[Webkit-unassigned] [Bug 51698] New: SVG paths not sanitized before being passed through to QPainterPath

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Dec 29 01:14:06 PST 2010


https://bugs.webkit.org/show_bug.cgi?id=51698

           Summary: SVG paths not sanitized before being passed through to
                    QPainterPath
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebKit Qt
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: s.r at visotech.at


Created an attachment (id=77606)
 --> (https://bugs.webkit.org/attachment.cgi?id=77606&action=review)
Test case

I'm not sure about the version number, as they mean nothing to me. I'm talking about the version included with Qt 4.7.

I have some JavaScript code that creates a curved path element where some coordinates are NaNs (due to a bug in the rest of my code). Apparently, QPainterPath is used to paint SVG paths, and this is where the problems occur. What happens is this:

QPainterPath::cubicTo: Adding point where x or y is NaN, results are undefined
QPainterPath::lineTo: Adding point where x or y is NaN, results are undefined
QPainterPath::cubicTo: Adding point where x or y is NaN, results are undefined
QPainterPath::lineTo: Adding point where x or y is NaN, results are undefined
QPainterPath::cubicTo: Adding point where x or y is NaN, results are undefined
QPainterPath::cubicTo: Adding point where x or y is NaN, results are undefined
QPainterPath::lineTo: Adding point where x or y is NaN, results are undefined
QPainterPath::cubicTo: Adding point where x or y is NaN, results are undefined
QPainterPath::lineTo: Adding point where x or y is NaN, results are undefined
QPainterPath::cubicTo: Adding point where x or y is NaN, results are undefined
QPainterPath::lineTo: Adding point where x or y is NaN, results are undefined
QPainterPath::cubicTo: Adding point where x or y is NaN, results are undefined
QPainterPath::lineTo: Adding point where x or y is NaN, results are undefined
QPainterPath::cubicTo: Adding point where x or y is NaN, results are undefined

and after a few seconds:

Catchpoint 1 (exception thrown), 0x0000003cb5cbcd00 in __cxa_throw () from /usr/lib64/libstdc++.so.6
(gdb) bt
#0 0x0000003cb5cbcd00 in __cxa_throw () from /usr/lib64/libstdc++.so.6
#1 0x00007ffff7b1eb25 in qBadAlloc () at global/qglobal.cpp:1996
#2 0x00007ffff6e317a7 in QVector<QPointF>::realloc (this=0x7fffffff8cb0, asize=67108863, aalloc=134217727) at ../../include/QtCore/../../src/corelib/tools/qvector.h:481
#3 0x00007ffff6e3deee in QVector<QPointF>::append (this=0x7fffffff8cb0, t=...) at ../../include/QtCore/../../src/corelib/tools/qvector.h:548
#4 0x00007ffff6e77514 in QBezier::addToPolygon (this=0x7fffffff8c70, polygon=0x7fffffff8cb0, bezier_flattening_threshold=0.5) at painting/qbezier.cpp:220
#5 0x00007ffff6ee6848 in QPainterPath::toSubpathPolygons (this=0x7fffffff9fe0, matrix=...) at painting/qpainterpath.cpp:1509
#6 0x00007ffff6ee69b4 in QPainterPath::toFillPolygons (this=0x7fffffff9fe0, matrix=...) at painting/qpainterpath.cpp:1560
#7 0x00007ffff6ee6f65 in QPainterPath::toFillPolygons (this=0x7fffffff9fe0, matrix=...) at painting/qpainterpath.cpp:1655
#8 0x00007ffff6fb8347 in QX11PaintEnginePrivate::fillPath (this=0xc60db0, path=..., gc_mode=QX11PaintEnginePrivate::PenGC, transform=true) at painting/qpaintengine_x11.cpp:1752
#9 0x00007ffff6fb8c23 in QX11PaintEngine::drawPath (this=0xc8ff60, path=...) at painting/qpaintengine_x11.cpp:1815
#10 0x00007ffff6ecee45 in QPainter::drawPath (this=0x7fffffffb6b0, path=...) at painting/qpainter.cpp:3381
#11 0x00007ffff6eceac5 in QPainter::strokePath (this=0x7fffffffb6b0, path=..., pen=...) at painting/qpainter.cpp:3293
#12 0x00007ffff578facc in WebCore::GraphicsContext::strokePath() () from /home/sr/build/qt47_debug/lib/libQtWebKit.so.4
#13 0x00007ffff59e912d in WebCore::SVGPaintServer::renderPath(WebCore::GraphicsContext*&, WebCore::RenderObject const*, WebCore::SVGPaintTargetType) const () from /home/sr/build/qt47_debug/lib/libQtWebKit.so.4
#14 0x00007ffff59e9039 in WebCore::SVGPaintServer::draw(WebCore::GraphicsContext*&, WebCore::RenderObject const*, WebCore::SVGPaintTargetType) const () from /home/sr/build/qt47_debug/lib/libQtWebKit.so.4
#15 0x00007ffff59f22f1 in WebCore::fillAndStrokePath(WebCore::Path const&, WebCore::GraphicsContext*, WebCore::RenderStyle*, WebCore::RenderPath*) () from /home/sr/build/qt47_debug/lib/libQtWebKit.so.4
#16 0x00007ffff59f2603 in WebCore::RenderPath::paint(WebCore::RenderObject::PaintInfo&, int, int) () from /home/sr/build/qt47_debug/lib/libQtWebKit.so.4
#17 0x00007ffff59f3850 in WebCore::RenderSVGContainer::paint(WebCore::RenderObject::PaintInfo&, int, int) () from /home/sr/build/qt47_debug/lib/libQtWebKit.so.4
#18 0x00007ffff59f3850 in WebCore::RenderSVGContainer::paint(WebCore::RenderObject::PaintInfo&, int, int) () from /home/sr/build/qt47_debug/lib/libQtWebKit.so.4
#19 0x00007ffff569d1aa in WebCore::RenderBox::paint(WebCore::RenderObject::PaintInfo&, int, int) () from /home/sr/build/qt47_debug/lib/libQtWebKit.so.4
#20 0x00007ffff59fd101 in WebCore::RenderSVGRoot::paint(WebCore::RenderObject::PaintInfo&, int, int) () from /home/sr/build/qt47_debug/lib/libQtWebKit.so.4
#21 0x00007ffff56df20c in WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) () from /home/sr/build/qt47_debug/lib/libQtWebKit.so.4
#22 0x00007ffff56df478 in WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) () from /home/sr/build/qt47_debug/lib/libQtWebKit.so.4
#23 0x00007ffff56df478 in WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) () from /home/sr/build/qt47_debug/lib/libQtWebKit.so.4
#24 0x00007ffff56de34d in WebCore::RenderLayer::paint(WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::RenderObject*) () from /home/sr/build/qt47_debug/lib/libQtWebKit.so.4
#25 0x00007ffff5592f26 in WebCore::FrameView::paintContents(WebCore::GraphicsContext*, WebCore::IntRect const&) () from /home/sr/build/qt47_debug/lib/libQtWebKit.so.4
#26 0x00007ffff57d296e in QWebFramePrivate::renderRelativeCoords(WebCore::GraphicsContext*, QWebFrame::RenderLayer, QRegion const&) () from /home/sr/build/qt47_debug/lib/libQtWebKit.so.4
#27 0x00007ffff57d56ec in QWebFrame::render(QPainter*, QRegion const&) () from /home/sr/build/qt47_debug/lib/libQtWebKit.so.4
#28 0x00007ffff57f070c in QWebView::paintEvent(QPaintEvent*) () from /home/sr/build/qt47_debug/lib/libQtWebKit.so.4
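The failure mode in the report, as an added example that is not part of the bug report or of Qt/WebKit code: a toy de Casteljau flattening loop (constructed here to mimic the tolerance-based exit in QBezier::addToPolygon) never takes its "flat enough" exit once a NaN coordinate is involved, because every comparison with NaN is false, so the point vector grows until a depth cap or the allocator stops it. The finite-coordinate check is the sanitization the report says is missing before the path reaches the painter; all names are assumptions.

```cpp
#include <cmath>
#include <cstddef>
#include <vector>
struct Pt { double x; double y; };
// Flatness: how much the control polygon exceeds the chord length.
static double flatness(Pt p0, Pt p1, Pt p2, Pt p3) {
    return std::hypot(p1.x - p0.x, p1.y - p0.y)
         + std::hypot(p2.x - p1.x, p2.y - p1.y)
         + std::hypot(p3.x - p2.x, p3.y - p2.y)
         - std::hypot(p3.x - p0.x, p3.y - p0.y);
}
// Recursive subdivision, capped at maxDepth so a NaN input can only grow to
// 2^maxDepth points here instead of exhausting memory as in the backtrace.
static void subdivide(Pt p0, Pt p1, Pt p2, Pt p3, double tol,
                      int depth, int maxDepth, std::vector<Pt>& out) {
    // With NaN, flatness() <= tol is always false: this exit is never taken.
    if (depth >= maxDepth || flatness(p0, p1, p2, p3) <= tol) {
        out.push_back(p3);
        return;
    }
    Pt p01{(p0.x + p1.x) / 2, (p0.y + p1.y) / 2};
    Pt p12{(p1.x + p2.x) / 2, (p1.y + p2.y) / 2};
    Pt p23{(p2.x + p3.x) / 2, (p2.y + p3.y) / 2};
    Pt p012{(p01.x + p12.x) / 2, (p01.y + p12.y) / 2};
    Pt p123{(p12.x + p23.x) / 2, (p12.y + p23.y) / 2};
    Pt mid{(p012.x + p123.x) / 2, (p012.y + p123.y) / 2};
    subdivide(p0, p01, p012, mid, tol, depth + 1, maxDepth, out);
    subdivide(mid, p123, p23, p3, tol, depth + 1, maxDepth, out);
}
// Polygon points produced for one cubic segment (tolerance 0.5 as in the trace).
std::size_t flattenedPointCount(Pt p0, Pt p1, Pt p2, Pt p3, int maxDepth) {
    std::vector<Pt> out;
    subdivide(p0, p1, p2, p3, 0.5, 0, maxDepth, out);
    return out.size();
}
// The missing check: reject any NaN or infinite coordinate up front.
bool allCoordinatesFinite(const std::vector<Pt>& pts) {
    for (const Pt& p : pts)
        if (!std::isfinite(p.x) || !std::isfinite(p.y)) return false;
    return true;
}
// Returns 0 for a rejected (non-finite) segment, otherwise the point count.
std::size_t safeFlattenCount(Pt p0, Pt p1, Pt p2, Pt p3, int maxDepth) {
    if (!allCoordinatesFinite({p0, p1, p2, p3})) return 0;
    return flattenedPointCount(p0, p1, p2, p3, maxDepth);
}
```

A collinear segment flattens to a single point while the NaN segment hits the depth cap on every branch; the uncapped equivalent is what fills the QVector<QPointF> until qBadAlloc fires.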
