Reviewed by Niko.
The only path commands that can leave numbers trailing the command processing
are 'm' and 'M', in which trailing numbers are parsed as arguments to an
implicit lineto command. In any case we should just terminate as an invalid
path.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@28574
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2007-12-09 Oliver Hunt <oliver@apple.com>
+
+ Reviewed by Niko.
+
+ Prevent unlimited iteration in the case of invalid path data.
+
+ The only path commands that can leave numbers trailing the command processing
+ are 'm' and 'M', in which trailing numbers are parsed as arguments to an
+ implicit lineto command. In any case we should just terminate as an invalid
+ path.
+
+ * svg/dom/path-parser-expected.txt:
+ * svg/dom/path-parser.html:
+
2007-12-08 Sam Weinig <sam@webkit.org>
Rubber-stamped by Adam Roben.
Could not parse:
Could not parse: M
Could not parse: M
+Parsed as 2 command(s) [MZ]: M1,1Z0
PASS successfullyParsed is true
TEST COMPLETE
}
parsePath(pathString);
}
-
// Empty-ish paths
parsePath("");
parsePath("M");
parsePath("M" + String.fromCharCode(0));
+ // Edge case paths:
+ parsePath("M1,1Z0");
}
-
fuzz();
successfullyParsed = true;
+2007-12-09 Oliver Hunt <oliver@apple.com>
+
+ Reviewed by Niko.
+
+ Prevent unlimited iteration in the case of invalid path data.
+
+ The only path commands that can leave numbers trailing the command processing
+ are 'm' and 'M', in which trailing numbers are parsed as arguments to an
+ implicit lineto command. In any case we should just terminate as an invalid
+ path.
+
+ * svg/SVGParserUtilities.cpp:
+ (WebCore::SVGPathParser::parseSVG):
+
2007-12-09 Luca Bruno <lethalman88@gmail.com>
Reviewed by Alp Toker.
command = 'L';
else if (command == 'm')
command = 'l';
+ else
+ // Garbage data at the end of the path
+ return false;
} else
command = *(ptr++);
git://git.webkit.org / WebKit-https.git / commitdiff