SVGAnimationElement::currentValuesForValuesAnimation crash
author: fmalita@chromium.org <fmalita@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 16 Jul 2012 20:31:54 +0000 (20:31 +0000)
committer: fmalita@chromium.org <fmalita@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 16 Jul 2012 20:31:54 +0000 (20:31 +0000)
https://bugs.webkit.org/show_bug.cgi?id=91326

Reviewed by Simon Fraser.

SVGSMILElement::progress() assumes that seekToIntervalCorrespondingToTime() always
lands inside a defined interval, but one can force arbitrary time offsets using
setCurrentTime(). This patch adds logic for handling non-interval time offsets
gracefully.

Source/WebCore:

Test: svg/animations/smil-setcurrenttime-crash.svg

* svg/animation/SVGSMILElement.cpp:
(WebCore::SVGSMILElement::progress):

LayoutTests:

* svg/animations/smil-setcurrenttime-crash-expected.txt: Added.
* svg/animations/smil-setcurrenttime-crash.svg: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@122755 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/svg/animations/smil-setcurrenttime-crash-expected.txt [new file with mode: 0644]
LayoutTests/svg/animations/smil-setcurrenttime-crash.svg [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/svg/animation/SVGSMILElement.cpp

index b88c36f..8fb8623 100644 (file)
@@ -1,3 +1,18 @@
+2012-07-16  Florin Malita  <fmalita@chromium.org>
+
+        SVGAnimationElement::currentValuesForValuesAnimation crash
+        https://bugs.webkit.org/show_bug.cgi?id=91326
+
+        Reviewed by Simon Fraser.
+
+        SVGSMILElement::progress() assumes that seekToIntervalCorrespondingToTime() always
+        lands inside a defined interval, but one can force arbitrary time offsets using
+        setCurrentTime(). This patch adds logic for handling non-interval time offsets
+        gracefully.
+
+        * svg/animations/smil-setcurrenttime-crash-expected.txt: Added.
+        * svg/animations/smil-setcurrenttime-crash.svg: Added.
+
 2012-07-16  W. James MacLean  <wjmaclean@chromium.org>
 
         [chromium] Unreviewed gardening. Layout Test fast/frames/calculate-fixed.html is flaky
diff --git a/LayoutTests/svg/animations/smil-setcurrenttime-crash-expected.txt b/LayoutTests/svg/animations/smil-setcurrenttime-crash-expected.txt
new file mode 100644 (file)
index 0000000..2a6c902
--- /dev/null
@@ -0,0 +1 @@
+PASS: not crashing.
diff --git a/LayoutTests/svg/animations/smil-setcurrenttime-crash.svg b/LayoutTests/svg/animations/smil-setcurrenttime-crash.svg
new file mode 100644 (file)
index 0000000..c53d94e
--- /dev/null
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
+  <!-- Test for https://bugs.webkit.org/show_bug.cgi?id=91326 -->
+  <rect>
+    <animate attributeName="fill" begin="1s; 10s" dur="3s" fill="freeze" values="#000;#fff"/>
+  </rect>
+  <text>PASS: not crashing.</text>
+
+  <script>
+    if (window.testRunner)
+      testRunner.dumpAsText();
+
+    document.documentElement.setCurrentTime(5);
+  </script>
+</svg>
+
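Review bot: the test should say why `setCurrentTime(5)` is the interesting value: with `begin="1s; 10s"` and `dur="3s"` the animation's intervals are 1s-4s and 10s-13s, so seeking to 5s lands in the gap between them, which is exactly the situation `progress()` used to assert on. Suggest extending the comment on the `<!-- Test for https://bugs.webkit.org/show_bug.cgi?id=91326 -->` line with that explanation, and adding a second seek past the last interval (for example `document.documentElement.setCurrentTime(20);`) so the case where no later interval exists is exercised as well; as written, only the gap between two intervals is covered.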
index 10ec088..6c4eb86 100644 (file)
@@ -1,3 +1,20 @@
+2012-07-16  Florin Malita  <fmalita@chromium.org>
+
+        SVGAnimationElement::currentValuesForValuesAnimation crash
+        https://bugs.webkit.org/show_bug.cgi?id=91326
+
+        Reviewed by Simon Fraser.
+
+        SVGSMILElement::progress() assumes that seekToIntervalCorrespondingToTime() always
+        lands inside a defined interval, but one can force arbitrary time offsets using
+        setCurrentTime(). This patch adds logic for handling non-interval time offsets
+        gracefully.
+
+        Test: svg/animations/smil-setcurrenttime-crash.svg
+
+        * svg/animation/SVGSMILElement.cpp:
+        (WebCore::SVGSMILElement::progress):
+
 2012-07-16  Joshua Netterfield  <jnetterfield@rim.com>
 
         [BlackBerry] Upstream WebGL Code
index d59cfff..0dc6a8a 100644 (file)
@@ -1043,7 +1043,11 @@ bool SVGSMILElement::progress(SMILTime elapsed, SVGSMILElement* resultElement, b
     // This call may obtain a new interval -- never call calculateAnimationPercentAndRepeat() before!
     if (seekToTime) {
         seekToIntervalCorrespondingToTime(elapsed);
-        ASSERT(elapsed >= m_intervalBegin);
+        if (elapsed < m_intervalBegin) {
+            // elapsed is not within an interval.
+            m_nextProgressTime = m_intervalBegin;
+            return false;
+        }
     }
 
     unsigned repeat = 0;
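Review bot: the comment on the new `if (elapsed < m_intervalBegin)` branch should state how this situation arises and what the early `return false` means to the caller, since the replaced `ASSERT(elapsed >= m_intervalBegin)` was the only documentation of the old assumption; suggest something like `// seekToIntervalCorrespondingToTime() can land before the next interval (e.g. setCurrentTime() into a gap between intervals); wait for it.` It is also worth confirming that `m_intervalBegin` is always a resolved time after `seekToIntervalCorrespondingToTime(elapsed)`: if it can be unresolved when no later interval exists, `m_nextProgressTime = m_intervalBegin` schedules the next progress at an unresolved time, and that case deserves either an explicit check or a comment saying it is intended.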