Changeset 146515 in webkit

Timestamp:

Mar 21, 2013 1:57:35 PM (11 years ago)

Author:

schenney@chromium.org

Message:

SVG text path referencing parent text infinite loops
​https://bugs.webkit.org/show_bug.cgi?id=112078

Reviewed by Philip Rogers.

Source/WebCore:

We do not check the target type when adding a resource reference for
SVG Text Path's URI. This goes horribly wrong when the target is the
text path's parent text element. In this patch we check that the target
element of the text path is indeed a path element, as the spec
requires. No other element type is allowed.

Note that RenderSVGTextPath enforces this check in the renderer code
also, so if we get past this check via pending resources, it doesn't
matter. You can't get into this situation with a pending reference
because, by definition, the parent must be defined before the text
path child.

Test: svg/text/textpath-referencing-text-crash.svg

• svg/SVGTextPathElement.cpp:

(WebCore::SVGTextPathElement::buildPendingResource):

LayoutTests:

• svg/text/textpath-referencing-text-crash-expected.txt: Added.
• svg/text/textpath-referencing-text-crash.svg: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/svg/text/textpath-referencing-text-crash-expected.txt (added)
• LayoutTests/svg/text/textpath-referencing-text-crash.svg (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/svg/SVGTextPathElement.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2013-03-21  Stephen Chenney  <schenney@chromium.org>
+
+        SVG text path referencing parent text infinite loops
+        https://bugs.webkit.org/show_bug.cgi?id=112078
+
+        Reviewed by Philip Rogers.
+
+        * svg/text/textpath-referencing-text-crash-expected.txt: Added.
+        * svg/text/textpath-referencing-text-crash.svg: Added.
+
 2013-03-21  Philip Rogers  <pdr@google.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-03-21  Stephen Chenney  <schenney@chromium.org>
+
+        SVG text path referencing parent text infinite loops
+        https://bugs.webkit.org/show_bug.cgi?id=112078
+
+        Reviewed by Philip Rogers.
+
+        We do not check the target type when adding a resource reference for
+        SVG Text Path's URI. This goes horribly wrong when the target is the
+        text path's parent text element. In this patch we check that the target
+        element of the text path is indeed a path element, as the spec
+        requires. No other element type is allowed.
+
+        Note that RenderSVGTextPath enforces this check in the renderer code
+        also, so if we get past this check via pending resources, it doesn't
+        matter. You can't get into this situation with a pending reference
+        because, by definition, the parent must be defined before the text
+        path child.
+
+        Test: svg/text/textpath-referencing-text-crash.svg
+
+        * svg/SVGTextPathElement.cpp:
+        (WebCore::SVGTextPathElement::buildPendingResource):
+
 2013-03-21  Joshua Bell  <jsbell@chromium.org>
 

trunk/Source/WebCore/svg/SVGTextPathElement.cpp

@@ -172 +172 @@
             ASSERT(hasPendingResources());
         }
-    } else if (target->isSVGElement()) {
+    } else if (target->hasTagName(SVGNames::pathTag)) {
         // Register us with the target in the dependencies map. Any change of hrefElement
         // that leads to relayout/repainting now informs us, so we can react to it.