Ensure keySplines is valid in SMIL animations
author: ddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 2 Mar 2014 00:20:58 +0000 (00:20 +0000)
committer: ddkilzer@apple.com <ddkilzer@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 2 Mar 2014 00:20:58 +0000 (00:20 +0000)
<http://webkit.org/b/129547>
<rdar://problem/15676128>

Reviewed by Darin Adler.

Merged from Blink (patch by Philip Rogers):
https://src.chromium.org/viewvc/blink?revision=156452&view=revision
http://crbug.com/276111

    This patch fixes a crash in SMIL animations when keySplines are not
    specified. The SMIL spec is clear on this:
    http://www.w3.org/TR/2001/REC-smil-animation-20010904/#AnimFuncCalcMode
    "If there are any errors in the keyTimes specification (bad values,
    too many or too few values), the animation will have no effect."

    This patch simply checks that keyTimes is not empty. Previously,
    splinesCount was set to be m_keySplines.size() + 1 in
    SVGAnimationElement.cpp; this patch changes splinesCount to be equal
    to m_keySplines.size() to make the logic easier to follow and to
    match other checks in SVGAnimationElement::startedActiveInterval.

Source/WebCore:

Test: svg/animations/animate-keysplines-crash.html

* svg/SVGAnimationElement.cpp:
(WebCore::SVGAnimationElement::startedActiveInterval):

LayoutTests:

* svg/animations/animate-keysplines-crash-expected.txt: Added.
* svg/animations/animate-keysplines-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@164933 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/svg/animations/animate-keysplines-crash-expected.txt [new file with mode: 0644]
LayoutTests/svg/animations/animate-keysplines-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/svg/SVGAnimationElement.cpp

index f49533a44944f7a9dd3db6067c418f79adc9ea8f..f08a3df6f65d38c37b5ae235ffd124f7dc570c5c 100644 (file)
@@ -1,3 +1,30 @@
+2014-03-01  David Kilzer  <ddkilzer@apple.com>
+
+        Ensure keySplines is valid in SMIL animations
+        <http://webkit.org/b/129547>
+        <rdar://problem/15676128>
+
+        Reviewed by Darin Adler.
+
+        Merged from Blink (patch by Philip Rogers):
+        https://src.chromium.org/viewvc/blink?revision=156452&view=revision
+        http://crbug.com/276111
+
+            This patch fixes a crash in SMIL animations when keySplines are not
+            specified. The SMIL spec is clear on this:
+            http://www.w3.org/TR/2001/REC-smil-animation-20010904/#AnimFuncCalcMode
+            "If there are any errors in the keyTimes specification (bad values,
+            too many or too few values), the animation will have no effect."
+
+            This patch simply checks that keyTimes is not empty. Previously,
+            splinesCount was set to be m_keySplines.size() + 1 in
+            SVGAnimationElement.cpp; this patch changes splinesCount to be equal
+            to m_keySplines.size() to make the logic easier to follow and to
+            match other checks in SVGAnimationElement::startedActiveInterval.
+
+        * svg/animations/animate-keysplines-crash-expected.txt: Added.
+        * svg/animations/animate-keysplines-crash.html: Added.
+
 2014-03-01  Benjamin Poulain  <benjamin@webkit.org>
 
         Tighten minimumRegisterRequirements()
diff --git a/LayoutTests/svg/animations/animate-keysplines-crash-expected.txt b/LayoutTests/svg/animations/animate-keysplines-crash-expected.txt
new file mode 100644 (file)
index 0000000..7ef22e9
--- /dev/null
@@ -0,0 +1 @@
+PASS
diff --git a/LayoutTests/svg/animations/animate-keysplines-crash.html b/LayoutTests/svg/animations/animate-keysplines-crash.html
new file mode 100644 (file)
index 0000000..4c50dca
--- /dev/null
@@ -0,0 +1,28 @@
+<!DOCTYPE HTML>
+<html>
+<body>
+Test for crbug.com/276111: This test passes if it does not crash.
+<svg xmlns="http://www.w3.org/2000/svg">
+  <rect>
+      <animateMotion path="M 1 2Z" id="animateMotionElement" calcMode="spline" values="M 1 2Z; M3 4Z"/>
+  </rect>
+</svg>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+function removePathAndFinishTest() {
+    animateMotionElement.removeAttribute('path');
+    setTimeout(function() {
+        document.write("PASS");
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }, 0);
+}
+
+setTimeout('removePathAndFinishTest()', 0);
+</script>
+</body>
+</html>
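Review bot: this test only exercises the empty-keySplines path (calcMode="spline" on an animateMotion with no keySplines attribute); the three size-mismatch comparisons the patch also rewrites in SVGAnimationElement::startedActiveInterval (keyPoints, values and keyTimes each expected to be one longer than the spline list) are not covered, so a companion case with a keySplines list present but a keyTimes list of the wrong length would guard the new arithmetic as well. Style point on `setTimeout('removePathAndFinishTest()', 0);`: this passes a string to be evaluated; pass the function reference, `setTimeout(removePathAndFinishTest, 0);`, as the inner callback on the lines above already does.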
index 80cb40af72d6758f99906d06596a2bb642affb6b..1cf650942bba68497ee0f766acf26c2a2f93370d 100644 (file)
@@ -1,3 +1,32 @@
+2014-03-01  David Kilzer  <ddkilzer@apple.com>
+
+        Ensure keySplines is valid in SMIL animations
+        <http://webkit.org/b/129547>
+        <rdar://problem/15676128>
+
+        Reviewed by Darin Adler.
+
+        Merged from Blink (patch by Philip Rogers):
+        https://src.chromium.org/viewvc/blink?revision=156452&view=revision
+        http://crbug.com/276111
+
+            This patch fixes a crash in SMIL animations when keySplines are not
+            specified. The SMIL spec is clear on this:
+            http://www.w3.org/TR/2001/REC-smil-animation-20010904/#AnimFuncCalcMode
+            "If there are any errors in the keyTimes specification (bad values,
+            too many or too few values), the animation will have no effect."
+
+            This patch simply checks that keyTimes is not empty. Previously,
+            splinesCount was set to be m_keySplines.size() + 1 in
+            SVGAnimationElement.cpp; this patch changes splinesCount to be equal
+            to m_keySplines.size() to make the logic easier to follow and to
+            match other checks in SVGAnimationElement::startedActiveInterval.
+
+        Test: svg/animations/animate-keysplines-crash.html
+
+        * svg/SVGAnimationElement.cpp:
+        (WebCore::SVGAnimationElement::startedActiveInterval):
+
 2014-03-01  Benjamin Poulain  <benjamin@webkit.org>
 
         Tighten minimumRegisterRequirements()
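Review bot: the description in this entry says "This patch simply checks that keyTimes is not empty", and the quoted spec sentence is about keyTimes, but the code change guards on `!splinesCount` where splinesCount is now `m_keySplines.size()`, so it is the keySplines list that is being checked for emptiness (as the commit title "Ensure keySplines is valid" says). The ChangeLog wording should say keySplines so that it matches the code; the spec quote is still relevant because an empty keySplines list makes every keyTimes/values/keyPoints length a mismatch.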
index e47197c4a986e65ad5bce8dbcfc46e389d459896..cbbb090d21d9bc077d9711db7795eefd1aa2da76 100644 (file)
@@ -558,10 +558,11 @@ void SVGAnimationElement::startedActiveInterval()
     AnimationMode animationMode = this->animationMode();
     CalcMode calcMode = this->calcMode();
     if (calcMode == CalcModeSpline) {
-        unsigned splinesCount = m_keySplines.size() + 1;
-        if ((fastHasAttribute(SVGNames::keyPointsAttr) && m_keyPoints.size() != splinesCount)
-            || (animationMode == ValuesAnimation && m_values.size() != splinesCount)
-            || (fastHasAttribute(SVGNames::keyTimesAttr) && m_keyTimes.size() != splinesCount))
+        unsigned splinesCount = m_keySplines.size();
+        if (!splinesCount
+            || (fastHasAttribute(SVGNames::keyPointsAttr) && m_keyPoints.size() - 1 != splinesCount)
+            || (animationMode == ValuesAnimation && m_values.size() - 1 != splinesCount)
+            || (fastHasAttribute(SVGNames::keyTimesAttr) && m_keyTimes.size() - 1 != splinesCount))
             return;
     }
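Review bot: the rewritten comparisons `m_keyPoints.size() - 1 != splinesCount` (and the same form for m_values and m_keyTimes) subtract 1 from an unsigned size, so an empty list wraps to the maximum unsigned value. That still compares unequal to splinesCount, which is nonzero at that point because of the preceding `!splinesCount` guard, so the early return is correct, but the intent is hidden behind unsigned wraparound and the short-circuit order, and the expression reads as an underflow to anyone auditing it later. Suggest `m_keyPoints.size() != splinesCount + 1` (likewise for the other two), which states the "one more value than splines" relation directly and has no dependence on the guard's evaluation order.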