[Webkit-unassigned] [Bug 40837] Chrome/Safari Crashes on SVG Image
bugzilla-daemon at webkit.org
Fri Jun 18 10:01:35 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=40837
W. James MacLean <wjmaclean at chromium.org> changed:
             What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #59127   |                            |review?
               Flag  |                            |
--- Comment #1 from W. James MacLean <wjmaclean at chromium.org> 2010-06-18 10:01:35 PST ---
Created an attachment (id=59127)
--> (https://bugs.webkit.org/attachment.cgi?id=59127)
Proposed patch
This patch is marked for review to discuss the approach to fixing the bug, and does not (yet) include a simplified test and changelog comments.
The bug appears to occur in
SVGRootInlineBox::layoutInlineBoxes(InlineFlowBox* start, Vector<SVGChar>::iterator& it, int& lowX, int& highX, int& lowY, int& highY)
when a non-text InlineFlowBox is encountered that has no children. In this case the default values
int minX = INT_MAX;
int minY = INT_MAX;
int maxX = INT_MIN;
int maxY = INT_MIN;
are retained and lead to the current InlineBox being assigned unrealistically large (x,y) coordinates.
These coordinates then lead to unrealistically large bounding rects, causing the platform-level renderers to fail.
The proposed patch exits, leaving the default size for the InlineBox, which appears to work (performance may be slow, but this appears to be a separate issue with the platform-level filters).
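The failure mode described in the comment, as an added stand-alone C++ sketch that is not WebKit's code (the Box and Point types, the accumulateExtents helper and the plausibility limit are assumptions): in the "before" version the INT_MAX/INT_MIN sentinels survive an empty box and become its position, while the guarded version keeps the default position, as the proposed patch does by returning early.

```cpp
#include <algorithm>
#include <climits>
#include <cstdlib>
#include <vector>

// Hypothetical, simplified stand-in for an inline box tree (not WebKit's types).
struct Point { int x, y; };
struct Box {
    Point origin;               // position assigned by layout
    std::vector<Box> children;  // empty for the problematic non-text boxes
};

// Folds the children's extents into the running min/max. The sentinel initial
// values are the caller's responsibility, exactly as in the bug report: with
// no children this loop never runs and the sentinels survive untouched.
static void accumulateExtents(const Box& box, int& minX, int& minY, int& maxX, int& maxY) {
    for (const Box& child : box.children) {
        minX = std::min(minX, child.origin.x);
        minY = std::min(minY, child.origin.y);
        maxX = std::max(maxX, child.origin.x);
        maxY = std::max(maxY, child.origin.y);
    }
}

// "Before": the accumulated minimum is assigned as the box position without
// checking whether anything was accumulated, so an empty box lands at
// (INT_MAX, INT_MAX) and later produces an absurd bounding rect.
Point layoutBuggy(const Box& box) {
    int minX = INT_MAX, minY = INT_MAX, maxX = INT_MIN, maxY = INT_MIN;
    accumulateExtents(box, minX, minY, maxX, maxY);
    return {minX, minY};
}

// "After": an empty box keeps its default position, which is what the
// proposed patch does by exiting early.
Point layoutGuarded(const Box& box, Point defaultOrigin) {
    if (box.children.empty())
        return defaultOrigin;
    int minX = INT_MAX, minY = INT_MAX, maxX = INT_MIN, maxY = INT_MIN;
    accumulateExtents(box, minX, minY, maxX, maxY);
    return {minX, minY};
}

// Sanity check a renderer could apply before handing a rect to the platform
// layer: coordinates beyond a generous limit indicate a surviving sentinel.
bool isPlausiblePosition(Point p, int limit) {
    return std::abs(p.x) <= limit && std::abs(p.y) <= limit;
}
```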