[webkit-changes] cvs commit: WebCore/ksvg2/svg
SVGTransformableImpl.cpp
Eric
eseidel at opensource.apple.com
Tue Dec 13 13:25:14 PST 2005
eseidel 05/12/13 13:25:13
Modified: . ChangeLog
ksvg2/svg SVGTransformableImpl.cpp
Log:
Bug #: 6061
Submitted by: eseidel
Reviewed by: darin
Fix crash on malformed transform attributes and transforms with
trailing spaces:
http://bugzilla.opendarwin.org/show_bug.cgi?id=6061
* ksvg2/svg/SVGTransformableImpl.cpp:
(SVGTransformableImpl::parseTransformAttribute):
Revision Changes Path
1.521 +11 -0 WebCore/ChangeLog
Index: ChangeLog
===================================================================
RCS file: /cvs/root/WebCore/ChangeLog,v
retrieving revision 1.520
retrieving revision 1.521
diff -u -r1.520 -r1.521
--- ChangeLog 13 Dec 2005 11:46:51 -0000 1.520
+++ ChangeLog 13 Dec 2005 21:25:07 -0000 1.521
@@ -1,3 +1,14 @@
+2005-12-13 Eric Seidel <eseidel at apple.com>
+
+ Reviewed by darin.
+
+ Fix crash on malformed transform attributes and transforms with
+ trailing spaces:
+ http://bugzilla.opendarwin.org/show_bug.cgi?id=6061
+
+ * ksvg2/svg/SVGTransformableImpl.cpp:
+ (SVGTransformableImpl::parseTransformAttribute):
+
2005-12-13 Maciej Stachowiak <mjs at apple.com>
- build fix for last-minute part of previous change
1.9 +31 -23 WebCore/ksvg2/svg/SVGTransformableImpl.cpp
Index: SVGTransformableImpl.cpp
===================================================================
RCS file: /cvs/root/WebCore/ksvg2/svg/SVGTransformableImpl.cpp,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- SVGTransformableImpl.cpp 21 Nov 2005 08:29:43 -0000 1.8
+++ SVGTransformableImpl.cpp 13 Dec 2005 21:25:13 -0000 1.9
@@ -23,6 +23,7 @@
#include "config.h"
#include <qregexp.h>
#include <qstringlist.h>
+#include <kxmlcore/PassRefPtr.h>
#include <kdom/core/AttrImpl.h>
@@ -36,6 +37,7 @@
#include "SVGStyledElementImpl.h"
#include "SVGDOMImplementationImpl.h"
#include "SVGAnimatedTransformListImpl.h"
+#include "ksvg.h"
using namespace KSVG;
@@ -53,12 +55,15 @@
return;
// Split string for handling 1 transform statement at a time
- QStringList subtransforms = QStringList::split(')', KDOM::DOMString(transform).qstring());
+ QStringList subtransforms = QStringList::split(')', KDOM::DOMString(transform).qstring().simplifyWhiteSpace());
QStringList::ConstIterator it = subtransforms.begin();
QStringList::ConstIterator end = subtransforms.end();
for(; it != end; ++it)
{
QStringList subtransform = QStringList::split('(', (*it));
+
+ if (subtransform.count() < 2)
+ break; // invalid transform, ignore.
subtransform[0] = subtransform[0].stripWhiteSpace().lower();
subtransform[1] = subtransform[1].simplifyWhiteSpace();
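Review bot: The comment on the new `subtransform.count() < 2` guard says "ignore", but `break` leaves the loop, so every transform after the malformed one is dropped while those already appended to `list` stay in effect. If that is the intended handling for malformed, document-supplied attribute text, the comment should say so, e.g. `break; // malformed transform: stop parsing, keep the transforms appended so far`. The `params.count() < 1` break in the next hunk and the `SVG_TRANSFORM_UNKNOWN` break in the last hunk behave the same way and would benefit from the same wording. Whether `list` should instead be cleared on error cannot be decided from these lines, because parseTransformAttribute starts and ends outside the hunk.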
@@ -76,6 +81,9 @@
pos += reg.matchedLength();
}
}
+
+ if (params.count() < 1)
+ break;
if(subtransform[0].startsWith(QString::fromLatin1(";")) ||
subtransform[0].startsWith(QString::fromLatin1(",")))
@@ -83,50 +91,50 @@
subtransform[0] = subtransform[0].right(subtransform[0].length() - 1);
}
- SVGTransformImpl *t = new SVGTransformImpl();
+ PassRefPtr<SVGTransformImpl> t = new SVGTransformImpl();
if(subtransform[0] == QString::fromLatin1("rotate"))
{
- if(params.count() == 3)
+ if (params.count() == 3)
t->setRotate(params[0].toDouble(),
params[1].toDouble(),
params[2].toDouble());
- else
+ else if (params.count() == 1)
t->setRotate(params[0].toDouble(), 0, 0);
}
else if(subtransform[0] == QString::fromLatin1("translate"))
{
- if(params.count() == 2)
+ if (params.count() == 2)
t->setTranslate(params[0].toDouble(), params[1].toDouble());
- else // Spec: if only one param given, assume 2nd param to be 0
+ else if (params.count() == 1) // Spec: if only one param given, assume 2nd param to be 0
t->setTranslate(params[0].toDouble(), 0);
}
else if(subtransform[0] == QString::fromLatin1("scale"))
{
- if(params.count() == 2)
+ if (params.count() == 2)
t->setScale(params[0].toDouble(), params[1].toDouble());
- else // Spec: if only one param given, assume uniform scaling
+ else if (params.count() == 1) // Spec: if only one param given, assume uniform scaling
t->setScale(params[0].toDouble(), params[0].toDouble());
}
- else if(subtransform[0] == QString::fromLatin1("skewx"))
+ else if(subtransform[0] == QString::fromLatin1("skewx") && (params.count() == 1))
t->setSkewX(params[0].toDouble());
- else if(subtransform[0] == QString::fromLatin1("skewy"))
+ else if(subtransform[0] == QString::fromLatin1("skewy") && (params.count() == 1))
t->setSkewY(params[0].toDouble());
- else if(subtransform[0] == QString::fromLatin1("matrix"))
+ else if(subtransform[0] == QString::fromLatin1("matrix") && (params.count() == 6))
{
- if(params.count() >= 6)
- {
- SVGMatrixImpl *ret = new SVGMatrixImpl(params[0].toDouble(),
- params[1].toDouble(),
- params[2].toDouble(),
- params[3].toDouble(),
- params[4].toDouble(),
- params[5].toDouble());
- t->setMatrix(ret);
- }
+ SVGMatrixImpl *ret = new SVGMatrixImpl(params[0].toDouble(),
+ params[1].toDouble(),
+ params[2].toDouble(),
+ params[3].toDouble(),
+ params[4].toDouble(),
+ params[5].toDouble());
+ t->setMatrix(ret);
}
-
- list->appendItem(t);
+
+ if (t->type() == SVG_TRANSFORM_UNKNOWN)
+ break; // failed to parse a valid transform, abort.
+
+ list->appendItem(t.release());
}
}
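Review bot: `PassRefPtr<SVGTransformImpl> t` is used as a local that is dereferenced many times before `t.release()`, although PassRefPtr is meant for handing ownership across a call boundary. A local holder reads more safely as `RefPtr<SVGTransformImpl> t = new SVGTransformImpl();`, with the final `list->appendItem(t.release());` unchanged, assuming the RefPtr header is available in this tree. The matrix branch still creates `SVGMatrixImpl *ret` with a bare `new`. Who owns it after `t->setMatrix(ret)` is not visible from the hunk, so a one-line comment stating the ownership would help. The loop body begins outside this hunk.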