Changeset 93477 in webkit

Timestamp:

Aug 20, 2011 12:30:57 AM (13 years ago)

Author:

commit-queue@webkit.org

Message:

OOB Read in WebCore::SVGAnimationElement
​https://bugs.webkit.org/show_bug.cgi?id=65858

Patch by Ken Buchanan <​kenrb@chromium.org> on 2011-08-20
Reviewed by Nikolas Zimmermann.

Source/WebCore:

Potential crash resulting from incorrect keySpline array lengths. This fix validates the length in startedActiveInterval.

Test: svg/animations/animate-calcMode-spline-crash-bad-array-length.xhtml

• svg/SVGAnimationElement.cpp:

(WebCore::SVGAnimationElement::parseMappedAttribute):
(WebCore::SVGAnimationElement::calculateKeyTimesIndex):

LayoutTests:

Added test case covering keySpline array length problem.

• svg/animations/animate-calcMode-spline-crash-bad-array-length-expected.txt: Added.
• svg/animations/animate-calcMode-spline-crash-bad-array-length.xhtml: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff, 1 prop)
• LayoutTests/svg/animations/animate-calcMode-spline-crash-bad-array-length-expected.txt (added)
• LayoutTests/svg/animations/animate-calcMode-spline-crash-bad-array-length.xhtml (added)
• Source/WebCore/ChangeLog (modified) (1 diff, 1 prop)
• Source/WebCore/svg/SVGAnimationElement.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-08-20  Ken Buchanan  <kenrb@chromium.org>
+
+        OOB Read in WebCore::SVGAnimationElement
+        https://bugs.webkit.org/show_bug.cgi?id=65858
+
+        Reviewed by Nikolas Zimmermann.
+
+        Added test case covering keySpline array length problem.
+
+        * svg/animations/animate-calcMode-spline-crash-bad-array-length-expected.txt: Added.
+        * svg/animations/animate-calcMode-spline-crash-bad-array-length.xhtml: Added.
+
 2011-08-19  Sheriff Bot  <webkit.review.bot@gmail.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-08-20  Ken Buchanan  <kenrb@chromium.org>
+
+        OOB Read in WebCore::SVGAnimationElement
+        https://bugs.webkit.org/show_bug.cgi?id=65858
+
+        Reviewed by Nikolas Zimmermann.
+
+        Potential crash resulting from incorrect keySpline array lengths. This fix validates the length in startedActiveInterval.
+
+        Test: svg/animations/animate-calcMode-spline-crash-bad-array-length.xhtml
+
+        * svg/SVGAnimationElement.cpp:
+        (WebCore::SVGAnimationElement::parseMappedAttribute):
+        (WebCore::SVGAnimationElement::calculateKeyTimesIndex):
+
 2011-08-19  Sheriff Bot  <webkit.review.bot@gmail.com>
 

trunk/Source/WebCore/svg/SVGAnimationElement.cpp

@@ -414 +414 @@
     unsigned index;
     unsigned keyTimesCount = m_keyTimes.size();
-    for (index = 1; index < keyTimesCount; ++index) {
+    // Compare index + 1 to keyTimesCount because the last keyTimes entry is
+    // required to be 1, and percent can never exceed 1; i.e., the second last
+    // keyTimes entry defines the beginning of the final interval
+    for (index = 1; index + 1 < keyTimesCount; ++index) {
         if (m_keyTimes[index] > percent)
             break;
@@ -552 +555 @@
         unsigned splinesCount = m_keySplines.size() + 1;
         if ((fastHasAttribute(SVGNames::keyPointsAttr) && m_keyPoints.size() != splinesCount)
-            || (animationMode == ValuesAnimation && m_values.size() != splinesCount))
+            || (animationMode == ValuesAnimation && m_values.size() != splinesCount)
+            || (fastHasAttribute(SVGNames::keyTimesAttr) && m_keyTimes.size() != splinesCount))
             return;
     }