[Webkit-unassigned] [Bug 15962] New: <canvas> rendering crasher with undefined moveTo and lineWidth != 1

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Nov 12 16:50:52 PST 2007


http://bugs.webkit.org/show_bug.cgi?id=15962

           Summary: <canvas> rendering crasher with undefined moveTo and
                    lineWidth != 1
           Product: WebKit
           Version: 525+ (Nightly build)
          Platform: Macintosh
               URL: http://darknoon.com/visuals/canvas_crasher1.html
        OS/Version: Mac OS X 10.4
            Status: UNCONFIRMED
          Severity: Critical
          Priority: P1
         Component: Layout and Rendering
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: andpoul at gmail.com


Present in Safari 419.3, webkit nightly build, and Safari 3. Tested on Mac ppc
and intel.

The code in question is:
a moveTo(undefined, undefined); <- this can result from an unexpected state in
a js program
then lineTo some specific points (not sure which ones or why)
then lineWidth = 2; (must be not the default to trigger crash)
then stroke();

The linked page should crash Safari. It is basically a fuzzer that tries to
find the points to make it crash. I don't think they need to be outside the
bounds of the rendering context, as I've seen the crash without that, but it
seems to happen faster if the values are larger.

I tried to plug in the values that were displayed onscreen when webkit crashed
(see js code), but it did not trigger the crash. It appears that the condition
needs to be triggered at least twice to trigger the crash.
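An added example, not part of the bug report or of WebKit's code: a small guard on the page side that drops non-finite path coordinates (undefined, NaN, Infinity) before they reach moveTo/lineTo, so an unexpected JS state never feeds garbage into the renderer. It replays the call sequence described above against a constructed stand-in for a 2D context (`recordingContext`, an assumption so the code runs offline under Node) and reports what was forwarded and what was dropped.

```javascript
// Minimal constructed stand-in for CanvasRenderingContext2D: records each call.
function recordingContext() {
  const ctx = { lineWidth: 1, calls: [] };
  for (const name of ['beginPath', 'moveTo', 'lineTo', 'stroke']) {
    ctx[name] = (...args) => ctx.calls.push([name, ...args]);
  }
  return ctx;
}

function isFiniteNumber(v) {
  return typeof v === 'number' && Number.isFinite(v);
}

// Wraps a context so that path commands carrying undefined/NaN/Infinity
// coordinates are dropped (and counted) instead of being forwarded.
function guardedPath(ctx) {
  let dropped = 0;
  const forward = (name) => (x, y) => {
    if (!isFiniteNumber(x) || !isFiniteNumber(y)) { dropped += 1; return; }
    ctx[name](x, y);
  };
  return {
    moveTo: forward('moveTo'),
    lineTo: forward('lineTo'),
    stroke: () => ctx.stroke(),
    droppedCount: () => dropped,
  };
}

// Replays the sequence from the report: a moveTo fed undefined coordinates
// (here from an uninitialised variable), some lineTo calls, a non-default
// lineWidth, then stroke. Returns what actually reached the context.
function replayReportSequence() {
  const ctx = recordingContext();
  const path = guardedPath(ctx);
  let start;                     // constructed: uninitialised, i.e. undefined
  path.moveTo(start, start);     // moveTo(undefined, undefined) -> dropped
  path.lineTo(10, 20);
  path.lineTo(Number.NaN, 30);   // constructed: result of bad arithmetic -> dropped
  path.lineTo(40, 50);
  ctx.lineWidth = 2;             // non-default width, as in the report
  path.stroke();
  return { calls: ctx.calls, dropped: path.droppedCount() };
}
```

With the guard in place the context only ever sees the two finite lineTo calls and the stroke; the two malformed points are counted so the page can log them as a bug in its own state handling.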

