[Webkit-unassigned] [Bug 18859] New: SVGRootInlineBox::buildTextChunks can do an invalid downcast
bugzilla-daemon at webkit.org
Fri May 2 17:19:56 PDT 2008
http://bugs.webkit.org/show_bug.cgi?id=18859
Summary: SVGRootInlineBox::buildTextChunks can do an invalid downcast
Product: WebKit
Version: 526+ (Nightly build)
Platform: PC
OS/Version: Mac OS X 10.5
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: SVG
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: myrdred at gmail.com

rendering/SVGRootInlineBox.cpp:1382:

    Node* node = text->element()->parent();
    if (node && node->isSVGElement())
        textContent = static_cast<SVGTextContentElement*>(node);
    ASSERT(textContent);

The problem is that the parent of the element node may not be an
SVGTextContentElement. For example, in this SVG:

    <svg xmlns="http://www.w3.org/2000/svg">
      <text>
        <a>Oh snap!</a>
      </text>
    </svg>

...the parent node is an SVGAElement, which doesn't inherit
SVGTextContentElement. To see this more clearly, replace the code above with:

    Node* node = text->element()->parent();
    if (node && node->isSVGElement()) {
        ASSERT(static_cast<SVGElement*>(node)->isTextContent());
        textContent = static_cast<SVGTextContentElement*>(node);
    }
    ASSERT(textContent);

Build, run Safari, load above SVG, earth-shattering kaboom.
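
The type check from the report's diagnostic ASSERT, turned into a checked downcast, as an added example (not WebKit code and not the fix applied to this bug). `Node`, `SVGElement`, `SVGTextContentElement` and `SVGAElement` are simplified stand-ins, `toTextContentElement` and `enclosingTextContentElement` are hypothetical helpers, and the ancestor walk is an assumption that goes beyond the report, which only identifies the bad cast.

```cpp
// Simplified stand-ins for the classes named in the report; not WebKit's real definitions.
struct Node {
    virtual ~Node() = default;
    Node* parent() const { return m_parent; }
    virtual bool isSVGElement() const { return false; }
    Node* m_parent = nullptr;
};
struct SVGElement : Node {
    bool isSVGElement() const override { return true; }
    virtual bool isTextContent() const { return false; }
};
struct SVGTextContentElement : SVGElement {  // e.g. <text>
    bool isTextContent() const override { return true; }
};
struct SVGAElement : SVGElement {};          // <a>: an SVGElement, but not text content

// Checked downcast: returns null unless the dynamic type really is text content,
// so a release build never treats an SVGAElement as an SVGTextContentElement.
SVGTextContentElement* toTextContentElement(Node* node)
{
    if (!node || !node->isSVGElement())
        return nullptr;
    SVGElement* svg = static_cast<SVGElement*>(node);
    return svg->isTextContent() ? static_cast<SVGTextContentElement*>(svg) : nullptr;
}

// Hypothetical helper: nearest ancestor that is text content, or null if none.
SVGTextContentElement* enclosingTextContentElement(Node* node)
{
    for (Node* n = node ? node->parent() : nullptr; n; n = n->parent()) {
        if (SVGTextContentElement* textContent = toTextContentElement(n))
            return textContent;
    }
    return nullptr;
}

int main()
{
    // Constructed tree matching the report's SVG: <text><a>"Oh snap!"</a></text>
    SVGTextContentElement text;
    SVGAElement a;
    a.m_parent = &text;
    Node characterData;  // the "Oh snap!" text node
    characterData.m_parent = &a;
    bool directParentRejected = toTextContentElement(characterData.parent()) == nullptr;
    bool ancestorFound = enclosingTextContentElement(&characterData) == &text;
    return (directParentRejected && ancestorFound) ? 0 : 1;
}
```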