[Webkit-unassigned] [Bug 18859] New: SVGRootInlineBox::buildTextChunks can do an invalid downcast

bugzilla-daemon at webkit.org
Fri May 2 17:19:56 PDT 2008


http://bugs.webkit.org/show_bug.cgi?id=18859

           Summary: SVGRootInlineBox::buildTextChunks can do an invalid
                    downcast
           Product: WebKit
           Version: 526+ (Nightly build)
          Platform: PC
        OS/Version: Mac OS X 10.5
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: SVG
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: myrdred at gmail.com


rendering/SVGRootInlineBox.cpp:1382:

            Node* node = text->element()->parent();
            if (node && node->isSVGElement())
                textContent = static_cast<SVGTextContentElement*>(node);
            ASSERT(textContent);

The problem is that the parent of the element node may not be an
SVGTextContentElement. For example, in this SVG:

<svg xmlns="http://www.w3.org/2000/svg">
  <text>
    <a>Oh snap!</a>
  </text>
</svg>

...the parent node is an SVGAElement, which doesn't inherit
SVGTextContentElement. To see this more clearly, replace the code above with:

            Node* node = text->element()->parent();
            if (node && node->isSVGElement()) {
                ASSERT(static_cast<SVGElement*>(node)->isTextContent());
                textContent = static_cast<SVGTextContentElement*>(node);
            }
            ASSERT(textContent);

Build, run Safari, load above SVG, earth-shattering kaboom.


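Added example, not part of the original report and not WebKit's code: a checked downcast that confirms isTextContent() before the static_cast, run on a constructed tree mirroring the report's SVG (<text><a>...</a></text>). The class definitions are minimal stand-ins for the types named in the report, and toTextContent() and enclosingTextContent() are hypothetical helpers; walking up to the nearest text content ancestor is one possible handling, assumed here for illustration.

```cpp
#include <cstdio>

// Minimal stand-ins for the classes named in the report (not WebKit's real definitions).
struct Node {
    Node* parentNode = nullptr;
    virtual ~Node() = default;
    virtual bool isSVGElement() const { return false; }
    Node* parent() const { return parentNode; }
};

struct SVGElement : Node {
    bool isSVGElement() const override { return true; }
    virtual bool isTextContent() const { return false; }
};

struct SVGTextContentElement : SVGElement {
    bool isTextContent() const override { return true; }
    int numberOfChars = 8;  // state that exists only on text content elements
};

struct SVGAElement : SVGElement {};  // <a>: an SVGElement, but not text content

// Checked downcast (hypothetical helper): verify the dynamic type first, else nullptr.
SVGTextContentElement* toTextContent(Node* node) {
    if (!node || !node->isSVGElement())
        return nullptr;
    SVGElement* svg = static_cast<SVGElement*>(node);
    return svg->isTextContent() ? static_cast<SVGTextContentElement*>(svg) : nullptr;
}

// Hypothetical helper: nearest ancestor that really is a text content element.
SVGTextContentElement* enclosingTextContent(Node* start) {
    for (Node* n = start ? start->parent() : nullptr; n; n = n->parent())
        if (SVGTextContentElement* tc = toTextContent(n))
            return tc;
    return nullptr;
}

int main() {
    // Constructed tree mirroring the report's SVG: <text><a>#text</a></text>
    SVGTextContentElement text;
    SVGAElement a;
    Node textNode;
    a.parentNode = &text;
    textNode.parentNode = &a;
    std::printf("direct parent is text content: %s\n", toTextContent(textNode.parent()) ? "yes" : "no");
    std::printf("enclosing <text> found: %s\n", enclosingTextContent(&textNode) == &text ? "yes" : "no");
    return 0;
}
```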