore:

We do not check the target type when adding a resource reference for
SVG Text Path's URI. This goes horribly wrong when the target is the
text path's parent text element. In this patch we check that the target
element of the text path is indeed a path element, as the spec
requires. No other element type is allowed.

Note that RenderSVGTextPath enforces this check in the renderer code
also, so if we get past this check via pending resources, it doesn't
matter. You can't get into this situation with a pending reference
because, by definition, the parent must be defined before the text
path child.

Test: svg/text/textpath-referencing-text-crash.svg

* svg/SVGTextPathElement.cpp:
(WebCore::SVGTextPathElement::buildPendingResource):

LayoutTests:

* svg/text/textpath-referencing-text-crash-expected.txt: Added.
* svg/text/textpath-referencing-text-crash.svg: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@146515 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 93ad3e30
2013-03-21 Stephen Chenney <schenney@chromium.org>
SVG text path referencing parent text infinite loops
https://bugs.webkit.org/show_bug.cgi?id=112078
Reviewed by Philip Rogers.
* svg/text/textpath-referencing-text-crash-expected.txt: Added.
* svg/text/textpath-referencing-text-crash.svg: Added.
2013-03-21 Philip Rogers <pdr@google.com>
Correct bisector angle calculation for markers
Test Passes if there is no crash. See bug https://bugs.webkit.org/show_bug.cgi?id=112078.
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<text id="a" font-size="0">
<textPath xlink:href="#a"></textPath>
</text>
<text>Test Passes if there is no crash. See bug https://bugs.webkit.org/show_bug.cgi?id=112078.</text>
<script>
if (window.testRunner)
testRunner.dumpAsText();
</script>
</svg>
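Review bot: the test only covers a `<textPath xlink:href="#a">` whose target is its direct parent `<text id="a">`, while the fix rejects every non-path target. A second case that points the text path at some other non-path element would pin down the new behaviour rather than just this one cycle. The pass message says "no crash", but the commit title describes an infinite loop, so a regression would more likely show up as a timeout; wording the message and file name around the hang would make a failure easier to read.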
2013-03-21 Stephen Chenney <schenney@chromium.org>
SVG text path referencing parent text infinite loops
https://bugs.webkit.org/show_bug.cgi?id=112078
Reviewed by Philip Rogers.
We do not check the target type when adding a resource reference for
SVG Text Path's URI. This goes horribly wrong when the target is the
text path's parent text element. In this patch we check that the target
element of the text path is indeed a path element, as the spec
requires. No other element type is allowed.
Note that RenderSVGTextPath enforces this check in the renderer code
also, so if we get past this check via pending resources, it doesn't
matter. You can't get into this situation with a pending reference
because, by definition, the parent must be defined before the text
path child.
Test: svg/text/textpath-referencing-text-crash.svg
* svg/SVGTextPathElement.cpp:
(WebCore::SVGTextPathElement::buildPendingResource):
2013-03-21 Joshua Bell <jsbell@chromium.org>
IndexedDB: Remove onVersionChange(string) plumbing
......@@ -171,7 +171,7 @@ void SVGTextPathElement::buildPendingResource()
document()->accessSVGExtensions()->addPendingResource(id, this);
ASSERT(hasPendingResources());
}
} else if (target->isSVGElement()) {
} else if (target->hasTagName(SVGNames::pathTag)) {
// Register us with the target in the dependencies map. Any change of hrefElement
// that leads to relayout/repainting now informs us, so we can react to it.
document()->accessSVGExtensions()->addElementReferencingTarget(this, toSVGElement(target));
......
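Review bot: the narrowed condition `target->hasTagName(SVGNames::pathTag)` carries no comment saying why only a path is accepted, and the comment beneath it still reads as if any href target were registered. A short note at that branch, stating that the target must be a path element and that a non-path target such as the parent text element must never be added as a referencing dependency, would keep a later cleanup from widening the check back to `isSVGElement()`.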