[Webkit-unassigned] [Bug 31399] New: WebCore::SVGPathSegList::toPathData NULL pointer

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 12 02:42:59 PST 2009 

https://bugs.webkit.org/show_bug.cgi?id=31399

           Summary: WebCore::SVGPathSegList::toPathData NULL pointer
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Windows Vista
            Status: NEW
          Severity: Normal
          Priority: P1
         Component: SVG
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: skylined at chromium.org
                CC: eric at webkit.org


Created an attachment (id=43051)
 --> (https://bugs.webkit.org/attachment.cgi?id=43051)
Repro case

The following HTML causes a NULL pointer in
"WebCore::SVGPathSegList::toPathData" because "pathSegType" attribute is NULL:

<SCRIPT>
  svg_path=document.createElementNS("http://www.w3.org/2000/svg", "path");
  svg_path.pathSegList.initialize();
  svg_path.getPointAtLength();
</SCRIPT>

Below is the code to the function with an indicator where the crash happens:

Path SVGPathSegList::toPathData()
{
    // FIXME : This should also support non-normalized PathSegLists
    Path pathData;
    ExceptionCode ec = 0;
    int len = numberOfItems();
    for (int i = 0; i < len; ++i) {
        SVGPathSeg* segment = getItem(i, ec).get();
        switch (segment->pathSegType()) {                    // *** B00M ***
            case SVGPathSeg::PATHSEG_MOVETO_ABS:
            {
                SVGPathSegMovetoAbs* moveTo =
static_cast<SVGPathSegMovetoAbs*>(segment);
                pathData.moveTo(FloatPoint(moveTo->x(), moveTo->y()));
                break;
            }
            case SVGPathSeg::PATHSEG_LINETO_ABS:
            {
                SVGPathSegLinetoAbs* lineTo =
static_cast<SVGPathSegLinetoAbs*>(segment);
                pathData.addLineTo(FloatPoint(lineTo->x(), lineTo->y()));
                break;
            }
            case SVGPathSeg::PATHSEG_CURVETO_CUBIC_ABS:
            {
                SVGPathSegCurvetoCubicAbs* curveTo =
static_cast<SVGPathSegCurvetoCubicAbs*>(segment);
                pathData.addBezierCurveTo(FloatPoint(curveTo->x1(),
curveTo->y1()),
                                          FloatPoint(curveTo->x2(),
curveTo->y2()),
                                          FloatPoint(curveTo->x(),
curveTo->y()));
                break;
            }
            case SVGPathSeg::PATHSEG_CLOSEPATH:
                pathData.closeSubpath();
                break;
            default:
                ASSERT(false); // FIXME: This only works with
normalized/processed path data.
                break;
        }
    }

    return pathData;
}

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list