[Webkit-unassigned] [Bug 38680] New: FloatRect::enclosingIntRect performs unsafe type conversion float -> int

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu May 6 13:20:13 PDT 2010 

https://bugs.webkit.org/show_bug.cgi?id=38680

           Summary: FloatRect::enclosingIntRect performs unsafe type
                    conversion float -> int
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: Mac OS X 10.5
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: SVG
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: wjmaclean at chromium.org


Steps to Reproduce:

Render the attached SVG file (mask-excessive-malloc.svg, from the existing
layout tests directory)

Actual output: dumping the render tree gives

layer at (0,0) size 800x600
  RenderView at (0,0) size 800x600
layer at (0,0) size 800x600
  RenderSVGRoot {svg} at (0,0) size 800x600
    RenderSVGResourceMasker {mask} [id="mask"] [maskUnits=objectBoundingBox]
[maskContentUnits=userSpaceOnUse]
      RenderPath {rect} at (0,0) size 0x0 [fill={[type=SOLID] [color=#FFFFFF]}]
[data="M0.00,0.00 L2147483648.00,0.00 L2147483648.00,2147483648.00
L0.00,2147483648.00 Z"]
    RenderPath {path} at (200,200) size 100x200 [fill={[type=SOLID]
[color=#0000FF]}] [data="M200.00,200.00 L300.00,200.00 L300.00,400.00
L200.00,400.00 Z"]
      [masker="mask"] RenderSVGResourceMasker {mask} at (190,180) size
214748364800.00x429496729600.00

Expected output: the render tree should look like (note size of first
RenderPath object):


layer at (0,0) size 800x600
  RenderView at (0,0) size 800x600
layer at (0,0) size 800x600
  RenderSVGRoot {svg} at (0,0) size 800x600
    RenderSVGResourceMasker {mask} [id="mask"] [maskUnits=objectBoundingBox]
[maskContentUnits=userSpaceOnUse]
      RenderPath {rect} at (0,0) size 800x600 [fill={[type=SOLID]
[color=#FFFFFF]}] [data="M0.00,0.00 L2147483648.00,0.00
L2147483648.00,2147483648.00 L0.00,2147483648.00 Z"]
    RenderPath {path} at (200,200) size 100x200 [fill={[type=SOLID]
[color=#0000FF]}] [data="M200.00,200.00 L300.00,200.00 L300.00,400.00
L200.00,400.00 Z"]
      [masker="mask"] RenderSVGResourceMasker {mas


Additional information:

The underlying cause appears to be an unsafe float-> int conversion in
FloatRect::enclosingIntRect, where static_cast<int> is used on a float outside
the range representable by int.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list