[webkit-reviews] review requested: [Bug 40837] Chrome/Safari Crashes on SVG Image : [Attachment 59127] Proposed patch
bugzilla-daemon at webkit.org
Fri Jun 18 10:01:35 PDT 2010
W. James MacLean <wjmaclean at chromium.org> has asked for review:
Bug 40837: Chrome/Safari Crashes on SVG Image
https://bugs.webkit.org/show_bug.cgi?id=40837
Attachment 59127: Proposed patch
https://bugs.webkit.org/attachment.cgi?id=59127&action=review
------- Additional Comments from W. James MacLean <wjmaclean at chromium.org>
This patch is marked for review to discuss the approach to fixing the bug, and
does not (yet) include a simplified test and changelog comments.
The bug appears to occur in
SVGRootInlineBox::layoutInlineBoxes(InlineFlowBox* start,
Vector<SVGChar>::iterator& it, int& lowX, int& highX, int& lowY, int& highY)
when a non-text InlineFlowBox is encountered that has no children. In this case
the default values
int minX = INT_MAX;
int minY = INT_MAX;
int maxX = INT_MIN;
int maxY = INT_MIN;
are retained and lead to the current InlineBox being assigned unrealistically
large (x,y) coordinates.
These coordinates then lead to unrealistically large bounding rects, causing
the platform-level renderers to fail.
The proposed patch exits, leaving the default size for the InlineBox, which
appears to work (performance may be slow, but this appears to be a separate
issue with the platform-level filters).
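The failure mode described in the comment above, reduced to a self-contained example. This is added illustration, not code from the WebKit patch or from SVGRootInlineBox; the Box and Extents types, layoutBox and the sample child boxes are assumed toy stand-ins for the real inline-box structures.

```cpp
// Added example (not from the WebKit patch or the bug report): a minimal
// reconstruction of the "empty-children sentinel" failure mode. Box, Extents,
// layoutBox and the sample boxes are assumed toy types, not WebKit's.
#include <algorithm>
#include <climits>
#include <cstdio>
#include <vector>

struct Box { int x, y, width, height; };
struct Extents { int minX, minY, maxX, maxY; };

// Unguarded accumulation: mirrors the INT_MAX/INT_MIN sentinel pattern.
// With zero children the loop never runs and the sentinels are returned as-is.
Extents extentsUnguarded(const std::vector<Box>& children) {
    int minX = INT_MAX;
    int minY = INT_MAX;
    int maxX = INT_MIN;
    int maxY = INT_MIN;
    for (const Box& c : children) {
        minX = std::min(minX, c.x);
        minY = std::min(minY, c.y);
        maxX = std::max(maxX, c.x + c.width);
        maxY = std::max(maxY, c.y + c.height);
    }
    return {minX, minY, maxX, maxY};
}

// A cheap invariant check: a real bounding box has minX <= maxX and minY <= maxY.
// Untouched sentinels violate it, and maxX - minX would also overflow int.
bool extentsAreSane(const Extents& e) {
    return e.minX <= e.maxX && e.minY <= e.maxY;
}

// Guarded variant: report "no extents" instead of handing back the sentinels.
bool computeExtents(const std::vector<Box>& children, Extents& out) {
    if (children.empty())
        return false;
    out = extentsUnguarded(children);
    return true;
}

// Caller in the spirit of the proposed fix: on an empty flow box, bail out and
// keep the box's default geometry rather than assigning sentinel coordinates.
Box layoutBox(const Box& defaultBox, const std::vector<Box>& children) {
    Extents e;
    if (!computeExtents(children, e))
        return defaultBox;
    return {e.minX, e.minY, e.maxX - e.minX, e.maxY - e.minY};
}

int main() {
    std::vector<Box> none;                                        // constructed: no children
    std::vector<Box> two = {{10, 20, 5, 5}, {30, 40, 10, 10}};    // constructed sample

    Extents bad = extentsUnguarded(none);
    std::printf("unguarded, no children: minX=%d maxX=%d sane=%d\n",
                bad.minX, bad.maxX, extentsAreSane(bad));

    Box kept = layoutBox({0, 0, 0, 0}, none);
    std::printf("guarded, no children: %d %d %d %d\n",
                kept.x, kept.y, kept.width, kept.height);

    Box fitted = layoutBox({0, 0, 0, 0}, two);
    std::printf("guarded, two children: %d %d %d %d\n",
                fitted.x, fitted.y, fitted.width, fitted.height);
    return 0;
}
```

The unguarded path returns the sentinels untouched for an empty child list, so any downstream width or height computed from them is either absurdly large or an integer overflow; the guarded path returns early and the box keeps its default size, which is the behaviour the proposed patch relies on.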