SVGSVGElement checkIntersection and checkEnclosure Mem corruption
Author: rwlbuis@webkit.org <rwlbuis@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Wed, 16 May 2012 14:47:05 +0000 (14:47 +0000)
Committer: rwlbuis@webkit.org <rwlbuis@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Wed, 16 May 2012 14:47:05 +0000 (14:47 +0000)
https://bugs.webkit.org/show_bug.cgi?id=67923

Patch by Rob Buis <rbuis@rim.com> on 2012-05-16
Reviewed by Nikolas Zimmermann.

Source/WebCore:

Only call checkIntersection/checkEnclosure when we have a valid renderer.

Test: svg/custom/intersection-list-null.svg

* svg/SVGSVGElement.cpp:
(WebCore::SVGSVGElement::checkIntersection):
(WebCore::SVGSVGElement::checkEnclosure):

LayoutTests:

Add test to check that checkIntersection/checkEnclosure do not
crash when null is used for the element parameter.

* svg/custom/intersection-list-null-expected.txt: Added.
* svg/custom/intersection-list-null.svg: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@117289 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/svg/custom/intersection-list-null-expected.txt [new file with mode: 0644]
LayoutTests/svg/custom/intersection-list-null.svg [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/svg/SVGSVGElement.cpp
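The pattern the patch applies, as an added example that is not WebKit code: a caller-side null check on the element, plus the callee-side check on the renderer that the commit message refers to. The types below (FloatRect, RenderObject, SVGElement) and the free functions rendererCheckIntersection/rendererCheckEnclosure are simplified stand-ins written for this example; they are assumptions about the shape of the WebCore API, not its real definitions. The example goes one step beyond the patch by also covering an element that exists but has no renderer, which is the case a check on the element pointer alone does not reach.

```cpp
// Added example (not WebKit code). Models the guarded call pattern of
// SVGSVGElement::checkIntersection/checkEnclosure with minimal stand-ins
// for the WebCore types; every type and function here is an assumption.
#include <cstdio>

// Minimal axis-aligned rectangle with the two predicates the example needs.
struct FloatRect {
    float x, y, width, height;
    float maxX() const { return x + width; }
    float maxY() const { return y + height; }
    bool isEmpty() const { return width <= 0 || height <= 0; }
    // Strict overlap: touching edges do not count as an intersection.
    bool intersects(const FloatRect& o) const {
        return !isEmpty() && !o.isEmpty()
            && x < o.maxX() && o.x < maxX()
            && y < o.maxY() && o.y < maxY();
    }
    // True when o lies entirely inside this rectangle.
    bool contains(const FloatRect& o) const {
        return o.x >= x && o.maxX() <= maxX() && o.y >= y && o.maxY() <= maxY();
    }
};

// Stand-in for a render-tree object: it knows its bounding box.
struct RenderObject {
    FloatRect bounds;
};

// Stand-in for an SVGElement. renderer() returns null when the element is
// not rendered (for instance display:none or detached from the document),
// which is the case a null check on the element pointer does not cover.
struct SVGElement {
    bool rendered;
    RenderObject box;
    RenderObject* renderer() { return rendered ? &box : nullptr; }
};

// Callee-side guard: a null renderer is never dereferenced.
bool rendererCheckIntersection(RenderObject* renderer, const FloatRect& rect) {
    if (!renderer)
        return false;
    return renderer->bounds.intersects(rect);
}

bool rendererCheckEnclosure(RenderObject* renderer, const FloatRect& rect) {
    if (!renderer)
        return false;
    return rect.contains(renderer->bounds);
}

// Caller-side guard, mirroring the patch: reject a null element before
// touching it, then delegate to the renderer-level check.
bool checkIntersection(SVGElement* element, const FloatRect& rect) {
    if (!element)
        return false;
    return rendererCheckIntersection(element->renderer(), rect);
}

bool checkEnclosure(SVGElement* element, const FloatRect& rect) {
    if (!element)
        return false;
    return rendererCheckEnclosure(element->renderer(), rect);
}

// Builds an element that either has a renderer at the given box or none.
SVGElement makeElement(bool rendered, FloatRect bounds = {0, 0, 0, 0}) {
    return SVGElement{rendered, RenderObject{bounds}};
}

int main() {
    FloatRect viewport{0, 0, 100, 100};
    SVGElement hidden = makeElement(false);
    SVGElement straddling = makeElement(true, {90, 90, 20, 20});
    std::printf("null element:     intersect=%d enclosed=%d\n",
                checkIntersection(nullptr, viewport), checkEnclosure(nullptr, viewport));
    std::printf("no renderer:      intersect=%d enclosed=%d\n",
                checkIntersection(&hidden, viewport), checkEnclosure(&hidden, viewport));
    std::printf("crosses viewport: intersect=%d enclosed=%d\n",
                checkIntersection(&straddling, viewport), checkEnclosure(&straddling, viewport));
    return 0;
}
```

Both guards are kept deliberately: the caller-side check stops the null-element dereference the bug report is about, while the callee-side check is what actually makes the "valid renderer" wording of the commit message true.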

index 8c8f1f5..9111fa9 100644 (file)
@@ -1,3 +1,16 @@
+2012-05-16  Rob Buis  <rbuis@rim.com>
+
+        SVGSVGElement checkIntersection and checkEnclosure Mem corruption
+        https://bugs.webkit.org/show_bug.cgi?id=67923
+
+        Reviewed by Nikolas Zimmermann.
+
+        Add test to check that checkIntersection/checkEnclosure do not
+        crash when null is used for the element parameter.
+
+        * svg/custom/intersection-list-null-expected.txt: Added.
+        * svg/custom/intersection-list-null.svg: Added.
+
 2012-05-16  Simon Hausmann  <simon.hausmann@nokia.com>
 
         Unskip fast/animation/request-animation-frame-during-modal.html that was
diff --git a/LayoutTests/svg/custom/intersection-list-null-expected.txt b/LayoutTests/svg/custom/intersection-list-null-expected.txt
new file mode 100644 (file)
index 0000000..7ef22e9
--- /dev/null
@@ -0,0 +1 @@
+PASS
diff --git a/LayoutTests/svg/custom/intersection-list-null.svg b/LayoutTests/svg/custom/intersection-list-null.svg
new file mode 100644 (file)
index 0000000..3ade9f1
--- /dev/null
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg id="root" xmlns="http://www.w3.org/2000/svg" onload="runTest()">
+  <script>
+    function runTest() {
+        if (window.layoutTestController)
+            layoutTestController.dumpAsText();
+        var root = document.documentElement;
+        root.checkIntersection(null, root.createSVGRect());
+        root.checkEnclosure(null, root.createSVGRect());
+    }
+  </script>
+  <!-- This test passes if it does not crash. -->
+  <text>PASS</text>
+</svg>
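Review bot: the test only exercises the null-element path and never looks at the return values; since the fix in SVGSVGElement.cpp makes both calls return false for a null element, the test should assert that (for example `if (root.checkIntersection(null, root.createSVGRect()) !== false) throw ...`) rather than passing on "did not crash" alone. It also does not cover an element that exists but has no renderer, even though the call still passes `element->renderer()` through; a second case using an unrendered child (such as a `display:none` element) would pin down that path too.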
index e9990d8..72825d0 100644 (file)
@@ -1,3 +1,18 @@
+2012-05-16  Rob Buis  <rbuis@rim.com>
+
+        SVGSVGElement checkIntersection and checkEnclosure Mem corruption
+        https://bugs.webkit.org/show_bug.cgi?id=67923
+
+        Reviewed by Nikolas Zimmermann.
+
+        Only call checkIntersection/checkEnclosure when we have a valid renderer.
+
+        Test: svg/custom/intersection-list-null.svg
+
+        * svg/SVGSVGElement.cpp:
+        (WebCore::SVGSVGElement::checkIntersection):
+        (WebCore::SVGSVGElement::checkEnclosure):
+
 2012-05-16  Simon Hausmann  <simon.hausmann@nokia.com>
 
         Unreviewed, rolling out r110699.
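Review bot: the ChangeLog line "Only call checkIntersection/checkEnclosure when we have a valid renderer" does not describe the change in SVGSVGElement.cpp, which tests `if (!element)` and never inspects the renderer; either reword it to "a non-null element" or extend the check to the renderer so the text and the code agree.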
index 330c51d..8e0f210 100644 (file)
@@ -371,11 +371,15 @@ PassRefPtr<NodeList> SVGSVGElement::getEnclosureList(const FloatRect& rect, SVGE
 
 bool SVGSVGElement::checkIntersection(SVGElement* element, const FloatRect& rect) const
 {
+    if (!element)
+        return false;
     return RenderSVGModelObject::checkIntersection(element->renderer(), rect);
 }
 
 bool SVGSVGElement::checkEnclosure(SVGElement* element, const FloatRect& rect) const
 {
+    if (!element)
+        return false;
     return RenderSVGModelObject::checkEnclosure(element->renderer(), rect);
 }
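Review bot: in both functions the new guard rejects a null `element` but still hands `element->renderer()` to RenderSVGModelObject::checkIntersection/checkEnclosure unchecked, so an element that is attached but not rendered is only safe if those callees tolerate a null renderer, which this patch does not show. Either change the guard to `if (!element || !element->renderer()) return false;` or note in the ChangeLog that the callee handles the null-renderer case. Separately, returning false for a null argument is sensible hardening, but the IDL is not part of this patch, so it is worth confirming whether the binding should already reject null before the call reaches here.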